Fake COVID-19 survey hides ransomware in Canadian university attack
Published: 2020-10-27 · Archived: 2026-04-10 02:19:11 UTC
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/
We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Based on their behavior, three of them can be renamed:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (e.g. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64, then decrypted with the hardcoded XXTEA key (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function filepath.Walk (package path/filepath).
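The string decoding step described above (Base64, then XXTEA with the key “STALKER”), as an added example that is not code from the original post or from the malware: a Go routine an analyst can use to recover the protected strings from a sample. The XXTEA byte conventions (little-endian 32-bit words, key zero-padded to 16 bytes, plaintext length carried in a trailing word) are assumed to match the xxtea-go library the post names, and standard Base64 with padding is also an assumption. The encoder exists only to construct offline test input; a wrong key shows up as an implausible length word, which the decoder reports as an error rather than returning garbage.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

// The key is the hardcoded value reported in the write-up; everything else is added example code.
const xxteaKey = "STALKER"

const delta = 0x9E3779B9 // XXTEA round constant

// DecodeVaggenString reverses the protection applied to the ransom-note strings:
// Base64 decode, then XXTEA decrypt with the hardcoded key.
func DecodeVaggenString(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64) // assumption: standard alphabet with padding
	if err != nil {
		return "", err
	}
	plain := xxteaDecrypt(raw, []byte(xxteaKey))
	if plain == nil {
		return "", errors.New("XXTEA length word implausible: wrong key or corrupt data")
	}
	return string(plain), nil
}

// EncodeVaggenString is the forward direction, used here only to construct sample input.
func EncodeVaggenString(s string) string {
	return base64.StdEncoding.EncodeToString(xxteaEncrypt([]byte(s), []byte(xxteaKey)))
}

// Byte conventions assumed to match xxtea-go: little-endian 32-bit words, the key
// zero-padded to 16 bytes, and the plaintext length carried in a trailing word.
func toWords(b []byte, withLen bool) []uint32 {
	n := (len(b) + 3) / 4
	if withLen {
		n++
	}
	v := make([]uint32, n)
	for i, c := range b {
		v[i>>2] |= uint32(c) << (uint(i&3) << 3)
	}
	if withLen {
		v[n-1] = uint32(len(b))
	}
	return v
}

func toBytes(v []uint32, withLen bool) []byte {
	n := len(v) * 4
	if withLen {
		m := int(v[len(v)-1])
		if m < n-7 || m > n-4 {
			return nil // the trailing length word only makes sense under the right key
		}
		n = m
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = byte(v[i>>2] >> (uint(i&3) << 3))
	}
	return out
}

func keyWords(key []byte) []uint32 {
	padded := make([]byte, 16)
	copy(padded, key) // "STALKER" becomes seven bytes followed by nine zero bytes
	return toWords(padded, false)
}

func mx(sum, y, z, p, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[p&3^e] ^ z))
}

func xxteaEncrypt(data, key []byte) []byte {
	v, k := toWords(data, true), keyWords(key)
	n := uint32(len(v)) - 1
	var y, z, sum, e, p uint32
	z = v[n]
	for q := 6 + 52/uint32(len(v)); q > 0; q-- {
		sum += delta
		e = sum >> 2 & 3
		for p = 0; p < n; p++ {
			y = v[p+1]
			v[p] += mx(sum, y, z, p, e, k)
			z = v[p]
		}
		y = v[0]
		v[n] += mx(sum, y, z, p, e, k)
		z = v[n]
	}
	return toBytes(v, false)
}

func xxteaDecrypt(data, key []byte) []byte {
	if len(data) < 8 || len(data)%4 != 0 {
		return nil // a valid blob is at least two whole words
	}
	v, k := toWords(data, false), keyWords(key)
	n := uint32(len(v)) - 1
	var y, z, e, p uint32
	y = v[0]
	for sum := (6 + 52/uint32(len(v))) * delta; sum != 0; sum -= delta {
		e = sum >> 2 & 3
		for p = n; p > 0; p-- {
			z = v[p-1]
			v[p] -= mx(sum, y, z, p, e, k)
			y = v[p]
		}
		z = v[n]
		v[0] -= mx(sum, y, z, p, e, k)
		y = v[0]
	}
	return toBytes(v, true)
}

func main() {
	enc := EncodeVaggenString("constructed sample note text")
	dec, err := DecodeVaggenString(enc)
	fmt.Printf("encoded: %s\ndecoded: %q err=%v\n", enc, dec, err)
}
```

When run against strings pulled from a real sample, feed the Base64 chunk to DecodeVaggenString; if the library's conventions differ from the ones assumed here, the length check fails and the error says so rather than yielding misleading output.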
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 38 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 39 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 40 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 41 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 42 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 43 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 44 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 45 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 46 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 47 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: 
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 48 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 49 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 50 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 51 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 52 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 53 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 54 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 55 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 56 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 57 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 58 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 59 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 60 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 61 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 62 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 63 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 64 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 65 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 66 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 67 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe and writes it as Polisen.exe
- Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe and writes it as Killar.exe
- Calls the shell function to execute killar.exe
- Checks the return value of the shell function to see whether it was successful (the return value would be the task ID of the executed application)
- If successful, sends a GET HTTP request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, sends a GET HTTP request to canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback passed to the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.
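The file layout described in the Vaggen ransomware section (12-byte nonce, ciphertext, 16-byte GCM tag) together with the hardcoded key is enough to write a recovery tool. The Go program below is an added example, not code from the post or from the malware: it assumes the layout exactly as described and that the original name is restored by stripping .VAGGEN, and it includes a constructed encrypt helper only so the decryptor can be exercised offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Hardcoded AES key quoted in the post (32 bytes, hence AES-256).
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // nonce stored at the start of every .VAGGEN file
	tagSize   = 16 // GCM tag that gcm.Seal appends after the ciphertext
	vaggenExt = ".VAGGEN"
)

// newVaggenGCM builds the AES-256-GCM instance matching the malware's gcm.Seal.
func newVaggenGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(vaggenKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
}

// DecryptVaggen recovers the plaintext of one .VAGGEN blob laid out as
// [12-byte nonce][ciphertext][16-byte tag]. gcm.Open verifies the tag, so a
// truncated or tampered file is rejected rather than turned into garbage.
func DecryptVaggen(blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("blob too short to hold a nonce and a GCM tag")
	}
	gcm, err := newVaggenGCM()
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	plain, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("GCM authentication failed (wrong key or damaged file): %w", err)
	}
	return plain, nil
}

// EncryptLikeVaggen reproduces the on-disk layout described in the post so the
// decryptor can be tested on constructed input; it is an assumption drawn from
// the write-up, not the malware's own code.
func EncryptLikeVaggen(plain []byte) ([]byte, error) {
	gcm, err := newVaggenGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize) // the malware used CryptGenRandom here
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// RecoverFile decrypts one .VAGGEN file next to itself, restoring the original
// name by stripping the extension (assumed), and returns the restored path.
func RecoverFile(path string) (string, error) {
	if !strings.HasSuffix(path, vaggenExt) {
		return "", fmt.Errorf("%s does not carry the %s extension", path, vaggenExt)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plain, err := DecryptVaggen(blob)
	if err != nil {
		return "", err
	}
	restored := strings.TrimSuffix(path, vaggenExt)
	if err := os.WriteFile(restored, plain, 0o600); err != nil {
		return "", err
	}
	return restored, nil
}

func main() {
	// Constructed sample, not a real victim file.
	blob, err := EncryptLikeVaggen([]byte("survey results (constructed sample)"))
	if err != nil {
		panic(err)
	}
	plain, err := DecryptVaggen(blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %q from a %d-byte blob\n", plain, len(blob))
}
```

Because GCM authenticates the ciphertext, a wrong key or a partially written file fails with an error instead of producing corrupt output, which is what you want from a recovery tool run against a whole directory of victim files.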
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 76 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 77 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the shell function to execute killar.exe
- Checks the return value of the shell function to see whether it was successful (the return value would be the task ID of the executed application)
- If successful, it sends a GET HTTP request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, it sends a GET HTTP request to canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Golang function path/filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12 byte long nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12 byte long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
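The recovery that the Vaggen ransomware section above describes, as an added example (not the post's or Malwarebytes' code): a .VAGGEN file is read as nonce || ciphertext || GCM tag and opened with AES-256-GCM under the hardcoded key reported in the analysis, so a wrong key or a damaged file fails the tag check instead of producing garbage. The buildSampleContainer helper exists only to produce constructed test input offline; the sample nonce and plaintext are made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Key and container layout reported in the analysis: AES-256-GCM with a
// 12-byte nonce, output file = nonce || ciphertext || 16-byte tag.
const (
	vaggenKey = "du_tar_mitt_hjart_mina_pengarna0" // 32 bytes -> AES-256
	vaggenExt = ".VAGGEN"
	nonceLen  = 12
	gcmTagLen = 16
)

func vaggenAEAD() (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(vaggenKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
}

// DecryptVaggen takes the raw bytes of a .VAGGEN file and returns the original
// content. gcm.Open consumes ciphertext||tag, which is exactly what gcm.Seal
// wrote after the nonce, so no further parsing is needed.
func DecryptVaggen(container []byte) ([]byte, error) {
	if len(container) < nonceLen+gcmTagLen {
		return nil, errors.New("too short to hold a nonce and a GCM tag")
	}
	gcm, err := vaggenAEAD()
	if err != nil {
		return nil, err
	}
	nonce, ctAndTag := container[:nonceLen], container[nonceLen:]
	pt, err := gcm.Open(nil, nonce, ctAndTag, nil)
	if err != nil {
		return nil, fmt.Errorf("authentication failed (wrong key or damaged file): %w", err)
	}
	return pt, nil
}

// RecoverFile decrypts path and writes the plaintext beside it without the
// .VAGGEN extension; the encrypted copy is left in place as evidence.
func RecoverFile(path string) (string, error) {
	if !strings.HasSuffix(path, vaggenExt) {
		return "", fmt.Errorf("%s does not carry the %s extension", path, vaggenExt)
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	pt, err := DecryptVaggen(data)
	if err != nil {
		return "", err
	}
	out := strings.TrimSuffix(path, vaggenExt)
	if err := os.WriteFile(out, pt, 0o600); err != nil {
		return "", err
	}
	return out, nil
}

// buildSampleContainer produces a container in the same layout so the
// decryptor can be exercised offline; constructed test data, not a real sample.
func buildSampleContainer(nonce, plaintext []byte) ([]byte, error) {
	gcm, err := vaggenAEAD()
	if err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst; seeding dst with the nonce yields
	// nonce || ciphertext || tag.
	return gcm.Seal(append([]byte{}, nonce...), nonce, plaintext, nil), nil
}

func main() {
	nonce := []byte("0123456789ab") // fixed 12-byte nonce for the demo only
	blob, err := buildSampleContainer(nonce, []byte("survey results, constructed sample"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptVaggen(blob)
	fmt.Printf("%q %v\n", pt, err) // "survey results, constructed sample" <nil>
}
```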
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 90 of 3467 With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. 
This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 91 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 92 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe 
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero. In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 93 of 3467 However, this attack and motives are different than the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files. 
On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team. Mandatory COVID-19 survey distributed to targeted recipients The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives. The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC): Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 94 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 95 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 96 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. 
In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 97 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 98 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. 
Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 99 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 100 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 101 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 102 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. 
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 103 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 104 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 105 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 106 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 107 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 108 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and Dropbox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam sent through file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of the Shell function to see whether it succeeded (the return value is the task ID of the executed application)
If successful, sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If not successful, sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning that an intruder has had access to a network.
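As an added defensive example, not code from the write-up or from the samples it analyses, the following Go program checks a .docx for the template-injection setup described above: it opens the document's settings relationships part and reports any attached template whose target points to a remote host rather than to a template on local disk. The sample document it builds, the example.invalid URL and the function names are constructed for this illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io/fs"
	"strings"
)

// Word records a document's attached template as a relationship in this part.
const settingsRels = "word/_rels/settings.xml.rels"

// Relationship type that marks an attached (.dotm) template.
const attachedTemplate = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

type relationship struct {
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

// looksRemote reports whether a template target points off the local machine;
// a template stored locally (Normal.dotm) normally appears as a file:/// target.
func looksRemote(target string) bool {
	t := strings.ToLower(strings.TrimSpace(target))
	return strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") ||
		strings.HasPrefix(t, `\\`) || strings.HasPrefix(t, "//")
}

// RemoteTemplates returns every attached-template target Word would fetch from
// a remote host when the document opens. Empty means no remote template, which
// is also the answer for a document attached to a template on local disk.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML (zip) container: %w", err)
	}
	rc, err := zr.Open(settingsRels)
	if errors.Is(err, fs.ErrNotExist) {
		return nil, nil // no settings relationships part: nothing is attached
	} else if err != nil {
		return nil, err
	}
	defer rc.Close()
	var rels relationships
	if err := xml.NewDecoder(rc).Decode(&rels); err != nil {
		return nil, fmt.Errorf("malformed %s: %w", settingsRels, err)
	}
	var found []string
	for _, r := range rels.Rels {
		if r.Type == attachedTemplate && r.TargetMode == "External" && looksRemote(r.Target) {
			found = append(found, r.Target)
		}
	}
	return found, nil
}

// sampleRels returns a constructed settings relationships part that attaches the
// document to the given template target (no XML escaping; targets here are plain).
func sampleRels(target string) string {
	return `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="` + attachedTemplate + `" Target="` + target + `" TargetMode="External"/>
</Relationships>`
}

// BuildSampleDocx assembles a minimal zip holding only the parts this check
// reads, so the example runs offline; a real .docx carries many more parts.
func BuildSampleDocx(rels string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range map[string]string{"word/document.xml": "<w:document/>", settingsRels: rels} {
		w, err := zw.Create(name)
		if err != nil {
			panic(err) // only reachable while constructing sample data
		}
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	for _, target := range []string{
		"https://example.invalid/raw/master/template.dotm", // placeholder remote host
		`file:///C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm`,
	} {
		found, err := RemoteTemplates(BuildSampleDocx(sampleRels(target)))
		fmt.Printf("%s -> remote=%q err=%v\n", target, found, err)
	}
}
```

A document whose only attached template is a local file yields no finding, so the check can run over a mail or file-share quarantine without flagging ordinary corporate templates.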
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Some of them can be renamed according to their role:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 byte long nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

the 12 byte long nonce
the encrypted content
the 16 byte long GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor is it affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
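The recovery the write-up says is possible, as an added example (not the malware's code and not a tool from Malwarebytes): a Go program that reverses the nonce || ciphertext || tag layout with the hardcoded key using the standard library's AES-GCM, and can walk a directory to restore every .VAGGEN file beside its encrypted original. The key and layout are the ones quoted above; the sample plaintext, the fixed nonce and the function names are constructed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0") // 32 bytes, so AES-256

const (
	nonceSize = 12        // per-file nonce stored at the front of the output file
	tagSize   = 16        // GCM tag that gcm.Seal appends after the ciphertext
	vaggenExt = ".VAGGEN" // extension the malware adds when renaming
)

// DecryptVaggen reverses the on-disk layout nonce || ciphertext || tag. GCM is
// authenticated: a wrong key, truncation or a flipped bit fails the tag check.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, fmt.Errorf("blob of %d bytes cannot hold a nonce and a GCM tag", len(blob))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// SealSample builds a blob in the same layout so the example has constructed
// input; the caller passes the nonce only to keep the sample deterministic.
func SealSample(plaintext, key, nonce []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to its first argument; starting from a copy
	// of the 12-byte nonce yields nonce||ciphertext||tag in one slice.
	return gcm.Seal(append([]byte{}, nonce...), nonce, plaintext, nil), nil
}

// RestoreName strips the extension the malware appends when it renames a file.
func RestoreName(path string) (string, bool) {
	if !strings.HasSuffix(path, vaggenExt) {
		return path, false
	}
	return strings.TrimSuffix(path, vaggenExt), true
}

// RestoreTree walks root, much as the malware's filepath.Walk callback did, and
// writes a decrypted copy beside each .VAGGEN file, keeping the original intact.
func RestoreTree(root string, key []byte) (restored, failed int, err error) {
	err = filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.IsDir() {
			return walkErr
		}
		out, ok := RestoreName(path)
		if !ok {
			return nil
		}
		blob, readErr := os.ReadFile(path)
		if readErr != nil {
			return readErr
		}
		plain, decErr := DecryptVaggen(blob, key)
		if decErr != nil {
			failed++ // damaged file or a different key: leave it for manual review
			return nil
		}
		if writeErr := os.WriteFile(out, plain, 0o600); writeErr != nil {
			return writeErr
		}
		restored++
		return nil
	})
	return restored, failed, err
}

func main() {
	if len(os.Args) > 1 { // usage: recover <directory-with-.VAGGEN-files>
		fmt.Println(RestoreTree(os.Args[1], VaggenKey))
		return
	}
	blob, _ := SealSample([]byte("constructed sample document"), VaggenKey, []byte("0123456789ab"))
	plain, err := DecryptVaggen(blob, VaggenKey)
	fmt.Printf("%d-byte constructed blob -> %q (err=%v)\n", len(blob), plain, err)
}
```

Because the tag check fails closed, a file encrypted by a variant with a different key is counted as failed and left untouched rather than overwritten with garbage.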
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 121 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 122 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 123 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 124 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 125 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero. In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 126 of 3467 However, this attack and motives are different than the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files. On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team. 
Mandatory COVID-19 survey distributed to targeted recipients The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives. The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC): Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 127 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 128 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 129 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 130 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 131 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 132 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 133 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 134 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 135 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 136 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 137 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 138 of 3467 The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 139 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 140 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. 
It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 141 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 142 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 143 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a

This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
- If successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
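The template injection described above leaves a footprint a defender can check without opening the document in Word: the attachedTemplate relationship in word/_rels/settings.xml.rels pointing at an external, network-hosted target. The Go program below is an added example, not code from the original post or from Malwarebytes, that opens a .docx from memory and reports such relationships. The fixture documents it builds, the example.invalid URL and the Normal.dotm file:// reference are constructed for the demonstration; that Word records the local Normal.dotm as an External file:// target is the reason the check keys on the URL scheme rather than on TargetMode alone.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"net/url"
	"strings"
)

const (
	// Relationship type binding a document to its template; with
	// TargetMode="External" Word fetches it from Target when the document opens.
	attachedTemplate = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
	// Package part holding that relationship inside the .docx zip container.
	settingsRels = "word/_rels/settings.xml.rels"
)

type relationship struct {
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

// isRemote reports whether a template target is fetched over the network.
// Word records even the local Normal.dotm as an External file:// target, so the
// scheme, not TargetMode alone, separates injected documents from benign ones.
func isRemote(target string) bool {
	if strings.HasPrefix(target, `\\`) { // UNC path: SMB or WebDAV fetch
		return true
	}
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https", "ftp":
		return true
	}
	return false
}

// findRemoteTemplates reads a .docx from memory and returns every
// attachedTemplate target that points at a network location.
func findRemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML container: %w", err)
	}
	var found []string
	for _, f := range zr.File {
		if f.Name != settingsRels {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		var rels relationships
		err = xml.NewDecoder(rc).Decode(&rels)
		rc.Close()
		if err != nil {
			return nil, fmt.Errorf("%s: %w", settingsRels, err)
		}
		for _, r := range rels.Rels {
			if r.Type == attachedTemplate && strings.EqualFold(r.TargetMode, "External") && isRemote(r.Target) {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

// buildDocx constructs a minimal package holding only the relationship part;
// it is a test fixture, not a document from the campaign.
func buildDocx(target string) []byte {
	const tmpl = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>
</Relationships>`
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create(settingsRels)
	fmt.Fprintf(w, tmpl, attachedTemplate, target)
	zw.Close()
	return buf.Bytes()
}

// Constructed samples; example.invalid stands in for the attacker's real host.
func injectedDoc() []byte { return buildDocx("https://example.invalid/template.dotm") }
func benignDoc() []byte   { return buildDocx("file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm") }

func main() {
	for name, doc := range map[string][]byte{"injected": injectedDoc(), "benign": benignDoc()} {
		targets, err := findRemoteTemplates(doc)
		fmt.Printf("%-9s remote templates: %v (err=%v)\n", name, targets, err)
	}
}
```

Run against a mail or file-share quarantine, the same check is cheap enough to apply to every inbound Office document; a hit is a strong signal on its own, since ordinary documents have no reason to load their template from a code hosting site.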
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Go function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 byte long nonce generated by CryptGenRandom.
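The string protection described above (Base64 over XXTEA with the hardcoded key “STALKER”) is what an analyst has to undo to read the ransom note out of the binary. The Go program below is an added example, not code from the post, from Malwarebytes or from the malware: a reference XXTEA (btea) implementation plus a decoder that pads the key to 16 bytes and reads the plaintext length from a trailing word. That framing follows the xxtea-go library's convention as I understand it, and the standard Base64 alphabet; both are assumptions. The note text used as input is constructed, and encryptString exists only to produce fixtures for the decoder.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

const delta = 0x9e3779b9
// mx is the mixing term of the reference XXTEA (btea) algorithm.
func mx(sum, y, z, p, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[p&3^e] ^ z))
}

// xxteaEncrypt and xxteaDecrypt work in place on at least two 32-bit words.
func xxteaEncrypt(v, k []uint32) {
	n := uint32(len(v)) - 1
	z, sum := v[n], uint32(0)
	for q := 6 + 52/(n+1); q > 0; q-- {
		sum += delta
		e := sum >> 2 & 3
		for p := uint32(0); p < n; p++ {
			v[p] += mx(sum, v[p+1], z, p, e, k)
			z = v[p]
		}
		v[n] += mx(sum, v[0], z, n, e, k)
		z = v[n]
	}
}

func xxteaDecrypt(v, k []uint32) {
	n := uint32(len(v)) - 1
	q := 6 + 52/(n+1)
	y, sum := v[0], q*delta
	for ; q > 0; q-- {
		e := sum >> 2 & 3
		for p := n; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n], 0, e, k)
		y = v[0]
		sum -= delta
	}
}

// Framing as I understand xxtea-go's convention (an assumption): little-endian
// words, key zero-padded or truncated to 16 bytes, length in a trailing word.
func toWords(data []byte, withLen bool) []uint32 {
	v := make([]uint32, (len(data)+3)/4+1)
	for i, b := range data {
		v[i/4] |= uint32(b) << (uint(i%4) * 8)
	}
	if withLen {
		v[len(v)-1] = uint32(len(data))
		return v
	}
	return v[:len(v)-1]
}

func toBytes(v []uint32) []byte {
	out := make([]byte, len(v)*4)
	for i := range out {
		out[i] = byte(v[i/4] >> (uint(i%4) * 8))
	}
	return out
}
func keyWords(key []byte) []uint32 {
	k := make([]byte, 16)
	copy(k, key)
	return toWords(k, false)
}

// decryptString reverses the protection: Base64 decode, XXTEA under the padded
// key, then strip the trailing length word (which also catches a wrong key).
func decryptString(b64 string, key []byte) (string, error) {
	data, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(data) < 8 || len(data)%4 != 0 {
		return "", errors.New("ciphertext must be at least two whole 32-bit words")
	}
	v := toWords(data, false)
	xxteaDecrypt(v, keyWords(key))
	raw := toBytes(v)
	m, n := int(v[len(v)-1]), len(raw)-4
	if m < n-3 || m > n { // the length word must fit the data words
		return "", errors.New("length word out of range: wrong key or corrupted data")
	}
	return string(raw[:m]), nil
}

// encryptString builds fixtures in the same framing; it is not the malware's code.
func encryptString(plain string, key []byte) string {
	v := toWords([]byte(plain), true)
	xxteaEncrypt(v, keyWords(key))
	return base64.StdEncoding.EncodeToString(toBytes(v))
}

func main() {
	key := []byte("STALKER") // key reported on the page
	fmt.Println(decryptString(encryptString("constructed ransom note text", key), key))
}
```

The length check at the end is the only integrity signal XXTEA gives: a wrong key usually, but not always, fails it, so when decoding real strings from a sample the output still needs a sanity check (printable text, expected language) before it is trusted.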
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:
- the 12 byte long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
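The recovery the Vaggen analysis above makes possible, as an added Go example (not the authors' tool and not the malware's code): it takes the documented layout nonce || ciphertext || tag, opens it with AES-256-GCM under the key quoted above, and relies on GCM's tag verification to reject a wrong key or a damaged file instead of writing garbage. The recoverFile helper that strips the .VAGGEN suffix and the makeFixture builder are my additions, and the sample plaintext is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Key reported on the page as hardcoded in the sample: 32 bytes, hence AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceLen = 12 // nonce stored at the start of each .VAGGEN file
	tagLen   = 16 // GCM tag that gcm.Seal appends after the ciphertext
)

// decryptVaggen recovers plaintext from the layout nonce || ciphertext || tag.
// gcm.Open verifies the tag, so a wrong key or a truncated/corrupted file is
// reported as an error rather than producing garbage output.
func decryptVaggen(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	if len(blob) < nonceLen+tagLen {
		return nil, fmt.Errorf("file too short to hold nonce and tag: %d bytes", len(blob))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // 12-byte nonce, 16-byte tag by default
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceLen], blob[nonceLen:], nil)
}

// recoverFile decrypts src (a *.VAGGEN path) and writes the original file name.
func recoverFile(src string) error {
	if !strings.HasSuffix(src, ".VAGGEN") {
		return fmt.Errorf("%s: not a .VAGGEN file", src)
	}
	blob, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	plain, err := decryptVaggen([]byte(vaggenKey), blob)
	if err != nil {
		return fmt.Errorf("%s: %w", src, err)
	}
	return os.WriteFile(strings.TrimSuffix(src, ".VAGGEN"), plain, 0o600)
}

// makeFixture builds a blob in the documented layout so the decryptor can be
// exercised offline; it is a constructed test fixture, not the malware's code.
func makeFixture(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst, which here already holds the nonce.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	key := []byte(vaggenKey)
	blob, err := makeFixture(key, []byte("constructed sample document"))
	if err != nil {
		panic(err)
	}
	plain, err := decryptVaggen(key, blob)
	fmt.Printf("recovered %q (err=%v)\n", plain, err)
	blob[nonceLen] ^= 1 // flip one ciphertext byte: the tag check must fail
	_, err = decryptVaggen(key, blob)
	fmt.Println("tampered:", err)
}
```

Because the key is fixed in the binary rather than generated per victim and protected by an attacker-held public key, anyone holding a sample can decrypt every affected file; that design choice, not a flaw in AES-GCM itself, is what made recovery without payment possible here.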
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 156 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 157 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 158 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. 
With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 159 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 160 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 161 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero. In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 162 of 3467 However, this attack and motives are different than the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files. On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team. 
Mandatory COVID-19 survey distributed to targeted recipients The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives. The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC): Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 163 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 164 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 165 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 166 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 167 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 168 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 169 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 170 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 171 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 172 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 173 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 174 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 175 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

"Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!"

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to determine whether the launch succeeded (on success, the return value is the task ID of the executed application)
- If successful, sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
As for the canary tokens, in this case the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
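Before the file-encryption details continue, here is the string side: the Base64-then-XXTEA scheme under the key "STALKER" is what an analyst has to undo to read the ransom note and other protected strings out of the binary. This is an added example in Go, my own code rather than the malware's or the xxtea-go library's; it follows xxtea-go's byte conventions as I understand them (little-endian 32-bit words, the byte length appended as the last word before encryption, the key zero-padded to four words), and that compatibility should be treated as an assumption to verify against a real chunk. The encrypt direction is included only to construct a sample chunk, since the page does not reproduce one.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

const (
	xxteaDelta      = 0x9E3779B9
	vaggenStringKey = "STALKER" // hardcoded XXTEA key reported in the analysis
)

// xxteaMX is the XXTEA mixing term ("MX" in Wheeler and Needham's description).
func xxteaMX(sum, y, z, p, e uint32, k []uint32) uint32 {
	return (((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// toWords packs bytes little-endian into uint32 words, zero-padding the tail.
func toWords(b []byte) []uint32 {
	v := make([]uint32, (len(b)+3)/4)
	for i, c := range b {
		v[i>>2] |= uint32(c) << uint((i&3)*8)
	}
	return v
}

// toBytes unpacks words back into little-endian bytes.
func toBytes(v []uint32) []byte {
	out := make([]byte, len(v)*4)
	for i := range out {
		out[i] = byte(v[i>>2] >> uint((i&3)*8))
	}
	return out
}

// XXTEAEncrypt mirrors xxtea-go's Encrypt (byte length appended as a final word); used here for sample input only.
func XXTEAEncrypt(data, key []byte) []byte {
	v, k := append(toWords(data), uint32(len(data))), make([]uint32, 4)
	copy(k, toWords(key)) // XXTEA uses exactly four key words; shorter keys are zero-padded
	n := uint32(len(v) - 1)
	z, sum := v[n], uint32(0)
	for q := 6 + 52/(n+1); q > 0; q-- {
		sum += xxteaDelta
		e := (sum >> 2) & 3
		for p := uint32(0); p < n; p++ {
			v[p] += xxteaMX(sum, v[p+1], z, p, e, k)
			z = v[p]
		}
		v[n] += xxteaMX(sum, v[0], z, n, e, k)
		z = v[n]
	}
	return toBytes(v)
}

// XXTEADecrypt mirrors xxtea-go's Decrypt; nil means the recovered length word is implausible (wrong key or corrupt data).
func XXTEADecrypt(data, key []byte) []byte {
	if len(data) < 8 {
		return nil
	}
	v, k := toWords(data), make([]uint32, 4)
	copy(k, toWords(key))
	n := uint32(len(v) - 1)
	y := v[0]
	for sum := (6 + 52/(n+1)) * xxteaDelta; sum != 0; sum -= xxteaDelta {
		e := (sum >> 2) & 3
		for p := n; p > 0; p-- {
			v[p] -= xxteaMX(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= xxteaMX(sum, y, v[n], 0, e, k)
		y = v[0]
	}
	if m := v[n]; m < 4*n-3 || m > 4*n {
		return nil
	}
	return toBytes(v[:n])[:v[n]]
}

// DecodeVaggenString reverses the scheme described above: Base64-decode the chunk, then XXTEA-decrypt it.
func DecodeVaggenString(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if plain := XXTEADecrypt(raw, []byte(vaggenStringKey)); plain != nil {
		return string(plain), nil
	}
	return "", fmt.Errorf("xxtea: implausible length word; wrong key or corrupt chunk")
}

// EncodeVaggenString is the forward direction, used only to build a constructed sample chunk.
func EncodeVaggenString(s string) string {
	return base64.StdEncoding.EncodeToString(XXTEAEncrypt([]byte(s), []byte(vaggenStringKey)))
}

func main() {
	fmt.Println(DecodeVaggenString(EncodeVaggenString("constructed sample, not the real ransom note")))
}
```

The trailing length word doubles as a cheap sanity check: with the wrong key it decrypts to a random value, which almost never falls in the narrow range the padding allows, so DecodeVaggenString reports an error instead of returning garbage.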
The file content itself is encrypted with the gcm.Seal function. The output file (with the .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
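Back to the recovery claim: the .VAGGEN layout (12-byte nonce, ciphertext, 16-byte tag) plus the hardcoded key are all a decryptor needs. The following is an added example in Go, my own code and not the malware's; it reproduces only what the page states. DecryptVaggenFile is the part an incident responder would keep; SealVaggenFile mirrors the on-disk layout so the decryptor can be exercised on a constructed sample, and RestoredName assumes the ransomware simply appended .VAGGEN to the original file name, which is what the page describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// vaggenFileKey is the hardcoded AES-256 key reported in the analysis (32 bytes).
const vaggenFileKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	vaggenNonceSize = 12 // per-file nonce, generated with CryptGenRandom
	vaggenTagSize   = 16 // standard GCM tag, appended to the ciphertext by gcm.Seal
	vaggenExt       = ".VAGGEN"
)

// newVaggenGCM builds the AEAD as the page describes: AES-256 in GCM mode
// with the default 12-byte nonce and 16-byte tag.
func newVaggenGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(vaggenFileKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptVaggenFile recovers the plaintext of a file laid out as
// nonce(12) || ciphertext || tag(16). Go's gcm.Seal appends the tag to the
// ciphertext, so Open consumes everything after the nonce as one slice.
func DecryptVaggenFile(blob []byte) ([]byte, error) {
	if len(blob) < vaggenNonceSize+vaggenTagSize {
		return nil, errors.New("vaggen: file too short to hold a nonce and a tag")
	}
	gcm, err := newVaggenGCM()
	if err != nil {
		return nil, err
	}
	nonce, body := blob[:vaggenNonceSize], blob[vaggenNonceSize:]
	plain, err := gcm.Open(nil, nonce, body, nil)
	if err != nil {
		// GCM verifies the tag before releasing any plaintext, so a wrong key
		// or a file damaged after encryption fails here instead of yielding garbage.
		return nil, fmt.Errorf("vaggen: authentication failed: %w", err)
	}
	return plain, nil
}

// RestoredName undoes the rename step, assuming the extension was simply
// appended to the original file name (what the page describes).
func RestoredName(name string) string {
	return strings.TrimSuffix(name, vaggenExt)
}

// SealVaggenFile reproduces the on-disk layout so the decryptor can be
// exercised on a constructed sample; it is not the malware's code.
func SealVaggenFile(plain []byte) ([]byte, error) {
	gcm, err := newVaggenGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, vaggenNonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Passing nonce as dst makes Seal append ciphertext and tag after it.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

func main() {
	// Constructed sample input; no real victim data is involved.
	blob, err := SealVaggenFile([]byte("constructed sample document contents"))
	if err != nil {
		panic(err)
	}
	plain, err := DecryptVaggenFile(blob)
	fmt.Printf("%s -> %q (err=%v)\n", RestoredName("report.docx"+vaggenExt), plain, err)
}
```

Because GCM is authenticated, the decryptor cannot silently produce a corrupted document: any file that was truncated or modified after encryption is reported as a failure rather than restored with wrong bytes, which is the behaviour you want in a recovery tool run across a whole file share.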
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 220 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 221 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident.
Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
- If successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
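A defender-side check for the template injection mechanism described above, added here as an example and not code from the original post, from Malwarebytes or from the malware: a .docx is a zip container, and Word records an attached template as a relationship in word/_rels/settings.xml.rels; a document that pulls its template from an external HTTP(S) location is what this check reports. The sample container is constructed inside the block and holds only that relationships part, so it is not a working document; the target URL (example.invalid) is a placeholder and the function names are this example's own.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// settingsRelsPart is where Word records the attached template of a document.
const settingsRelsPart = "word/_rels/settings.xml.rels"

// relationships mirrors the OOXML package relationships schema, reduced to
// the three attributes the check needs.
type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// FindRemoteTemplates treats doc as a .docx zip container and returns the
// target of every attachedTemplate relationship that is marked External and
// points at an HTTP(S) URL. A benign document either has no such relationship
// or references a local template such as Normal.dotm, which is not reported.
func FindRemoteTemplates(doc []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, fmt.Errorf("not a zip container: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if f.Name != settingsRelsPart {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		raw, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(raw, &rels); err != nil {
			return nil, fmt.Errorf("%s is not valid XML: %w", settingsRelsPart, err)
		}
		for _, r := range rels.Rels {
			t := strings.ToLower(r.Target)
			if strings.HasSuffix(r.Type, "/attachedTemplate") &&
				strings.EqualFold(r.TargetMode, "External") &&
				(strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://")) {
				hits = append(hits, r.Target)
			}
		}
	}
	return hits, nil
}

// buildSampleDocx is a constructed test fixture: a zip holding only the
// relationships part, not a working document. The caller supplies the
// target and mode; the URL used in main is a placeholder.
func buildSampleDocx(target, mode string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create(settingsRelsPart)
	if err != nil {
		panic(err)
	}
	fmt.Fprintf(w, `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="%s" TargetMode="%s"/>
</Relationships>`, target, mode)
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	samples := map[string][]byte{
		"remote template": buildSampleDocx("https://example.invalid/template.dotm", "External"),
		"local template":  buildSampleDocx("Normal.dotm", "Internal"),
	}
	for name, doc := range samples {
		hits, err := FindRemoteTemplates(doc)
		fmt.Printf("%-16s hits=%v err=%v\n", name, hits, err)
	}
}
```

Only the external HTTP(S) case is flagged because a local attached template (Normal.dotm, or a path on a file share) is normal in enterprise documents; run the check over quarantined attachments or downloads from file sharing invitations, and treat any hit as a document to detonate in a sandbox rather than open. It inspects the template reference only, not the macro that the fetched .dotm carries.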
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Some of these obfuscated names map to the following functions:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
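The file recovery described in the Vaggen ransomware section above, as an added example that is neither the malware's code nor Malwarebytes' tooling: it takes the bytes of a .VAGGEN file laid out as nonce(12) || ciphertext || tag(16), opens them with AES-256-GCM under the hardcoded key quoted in the write-up, and strips the appended extension so the file can be written back under its original name. Because GCM is authenticated, a truncated or corrupted file, or a sample that used a different key, fails cleanly instead of producing garbage. The sample blob is a constructed fixture built inside the block with the same layout so the decryptor has input to run on; the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

const (
	vaggenExt = ".VAGGEN" // extension appended to every encrypted file
	nonceSize = 12        // nonce length observed in the samples
	tagSize   = 16        // standard GCM authentication tag
)

// VaggenKey is the 32-byte key the write-up quotes as hardcoded in the binary.
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

// DecryptVaggen takes the raw bytes of a .VAGGEN file, laid out as
// nonce(12) || ciphertext || tag(16), and returns the original content.
// gcm.Open verifies the tag, so a truncated or corrupted file, or a wrong
// key, yields an error rather than silently producing garbage.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("input too short to hold a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // defaults: 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	return gcm.Open(nil, nonce, sealed, nil)
}

// OriginalName strips the appended extension so the recovered content can be
// written back under the file's original name.
func OriginalName(name string) (string, bool) {
	if !strings.HasSuffix(name, vaggenExt) {
		return name, false
	}
	return strings.TrimSuffix(name, vaggenExt), true
}

// sealLikeSample is a constructed fixture that produces the observed file
// layout, so the decryptor has realistic input to run on offline.
func sealLikeSample(plain, key []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	// Seal appends ciphertext || tag after the nonce prefix.
	return gcm.Seal(nonce, nonce, plain, nil)
}

func main() {
	plain := []byte("constructed sample: quarterly budget notes")
	blob := sealLikeSample(plain, VaggenKey)
	got, err := DecryptVaggen(blob, VaggenKey)
	fmt.Printf("round trip ok: %v (err=%v)\n", bytes.Equal(got, plain), err)

	blob[nonceSize] ^= 0x01 // corrupt the first ciphertext byte
	_, err = DecryptVaggen(blob, VaggenKey)
	fmt.Printf("tampered file rejected: %v\n", err != nil)

	name, ok := OriginalName("report.docx" + vaggenExt)
	fmt.Printf("restored name: %s (%v)\n", name, ok)
}
```

When running this against a real incident, decrypt to a separate location and compare a few recovered files against known-good copies before touching the originals, and keep the encrypted files: a variant built with a different hardcoded key will fail the tag check for every file, which is the signal to stop and re-analyse the sample rather than retry with guesses.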
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 256 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 257 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 258 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 259 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 260 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 261 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 262 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 263 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 264 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 265 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 266 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute Killar.exe
- Checks the return value of the Shell function to determine whether the call succeeded (on success, the return value is the task ID of the launched application)
- If successful, sends an HTTP GET request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, sends an HTTP GET request to canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted when a particular event occurs. It can be very useful as an early warning system that an intruder has had access to a network.
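The macro behaviour listed above, Word writing and launching binaries from a Byxor folder under %APPDATA% and then calling back to canarytokens.com, is what a defender would turn into detection logic. The following Go program is an added example, not code from this post or from Malwarebytes: it applies those rules to a constructed, Sysmon-style event trace. The Roaming subfolder of %APPDATA%, the event field names, and the assumption that Killar.exe is launched from the Byxor folder are mine; the .VAGGEN extension rule is taken from the ransomware section that follows.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a minimal, constructed endpoint telemetry record with Sysmon-like
// field names. It is not the format of any real log from the incident.
type Event struct {
	Kind        string // "process" (creation), "network" (connect) or "file" (write)
	Image       string // process that performed the action
	ParentImage string // parent process, for process creations
	Target      string // child image path, destination host, or written file path
}

// Indicators described in the post: the Byxor drop directory in %APPDATA%
// (assumed to resolve to AppData\Roaming), the canarytokens.com callback made
// by the macro, and the .VAGGEN extension added by the ransomware.
const (
	dropDir       = `\appdata\roaming\byxor\`
	canaryHost    = "canarytokens.com"
	ransomExt     = ".vaggen"
	officeProcess = "winword.exe"
)

// base returns the lower-cased file name of a Windows or POSIX path.
func base(p string) string {
	i := strings.LastIndexAny(p, `\/`)
	return strings.ToLower(p[i+1:])
}

// detectVaggenChain returns one alert string per event that matches one of the
// three behaviours. Matching is case-insensitive because Windows paths are.
func detectVaggenChain(events []Event) []string {
	var alerts []string
	for _, e := range events {
		switch e.Kind {
		case "process":
			// Word spawning something it just wrote under %APPDATA%\Byxor.
			if base(e.ParentImage) == officeProcess &&
				strings.Contains(strings.ToLower(e.Target), dropDir) {
				alerts = append(alerts, fmt.Sprintf("Word launched dropped binary: %s", e.Target))
			}
		case "network":
			// The macro's success/failure beacon to canarytokens.com.
			if base(e.Image) == officeProcess &&
				strings.HasSuffix(strings.ToLower(e.Target), canaryHost) {
				alerts = append(alerts, fmt.Sprintf("Word macro beacon to %s", e.Target))
			}
		case "file":
			// Any process writing files with the ransomware's extension.
			if strings.HasSuffix(strings.ToLower(e.Target), ransomExt) {
				alerts = append(alerts, fmt.Sprintf("ransomware extension written by %s: %s", base(e.Image), e.Target))
			}
		}
	}
	return alerts
}

// sampleEvents is a constructed trace mixing the described chain with benign
// activity; it is not telemetry from the UBC incident.
var sampleEvents = []Event{
	{Kind: "process", ParentImage: `C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE`,
		Target: `C:\Users\alice\AppData\Roaming\Byxor\Killar.exe`},
	{Kind: "network", Image: `C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE`,
		Target: "canarytokens.com"},
	{Kind: "process", ParentImage: `C:\Windows\explorer.exe`,
		Target: `C:\Windows\System32\notepad.exe`},
	{Kind: "file", Image: `C:\Users\alice\AppData\Roaming\Byxor\Killar.exe`,
		Target: `C:\Users\alice\Documents\budget.xlsx.VAGGEN`},
	{Kind: "file", Image: `C:\Windows\explorer.exe`,
		Target: `C:\Users\alice\Documents\notes.txt`},
}

func main() {
	for _, a := range detectVaggenChain(sampleEvents) {
		fmt.Println(a)
	}
}
```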
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Several of these correspond to the following functionality:

- main_LAMNARDETTA -> main_enumDir
- main_ELDBJORT -> main_encryptFile
- main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
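The on-disk layout described above (12-byte nonce, ciphertext, 16-byte GCM tag) together with the 32-byte hardcoded key is all that is needed to recover a file. The following Go program is an added example, not the malware's code or a Malwarebytes tool: it builds a constructed blob in that layout, then splits and decrypts it, rejecting inputs that are too short or that fail GCM authentication (wrong key or corrupted file). crypto/rand stands in for CryptGenRandom; everything else follows the post's description.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// vaggenKey is the key the post reports as hardcoded in the sample: 32 bytes, so AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

// Field sizes of the .VAGGEN layout: nonce (12) || ciphertext || GCM tag (16).
const (
	vaggenNonceSize = 12
	vaggenTagSize   = 16
)

var errTooShort = errors.New("vaggen: blob shorter than nonce + tag, not a valid .VAGGEN file")

// newVaggenGCM builds the AES-GCM instance used for both directions.
func newVaggenGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// makeSampleVaggen produces a blob in the described layout. It exists only so the
// example has a constructed input to recover; it is not the malware's routine.
func makeSampleVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newVaggenGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, vaggenNonceSize)
	if _, err := rand.Read(nonce); err != nil { // crypto/rand in place of CryptGenRandom
		return nil, err
	}
	// gcm.Seal appends ciphertext || tag to dst, so passing the nonce as dst
	// yields exactly nonce || ciphertext || tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// splitVaggen separates a .VAGGEN blob into its three fields, checking the minimum size.
func splitVaggen(blob []byte) (nonce, ciphertext, tag []byte, err error) {
	if len(blob) < vaggenNonceSize+vaggenTagSize {
		return nil, nil, nil, errTooShort
	}
	nonce = blob[:vaggenNonceSize]
	ciphertext = blob[vaggenNonceSize : len(blob)-vaggenTagSize]
	tag = blob[len(blob)-vaggenTagSize:]
	return nonce, ciphertext, tag, nil
}

// recoverVaggen decrypts a .VAGGEN blob with the given key. GCM verifies the tag,
// so a wrong key or a damaged file returns an error instead of garbage plaintext.
func recoverVaggen(key, blob []byte) ([]byte, error) {
	nonce, _, _, err := splitVaggen(blob)
	if err != nil {
		return nil, err
	}
	gcm, err := newVaggenGCM(key)
	if err != nil {
		return nil, err
	}
	// gcm.Open expects ciphertext || tag, which is everything after the nonce.
	return gcm.Open(nil, nonce, blob[vaggenNonceSize:], nil)
}

func main() {
	plaintext := []byte("constructed sample document contents") // not a real victim file
	blob, err := makeSampleVaggen([]byte(vaggenKey), plaintext)
	if err != nil {
		panic(err)
	}
	got, err := recoverVaggen([]byte(vaggenKey), blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob %d bytes, recovered %d bytes, match=%v\n", len(blob), len(got), bytes.Equal(got, plaintext))
}
```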
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 279 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 280 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 281 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to determine whether it was successful (the return value is the task ID of the executed application)
- If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Of these, the following were identified:

- main_LAMNARDETTA -> main_enumDir
- main_ELDBJORT -> main_encryptFile
- main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Golang function path/filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12 byte long nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12 byte long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
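The layout above (nonce, ciphertext, GCM tag, all under one hardcoded key) is what makes recovery possible. The following Go program is an added example, not code from the sample or from Malwarebytes: it parses a .VAGGEN file, verifies the tag with the key quoted above and writes the plaintext back under the original name, leaving the encrypted file untouched whenever the tag check fails. The function names, the SealSample helper that builds a constructed input, and the sample file content are assumptions made for this demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Hardcoded 32-byte AES-256 key quoted from the sample in the analysis above.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

// Extension added by the renaming routine, GCM nonce size (CryptGenRandom in
// the sample) and GCM tag size appended by gcm.Seal.
const vaggenExt, nonceSize, tagSize = ".VAGGEN", 12, 16

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptVaggen parses the on-disk layout nonce || ciphertext || tag and returns
// the original content. A wrong key, a truncated file or any modification fails
// GCM tag verification and yields an error rather than garbage.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	// gcm.Open expects ciphertext||tag, which is exactly what follows the nonce.
	return gcm.Open(nil, nonce, sealed, nil)
}

// RecoveredName strips the .VAGGEN suffix; other names are returned unchanged.
func RecoveredName(name string) string {
	return strings.TrimSuffix(name, vaggenExt)
}

// SealSample builds a constructed input in the same layout for offline testing
// (hypothetical helper for this demo, not code from the sample).
func SealSample(plain, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil // nonce || ciphertext || tag
}

// RecoverFile decrypts one .VAGGEN file and writes the plaintext next to it.
func RecoverFile(path string, key []byte) (string, error) {
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plain, err := DecryptVaggen(blob, key)
	if err != nil {
		return "", err // encrypted file stays untouched on a failed tag check
	}
	out := RecoveredName(path)
	return out, os.WriteFile(out, plain, 0o600)
}

func main() {
	key := []byte(vaggenKey)
	dir, err := os.MkdirTemp("", "vaggen-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// Constructed victim file, sealed and renamed the way the sample does.
	sealed, _ := SealSample([]byte("quarterly report (constructed sample)\n"), key)
	_ = os.WriteFile(filepath.Join(dir, "report.txt"+vaggenExt), sealed, 0o600)
	// Walk the tree as the sample does, recovering instead of encrypting.
	_ = filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !strings.HasSuffix(path, vaggenExt) {
			return err
		}
		out, rerr := RecoverFile(path, key)
		fmt.Printf("%s -> %s (err=%v)\n", path, out, rerr)
		return nil
	})
}
```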
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 326 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 327 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 328 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 329 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 330 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 331 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 332 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 333 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 334 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 335 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 336 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 337 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 338 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 339 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 340 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 341 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 342 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims into paying to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, the attack was not successful, thanks to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly by email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters, which would have blocked messages coming from a newly registered email address with a low reputation. By comparison, it is much harder to flag share notifications from legitimate file-sharing services without generating a large number of false positives.

The attacker claimed to be a manager and added the following comment to the file-sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to the shared document. Because the file was shared privately rather than publicly, a Box or Dropbox account was required to download it.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection: the .docx itself carries no macro, but its settings reference a remote template (template.dotm) that Word fetches and loads when the document is opened. That template is weaponized with a malicious macro and was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the VBA Shell function to execute killar.exe
- Checks the return value of Shell to see whether the launch succeeded (on success, the return value is the task ID of the started process)
- If successful, sends an HTTP GET request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn't successful, sends an HTTP GET request to canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the repositories, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document triggers a notification via the canarytokens.com website. Typically, defenders use this type of service to be alerted when a particular event occurs; it can be very useful as an early warning that an intruder has gained access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and appends the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go. Execution starts with the function denoted as main_main. Other functions belonging to the main application have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. The ones responsible for the encryption can be renamed as follows:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (such as the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64 and then decrypted with the hardcoded XXTEA key "STALKER". At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function filepath.Walk (package path/filepath). Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the gcm.Seal function. The output file (with the .VAGGEN extension) therefore contains, in order:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

Go's gcm.Seal returns the ciphertext with the authentication tag appended, so the only thing the malware has to write ahead of it is the nonce.

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". It is exactly 32 bytes, the AES-256 key length, and because it is embedded in the binary rather than generated per victim, anyone holding the sample and knowing the file layout can decrypt every file. Using this key, we can easily decrypt the content. With all these elements, we can recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
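With the layout (nonce, ciphertext, tag) and the key known, recovery is a few lines of Go, the language the ransomware itself is written in. The program below is an added example, not the analysts' decryptor and not code from the sample: it reproduces the .VAGGEN layout with the standard library's crypto/cipher GCM (Seal appends the tag, so the writer prepends the nonce), then decrypts a constructed blob with the hardcoded key. The sample plaintext, the function names and the crypto/rand nonce standing in for CryptGenRandom are assumptions; the key, nonce size and tag size are the values reported above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// VaggenKey is the 32-byte key hardcoded in the sample (AES-256).
const VaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // nonce written at the start of every .VAGGEN file
	tagSize   = 16 // GCM tag appended by gcm.Seal
	ext       = ".VAGGEN"
)

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(VaggenKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
}

// SealVaggen reproduces the on-disk layout described in the analysis:
// nonce || gcm.Seal(plaintext), where the Seal output is ciphertext || tag.
// The nonce is random here, standing in for CryptGenRandom.
func SealVaggen(plaintext []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends to its first argument, so the nonce ends up first.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenVaggen recovers the plaintext of a .VAGGEN blob using the hardcoded key.
// A wrong key, a truncated file or any tampering fails the GCM tag check.
func OpenVaggen(blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("blob shorter than nonce + tag")
	}
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce, body := blob[:nonceSize], blob[nonceSize:]
	return gcm.Open(nil, nonce, body, nil)
}

// RestoredName strips the ransomware's extension, returning the original
// file name and whether the input actually carried the extension.
func RestoredName(name string) (string, bool) {
	if !strings.HasSuffix(name, ext) {
		return name, false
	}
	return strings.TrimSuffix(name, ext), true
}

func main() {
	// Constructed sample: encrypt a document the way the malware would, then recover it.
	original := []byte("quarterly budget, do not share")
	blob, err := SealVaggen(original)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted blob: %d bytes (12 nonce + %d data + 16 tag)\n", len(blob), len(original))
	plain, err := OpenVaggen(blob)
	if err != nil {
		panic(err)
	}
	name, _ := RestoredName("report.docx" + ext)
	fmt.Printf("%s -> %q\n", name, plain)
}
```

Because GCM authenticates the ciphertext, a damaged or partially overwritten .VAGGEN file fails in gcm.Open rather than producing garbage, which is a useful signal when triaging a recovered volume: an Open error means the file is not intact, not that the key is wrong.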
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 357 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 358 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 359 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 360 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 361 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 362 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 363 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 364 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 365 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 366 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 367 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 368 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 369 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 370 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment to the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to determine whether it succeeded (on success, the return value is the task ID of the launched application)
- If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document triggers a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event; it can be very useful as an early warning system that an intruder has gained access to a network.
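As an added example (not code from the post or from Malwarebytes), the following Go program performs the check a defender would want for the template injection described above: it opens a .docx as the zip container it is and reports any attachedTemplate relationship whose TargetMode is External, that is, a document that fetches its template from a remote URL when opened. The sample document and its template URL are constructed here; the relationship type string is the standard OOXML one.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// AttachedTemplateType is the OOXML relationship type that points a document at
// its template; with TargetMode="External", Word fetches the target on open.
const AttachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// relationships mirrors the subset of an OPC .rels part that the check needs.
type relationships struct {
	XMLName xml.Name       `xml:"Relationships"`
	Items   []relationship `xml:"Relationship"`
}

type relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

// FindRemoteTemplates scans every .rels part of an in-memory .docx and returns
// "part -> target" for each attachedTemplate relationship with an external
// target, the marker of remote template injection. A local template reference
// (no TargetMode, or TargetMode="Internal") is normal and is not reported.
func FindRemoteTemplates(doc []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, fmt.Errorf("not an OPC zip container: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Items {
			if r.Type == AttachedTemplateType && strings.EqualFold(r.TargetMode, "External") {
				hits = append(hits, f.Name+" -> "+r.Target)
			}
		}
	}
	return hits, nil
}

// BuildSampleDocx constructs a minimal document in memory (test data only).
// With external=true it carries an injected remote template relationship;
// otherwise the template relationship is a harmless local reference.
func BuildSampleDocx(target string, external bool) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	add := func(name, body string) {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	mode := ""
	if external {
		mode = ` TargetMode="External"`
	}
	add("word/document.xml", `<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>`)
	add("word/_rels/settings.xml.rels", `<?xml version="1.0" encoding="UTF-8"?>`+
		`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`+
		`<Relationship Id="rId1" Type="`+AttachedTemplateType+`" Target="`+target+`"`+mode+`/>`+
		`</Relationships>`)
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Placeholder host; the campaign in the post hosted its templates on notabug.org.
	doc := BuildSampleDocx("http://template-host.invalid/template.dotm", true)
	hits, err := FindRemoteTemplates(doc)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, h := range hits {
		fmt.Println("remote template relationship:", h)
	}
	// prints: remote template relationship: word/_rels/settings.xml.rels -> http://template-host.invalid/template.dotm
}
```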
In this case, the attacker is probably using the canary tokens to learn how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files, adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD, to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Three of these correspond to the following functionality:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (e.g. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64; the XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go library function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function. The content of the output file (with the .VAGGEN extension) consists of:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike with professional ransomware, files can be recovered from this attack fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
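The file layout and hardcoded key described in the Vaggen ransomware section above, worked through in Go as an added example (our reconstruction, not the malware’s code or a Malwarebytes tool): RecoverVaggen splits nonce || ciphertext || tag and calls gcm.Open, which verifies the tag as it decrypts; SealVaggenSample constructs a test blob in the same layout, taking its nonce from crypto/rand rather than CryptGenRandom, and both assume no additional authenticated data was used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"strings"
)

// VaggenKey is the hardcoded AES-256 key reported in the write-up (32 bytes).
const VaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // nonce stored at the start of a .VAGGEN file
	tagSize   = 16 // GCM tag stored at the end
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RecoverVaggen takes a blob laid out as nonce || ciphertext || tag and returns
// the plaintext. gcm.Open verifies the tag, so a wrong key, a truncated file
// or a corrupted tag produces an error instead of silently wrong output.
func RecoverVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("blob too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	return gcm.Open(nil, nonce, sealed, nil) // nil AAD is an assumption
}

// SealVaggenSample builds a constructed blob in the same layout so the recovery
// path can be exercised offline. The nonce comes from crypto/rand here; the
// malware obtained its nonce from CryptGenRandom.
func SealVaggenSample(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst; using the nonce as dst yields nonce||ciphertext||tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RecoverFile writes the plaintext of <name>.VAGGEN to <name> and returns that
// path; the encrypted copy is left untouched for the incident record.
func RecoverFile(path string) (string, error) {
	if !strings.HasSuffix(path, ".VAGGEN") {
		return "", fmt.Errorf("%s does not carry the .VAGGEN extension", path)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plain, err := RecoverVaggen([]byte(VaggenKey), blob)
	if err != nil {
		return "", fmt.Errorf("%s: %w", path, err)
	}
	out := strings.TrimSuffix(path, ".VAGGEN")
	return out, os.WriteFile(out, plain, 0o600)
}

func main() {
	key := []byte(VaggenKey)
	sample := []byte("constructed sample document") // constructed test input
	blob, err := SealVaggenSample(key, sample)
	if err != nil {
		fmt.Println("seal:", err)
		return
	}
	got, err := RecoverVaggen(key, blob)
	fmt.Printf("blob is %d+%d+%d bytes, round trip ok: %v\n",
		nonceSize, len(sample), tagSize, err == nil && bytes.Equal(got, sample))
	// Any .VAGGEN paths given on the command line are recovered next to the originals.
	for _, p := range os.Args[1:] {
		if out, err := RecoverFile(p); err != nil {
			fmt.Println("failed:", err)
		} else {
			fmt.Println("recovered:", out)
		}
	}
}
```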
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 395 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 396 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 397 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

1. Gets the %APPDATA% directory.
2. Creates the Byxor directory in %APPDATA%.
3. Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
4. Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
5. Calls the Shell function to execute killar.exe.
6. Checks the return value of the Shell function to determine whether it succeeded (on success, the return value is the task ID of the launched application).
7. If successful, sends an HTTP GET request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
8. If not successful, sends an HTTP GET request to canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning system that an intruder has gained access to a network.
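Template injection leaves a static indicator that a defender can check without ever opening the document in Word or letting the macro run: the document's settings part carries an attachedTemplate relationship whose target is a web URL instead of a local template. The following Go program is an added example, not code from the original post. It reads a .docx as the ZIP container it is, parses the relationship parts under word/_rels/, and reports any attachedTemplate relationship with an http or https target. The relationship type URI is the standard OOXML one; the function names, the in-memory sample package and the example.invalid target are constructed for this demonstration and are not artifacts from the campaign.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Standard OOXML relationship type that links a document to its attached
// template; Word writes it into word/_rels/settings.xml.rels.
const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// relationships mirrors a .rels part: a list of Relationship elements.
type relationships struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// remoteTemplates opens a .docx (a ZIP container), walks every relationship
// part under word/_rels/ and returns the targets of attachedTemplate
// relationships that point at a web URL. Legitimately attached local
// templates also use TargetMode="External" but carry a file:// target, so
// only http/https schemes are reported here.
func remoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, err
	}
	var found []string
	for _, f := range zr.File {
		if !strings.HasPrefix(f.Name, "word/_rels/") || !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if r.Type != attachedTemplateType {
				continue
			}
			lower := strings.ToLower(r.Target)
			if strings.HasPrefix(lower, "http://") || strings.HasPrefix(lower, "https://") {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

// buildSampleDocx is a constructed test fixture, not a document from the
// campaign: a minimal package holding only the settings relationship part
// with an external attached template pointing at the given target.
func buildSampleDocx(target string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("word/_rels/settings.xml.rels")
	fmt.Fprintf(w, `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>
</Relationships>`, attachedTemplateType, target)
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Placeholder target; the real document pointed at a .dotm on notabug.org.
	samples := map[string][]byte{
		"suspicious": buildSampleDocx("https://example.invalid/template.dotm"),
		"benign":     buildSampleDocx("file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm"),
	}
	for name, doc := range samples {
		targets, err := remoteTemplates(doc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d remote template(s) %v\n", name, len(targets), targets)
	}
}
```

Run against a mailbox or file-share quarantine, a non-empty result is a strong triage signal on its own, and the reported URL is the first indicator to block and to hunt for in proxy logs.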
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. The ones we identified map as follows:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64; the XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 byte long nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function. The output file (with the .VAGGEN extension) contains:

- the 12 byte long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

With all these elements, we can recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It's unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
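Returning to the .VAGGEN file layout described in the Vaggen ransomware section: a 12-byte nonce, then the ciphertext, then the 16-byte GCM tag is exactly what Go's gcm.Seal emits when the nonce slice is passed as the destination, and it is what makes recovery mechanical once the key is known. The following Go program is an added example, not code from the original post or from the sample. recoverVaggen splits a .VAGGEN blob into nonce and sealed payload and opens it with the hardcoded key quoted above; because GCM authenticates, a wrong key, a truncated file or a modified byte fails cleanly instead of producing garbage. Only the key string comes from the analysis; the function names and the sample blob are constructed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// 32-byte key recovered from the Vaggen sample (quoted in the analysis above);
// a 32-byte key selects AES-256 in aes.NewCipher.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceLen = 12 // standard GCM nonce size, matching the sample
	tagLen   = 16 // GCM authentication tag appended by Seal
)

// newGCM builds an AES-GCM AEAD from the key; it errors on a bad key length.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// recoverVaggen takes the full content of a .VAGGEN file laid out as
// nonce || ciphertext || tag and returns the original plaintext. gcm.Open
// verifies the tag, so a wrong key, a truncated file or a flipped byte all
// surface as an error rather than as silently corrupted output.
func recoverVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < nonceLen+tagLen {
		return nil, errors.New("blob too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceLen], blob[nonceLen:]
	return gcm.Open(nil, nonce, sealed, nil)
}

// makeSampleBlob is a constructed test fixture, not the malware's code: it
// seals a buffer with the same key and layout so recoverVaggen has input.
// Passing nonce as dst makes Seal prepend it, giving nonce || ciphertext || tag.
func makeSampleBlob(plaintext, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	key := []byte(vaggenKey)
	blob, err := makeSampleBlob([]byte("constructed sample document body"), key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob: %d bytes = %d nonce + %d ciphertext + %d tag\n",
		len(blob), nonceLen, len(blob)-nonceLen-tagLen, tagLen)

	plain, err := recoverVaggen(blob, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\n", plain)

	// Flip one ciphertext byte: the tag no longer verifies and Open refuses.
	blob[nonceLen] ^= 0xff
	if _, err := recoverVaggen(blob, key); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

For a real recovery pass this function would be called on each file carrying the .VAGGEN extension, writing the plaintext to a new file and keeping the original until the decrypted copy has been verified; the tag check is what lets that verification be automatic.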
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 415 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 416 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 417 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 418 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 419 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 420 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and Dropbox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

1. Gets the %APPDATA% directory
2. Creates the Byxor directory in %APPDATA%
3. Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
4. Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
5. Calls the Shell function to execute killar.exe
6. Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
7. If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
8. If it isn’t successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
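The template-injection trait described above can be checked for on the defender's side without opening the document in Word. The following is an added example written for this page (it is not code from the original post and not Malwarebytes' tooling): it reads the .docx as the zip container it is, parses word/_rels/settings.xml.rels, and flags an attachedTemplate relationship whose target is an external http(s) URL, together with any embedded vbaProject.bin (the macro). The fixture builder, the placeholder URL example.invalid and the placeholder VBA blob are constructed for the demonstration; everything else uses only the Go standard library.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// relationships mirrors the part of an OOXML .rels file that matters here.
type relationships struct {
	XMLName xml.Name       `xml:"Relationships"`
	Rels    []relationship `xml:"Relationship"`
}

type relationship struct {
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

// Finding is one suspicious trait of the document.
type Finding struct {
	Part   string // zip entry the finding came from
	Reason string
	Target string // remote URL, when applicable
}

// ScanDocx flags the two traits used by the phishing document: an attachedTemplate
// relationship in word/_rels/settings.xml.rels whose target is an external URL
// (remote template injection), and an embedded VBA project (vbaProject.bin).
func ScanDocx(doc []byte) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, f := range zr.File {
		switch {
		case f.Name == "word/_rels/settings.xml.rels":
			rc, err := f.Open()
			if err != nil {
				return nil, err
			}
			raw, err := io.ReadAll(rc)
			rc.Close()
			if err != nil {
				return nil, err
			}
			var rels relationships
			if err := xml.Unmarshal(raw, &rels); err != nil {
				return nil, err
			}
			for _, r := range rels.Rels {
				if !strings.HasSuffix(r.Type, "/attachedTemplate") {
					continue
				}
				target := strings.ToLower(r.Target)
				if r.TargetMode == "External" && (strings.HasPrefix(target, "http://") || strings.HasPrefix(target, "https://")) {
					findings = append(findings, Finding{f.Name, "remote template (template injection)", r.Target})
				}
			}
		case strings.HasSuffix(f.Name, "vbaProject.bin"):
			findings = append(findings, Finding{f.Name, "embedded VBA project (macro)", ""})
		}
	}
	return findings, nil
}

// BuildSampleDocx builds a minimal OOXML container in memory so the scanner can be run
// offline. It is a constructed fixture, not a real document: only the parts the scanner
// inspects are populated. An empty templateURL yields a benign document.
func BuildSampleDocx(templateURL string, withMacro bool) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	add := func(name, body string) {
		w, _ := zw.Create(name)
		io.WriteString(w, body)
	}
	add("[Content_Types].xml", `<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`)
	rels := `<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`
	if templateURL != "" {
		rels += `<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="` + templateURL + `" TargetMode="External"/>`
	}
	rels += `</Relationships>`
	add("word/_rels/settings.xml.rels", rels)
	if withMacro {
		add("word/vbaProject.bin", "constructed placeholder, not a real VBA project")
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Constructed sample: a document pointing at a placeholder remote template.
	doc := BuildSampleDocx("https://example.invalid/template.dotm", true)
	findings, err := ScanDocx(doc)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s %s\n", f.Part, f.Reason, f.Target)
	}
}
```

On a real attachment, read the file with os.ReadFile and pass the bytes to ScanDocx; a clean document yields no findings. A flagged attachedTemplate target is the URL Word will fetch when the document is opened, which makes it the value to block at the proxy and to search for in proxy logs.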
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Some of them map to the following functionality:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encryption and renaming of the files is implemented as the callback of the standard Go library function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function. The output file (with the .VAGGEN extension) is laid out as:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
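The recovery the analysis describes (AES-256-GCM with the hardcoded 32-byte key, a nonce || ciphertext || tag file layout, and filepath.Walk traversal) follows directly from the three facts above. The following is an added example written for this page in Go, the language of the sample; it is not Malwarebytes' decryptor and not the malware's own code. It assumes only the key and layout exactly as quoted in the post; the fixture builder, the sample plaintext and the file name used in the walk are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// VaggenKey is the 32-byte AES-256 key hardcoded in the sample, as quoted in the analysis.
const VaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceLen  = 12 // nonce written at the start of each .VAGGEN file
	tagLen    = 16 // GCM tag appended by gcm.Seal
	vaggenExt = ".VAGGEN"
)

// DecryptVaggen reverses the documented layout: nonce(12) || ciphertext || tag(16).
// gcm.Open expects ciphertext||tag, which is exactly what follows the nonce, so the tag is
// verified automatically and a tampered or wrongly keyed file is rejected instead of
// producing garbage.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < nonceLen+tagLen {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceLen], blob[nonceLen:], nil)
}

// BuildSampleVaggen produces a test fixture in the same layout so the recovery code can be
// exercised offline. It is a constructed fixture builder for this example, not the malware.
func BuildSampleVaggen(plaintext, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst; passing nonce as dst yields nonce||ciphertext||tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RecoverTree walks root with filepath.Walk, the same primitive the malware drives its
// encryption callback from, and writes every *.VAGGEN file back under its original name.
// The encrypted copy is left in place so the evidence survives; remove it once verified.
func RecoverTree(root string, key []byte) (int, error) {
	recovered := 0
	err := filepath.Walk(root, func(path string, info os.FileInfo, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if info.IsDir() || !strings.HasSuffix(path, vaggenExt) {
			return nil
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		plain, err := DecryptVaggen(blob, key)
		if err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		if err := os.WriteFile(strings.TrimSuffix(path, vaggenExt), plain, 0o600); err != nil {
			return err
		}
		recovered++
		return nil
	})
	return recovered, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	n, err := RecoverTree(root, []byte(VaggenKey))
	if err != nil {
		fmt.Fprintln(os.Stderr, "recovery stopped:", err)
		os.Exit(1)
	}
	fmt.Printf("recovered %d file(s)\n", n)
}
```

Run it against a copy of the affected tree rather than the original, and keep the .VAGGEN files until the restored content has been checked: because GCM authenticates the ciphertext, any file that fails to decrypt was either produced by a different variant or key, or was modified after encryption, and both are worth knowing during the incident.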
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 443 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 444 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 445 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 446 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 447 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 448 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 449 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 450 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 451 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 452 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 453 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 454 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 455 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 456 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 457 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 458 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero. In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 459 of 3467 However, this attack and motives are different than the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files. On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team. 
Mandatory COVID-19 survey distributed to targeted recipients The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives. The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC): Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 460 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

1. Gets the %APPDATA% directory.
2. Creates the Byxor directory in %APPDATA%.
3. Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
4. Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
5. Calls the Shell function to execute Killar.exe.
6. Checks the return value of the Shell call to determine whether it succeeded (on success, the return value is the task ID of the launched application).
7. If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
8. If it is not successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning system that an intruder has gained access to a network.
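The template injection described above works through a relationship in the document's word/_rels/settings.xml.rels that points Word at a remote .dotm. The following Go example (added here, not code from the post or from the malware) extracts that relationship from a .docx and flags attached templates fetched over HTTP(S); the fixture documents, the host name and the local template path are constructed placeholders. Note that a normal locally attached template also appears as an External relationship, but with a file:// target, so the URL scheme is what distinguishes remote injection.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// relationships mirrors the part of word/_rels/settings.xml.rels that matters
// for template injection: each Relationship's Type, Target and TargetMode.
type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// externalTemplates returns the Target of every attachedTemplate relationship
// that Word would fetch over http(s) when the document opens. Locally attached
// templates (file:// targets) are left alone, so a hit is worth triaging.
func externalTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, err
	}
	var found []string
	for _, f := range zr.File {
		if f.Name != "word/_rels/settings.xml.rels" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		raw, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(raw, &rels); err != nil {
			return nil, err
		}
		for _, r := range rels.Rels {
			target := strings.ToLower(r.Target)
			remote := strings.HasPrefix(target, "http://") || strings.HasPrefix(target, "https://")
			if strings.HasSuffix(r.Type, "/attachedTemplate") && r.TargetMode == "External" && remote {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

// buildDocx assembles a minimal zip with just the parts this check reads.
// It is a constructed fixture, not a real Word document.
func buildDocx(relsXML string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	parts := map[string]string{
		"word/document.xml":            `<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>`,
		"word/_rels/settings.xml.rels": relsXML,
	}
	for name, body := range parts {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

const relsHeader = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>` +
	`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`

const attachedTemplateType = `http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate`

// injectedRels models the post's description: the attached template lives on a
// code-hosting site. The host name here is a placeholder, not the real one.
const injectedRels = relsHeader +
	`<Relationship Id="rId1" Type="` + attachedTemplateType + `" ` +
	`Target="https://code-host.example/Word-Templates/raw/master/template.dotm" TargetMode="External"/>` +
	`</Relationships>`

// cleanRels is the same part for a document whose template is a local file
// (constructed path); Word still marks it External, but the scheme is file://.
const cleanRels = relsHeader +
	`<Relationship Id="rId1" Type="` + attachedTemplateType + `" ` +
	`Target="file:///C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm" TargetMode="External"/>` +
	`</Relationships>`

func main() {
	for label, rels := range map[string]string{"injected": injectedRels, "clean": cleanRels} {
		targets, err := externalTemplates(buildDocx(rels))
		if err != nil {
			fmt.Println(label, "error:", err)
			continue
		}
		fmt.Printf("%s: %d remote template(s) %v\n", label, len(targets), targets)
	}
}
```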
In this case, the canary token most likely tells the attacker how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. For example:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”).

At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function filepath.Walk (from the path/filepath package).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) consists of:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
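Returning to the .VAGGEN layout described in the Vaggen ransomware section, here is an added Go example (not the malware's code and not the post's own tooling) that shows how a defender recovers a file: split off the 12-byte nonce, then open the remaining ciphertext || tag with AES-256-GCM under the key quoted above. It assumes the key string is used verbatim as the 32-byte key and that no additional authenticated data is passed to Seal; sealSample exists only to build a constructed test blob in the same layout.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// vaggenKey is the 32-byte key quoted in the write-up; 32 bytes selects AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceLen = 12 // GCM nonce stored at the start of every .VAGGEN file
	tagLen   = 16 // GCM tag that gcm.Seal appends after the ciphertext
)

// newGCM builds the AES-256-GCM AEAD for the given key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// decryptVaggen recovers plaintext from the layout nonce || ciphertext || tag.
// Go's gcm.Open expects ciphertext || tag as one slice, so only the nonce
// needs to be split off the front.
func decryptVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < nonceLen+tagLen {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceLen], blob[nonceLen:]
	// Open verifies the tag, so a wrong key or a corrupted file fails closed
	// instead of producing garbage output.
	return gcm.Open(nil, nonce, sealed, nil)
}

// originalName restores the file name by stripping the appended extension.
func originalName(name string) string {
	return strings.TrimSuffix(name, ".VAGGEN")
}

// sealSample builds a blob in the same layout so the decryptor can be
// exercised offline. It is a constructed fixture generator, not malware code.
func sealSample(plaintext, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext || tag to dst; starting dst with the nonce
	// yields exactly the on-disk layout described in the write-up.
	return gcm.Seal(append([]byte{}, nonce...), nonce, plaintext, nil), nil
}

func main() {
	key := []byte(vaggenKey)
	blob, err := sealSample([]byte("constructed sample document"), key)
	if err != nil {
		panic(err)
	}
	plain, err := decryptVaggen(blob, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %d bytes on disk -> %q\n", originalName("report.docx.VAGGEN"), len(blob), plain)
}
```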
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 503 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 504 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 505 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 506 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 507 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 508 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 509 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 510 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 511 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 512 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 513 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 514 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 515 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 516 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 517 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 518 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 519 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 520 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 521 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide, which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims in exchange for recovering their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful thanks to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters, which would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam sent through file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment to the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

1. Gets the %APPDATA% directory.
2. Creates the Byxor directory in %APPDATA%.
3. Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
4. Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
5. Calls the Shell function to execute killar.exe.
6. Checks the return value of the Shell function to see whether the launch succeeded (on success, the return value is the task ID of the executed application).
7. If successful, sends an HTTP GET request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
8. If it isn't successful, sends an HTTP GET request to canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted to a particular event. This can be very useful as an early warning system that an intruder has had access to a network.
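A check for the template-injection technique described above, added here as a Go example and not the project's or the campaign's code: a document that pulls a remote template carries an attachedTemplate relationship with TargetMode="External" in word/_rels/settings.xml.rels, so the check opens the .docx as a zip, parses that part and reports external targets that are remote (http, https or UNC), while a local Normal.dotm attachment, which Word also records as External, is not flagged. The two documents are constructed in memory and the template URL is a placeholder, not the one used in this campaign.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"strings"
)

const (
	// attachedTemplateType is the relationship type Word uses for the template a
	// document is attached to; with TargetMode="External" Word fetches the target.
	attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
	settingsRelsPath     = "word/_rels/settings.xml.rels"
)

type relationship struct {
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

// isRemote separates targets fetched over the network (http, https, UNC, file://
// with a host) from local file:/// paths such as a user's own Normal.dotm.
func isRemote(target string) bool {
	t := strings.ToLower(target)
	return strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") ||
		strings.HasPrefix(t, `\\`) || (strings.HasPrefix(t, "file://") && !strings.HasPrefix(t, "file:///"))
}

// RemoteTemplates returns every remote attachedTemplate target in the document's
// settings relationships. A non-empty result is the template-injection indicator.
func RemoteTemplates(doc []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, fmt.Errorf("not a zip/OOXML container: %w", err)
	}
	var found []string
	for _, f := range zr.File {
		if f.Name != settingsRelsPath {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		var rels relationships
		err = xml.NewDecoder(rc).Decode(&rels)
		rc.Close()
		if err != nil {
			return nil, fmt.Errorf("%s: %w", settingsRelsPath, err)
		}
		for _, r := range rels.Rels {
			if r.Type == attachedTemplateType && strings.EqualFold(r.TargetMode, "External") && isRemote(r.Target) {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

// buildSampleDocx assembles a minimal OOXML-shaped zip in memory; only the
// settings relationships part matters for this check.
func buildSampleDocx(settingsRels string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create(settingsRelsPath) // a real .docx carries many more parts
	if err == nil {
		_, err = w.Write([]byte(settingsRels))
	}
	if err == nil {
		err = zw.Close()
	}
	if err != nil {
		panic(err) // fixed in-memory sample data; cannot fail in practice
	}
	return buf.Bytes()
}

// Constructed relationship parts: one pulling a remote template (placeholder
// URL, not the campaign's), one attached to the user's local Normal.dotm.
const (
	injectedRels = `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="https://example.invalid/raw/master/template.dotm" TargetMode="External"/>
</Relationships>`
	benignRels = `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="file:///C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm" TargetMode="External"/>
</Relationships>`
)

func main() {
	found, err := RemoteTemplates(buildSampleDocx(injectedRels))
	fmt.Printf("remote templates: %v (err=%v)\n", found, err)
}
```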
In this campaign, by contrast, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD, to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Three of them could be mapped to their purpose:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (a 32-byte key) in GCM mode, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The encryption algorithm is similar to the one demonstrated here.
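The scheme just described, as an added Go example rather than the malware's own code: gcm.Seal with a fresh 12-byte nonce yields the nonce || ciphertext || 16-byte tag layout the next paragraph details, and with the hardcoded 32-byte key reported below a .VAGGEN file can be parsed back to plaintext. gcm.Open also rejects a wrong key, a truncated file or a flipped byte, so a recovery tool fails cleanly instead of writing garbage; the sample plaintext is constructed here and sealVaggen exists only to produce a test file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"strings"
)

const (
	// VaggenKey is the 32-byte AES-256 key the analysis found hardcoded in the sample.
	VaggenKey = "du_tar_mitt_hjart_mina_pengarna0"
	// VaggenExt is appended to every file the ransomware encrypts.
	VaggenExt = ".VAGGEN"
	nonceSize = 12 // stored at the start of the output file
	tagSize   = 16 // GCM tag, placed by gcm.Seal right after the ciphertext
)

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // the sample uses AES-256; refuse other key sizes
		return nil, fmt.Errorf("vaggen: key must be 32 bytes, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealVaggen reproduces the described layout (nonce || ciphertext || tag) so the
// recovery path can be exercised offline. gcm.Seal appends ciphertext and tag to
// dst, so passing the nonce as dst produces the layout in one call.
func sealVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RecoverVaggen splits a .VAGGEN blob into nonce and ciphertext||tag and opens it.
// A wrong key, a truncated file or a flipped byte all fail the tag check, so the
// caller never receives partially decrypted garbage.
func RecoverVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("vaggen: file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
	if err != nil {
		return nil, fmt.Errorf("vaggen: authentication failed (wrong key or damaged file): %w", err)
	}
	return plaintext, nil
}

// OriginalName strips the ransomware extension; ok is false when the name does
// not carry it, so unrelated files are skipped rather than overwritten.
func OriginalName(name string) (string, bool) {
	if !strings.HasSuffix(name, VaggenExt) || len(name) == len(VaggenExt) {
		return "", false
	}
	return strings.TrimSuffix(name, VaggenExt), true
}

// RecoverFile writes the decrypted content under the original name and keeps
// the encrypted copy, so a failed run loses nothing.
func RecoverFile(key []byte, path string) (string, error) {
	out, ok := OriginalName(path)
	if !ok {
		return "", fmt.Errorf("vaggen: %s does not end in %s", path, VaggenExt)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plaintext, err := RecoverVaggen(key, blob)
	if err != nil {
		return "", err
	}
	return out, os.WriteFile(out, plaintext, 0o600)
}

func main() {
	key := []byte(VaggenKey)
	blob, _ := sealVaggen(key, []byte("constructed sample file")) // no victim data involved
	plaintext, err := RecoverVaggen(key, blob)
	fmt.Printf("recovered %q (err=%v)\n", plaintext, err)
}
```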
The file content is encrypted with the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) consists of:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. With all these elements, we can recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 542 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 543 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. 
We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 544 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 545 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 546 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 547 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 548 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 549 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 550 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 551 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 552 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 553 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 554 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero. In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 555 of 3467 However, this attack and motives are different than the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files. On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team. 
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

1. Gets the %APPDATA% directory
2. Creates the Byxor directory in %APPDATA%
3. Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
4. Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
5. Calls the Shell function to execute killar.exe
6. Checks the return value of the Shell function to determine whether it succeeded (the return value is the task ID of the executed application)
7. If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
8. If it isn’t successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Golang function path/filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 bytes long nonce generated by CryptGenRandom.
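The decryption counterpart of the routine just described, added here as a worked example (it is not code from the original post or from Malwarebytes). It takes the hardcoded 32-byte key and the nonce / ciphertext / GCM-tag layout the analysis reports for .VAGGEN files, recovers the plaintext with gcm.Open, and walks a directory the way the malware’s filepath.Walk callback does but in reverse. The sealLikeVaggen helper only constructs sample data for the demonstration; the directory walking, the 0o600 file mode and the sample file names are this example’s own choices, not details from the analysis.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Parameters reported in the analysis: a hardcoded 32-byte key (AES-256), a
// 12-byte nonce written first, and the 16-byte GCM tag that gcm.Seal appends.
const (
	vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"
	vaggenExt = ".VAGGEN"
	nonceLen  = 12
	tagLen    = 16
)

// RecoverVaggen parses one encrypted file laid out as nonce || ciphertext || tag
// and returns the plaintext. gcm.Open verifies the tag, so a wrong key, a
// truncated file or a flipped byte fails closed instead of yielding garbage.
func RecoverVaggen(blob, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceLen+tagLen {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	return gcm.Open(nil, blob[:nonceLen], blob[nonceLen:], nil)
}

// RecoverTree mirrors the malware's directory walk from the defender's side:
// every *.VAGGEN file under root is decrypted and the plaintext written under
// the original name. The encrypted copy is kept, so a failure loses nothing.
func RecoverTree(root string, key []byte) (int, error) {
	recovered := 0
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || !strings.HasSuffix(path, vaggenExt) {
			return err
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		plain, err := RecoverVaggen(blob, key)
		if err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		if err := os.WriteFile(strings.TrimSuffix(path, vaggenExt), plain, 0o600); err != nil {
			return err
		}
		recovered++
		return nil
	})
	return recovered, err
}

// sealLikeVaggen reproduces the writer side of the layout (random nonce, then
// gcm.Seal's ciphertext || tag) so that recovery can be exercised on
// constructed data. It is a test fixture for this example, not the malware's code.
func sealLikeVaggen(plain, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, nonce...)
	return gcm.Seal(out, nonce, plain, nil), nil
}

func main() {
	key := []byte(vaggenKey)
	if len(os.Args) > 1 {
		n, err := RecoverTree(os.Args[1], key)
		fmt.Printf("recovered %d file(s), error: %v\n", n, err)
		return
	}
	// No argument: round-trip a constructed sample to show the layout works.
	blob, _ := sealLikeVaggen([]byte("constructed sample contents"), key)
	plain, err := RecoverVaggen(blob, key)
	fmt.Printf("%d bytes on disk -> %q (err=%v)\n", len(blob), plain, err)
}
```

Run it with a directory argument to recover a tree, or with none for the self-check. Because the tag is authenticated, the tool never writes a wrongly decrypted file; that is the property a recovery tool wants when the key was recovered from a binary rather than supplied by the victim.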
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12 bytes long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
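A detection-side check for the template injection used by the phishing document (see the Phishing document analysis section above), added here as an example; it is not code from the original post or from Malwarebytes. A .docx is a zip container, and the attached template is declared as a relationship in word/_rels/settings.xml.rels; when that relationship’s TargetMode is "External", Word fetches the target, which is how a remote .dotm with macros gets loaded. The program parses every relationship part and reports such targets. The sample document it builds when run without arguments is constructed for the demo, and the template URL in it is a placeholder, not an indicator from this campaign.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"os"
	"strings"
)

// Relationship type Word uses for a document's attached template. A remote
// Target with TargetMode="External" on this relationship is what makes Word
// fetch a template such as the template.dotm described in the analysis.
const attachedTemplateRel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

type relationships struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// RemoteTemplates takes the raw bytes of an OOXML document and returns every
// external attached-template target found in its relationship parts.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML (zip) container: %w", err)
	}
	var found []string
	for _, f := range zr.File {
		// Relationship parts end in .rels; the attached template lives in
		// word/_rels/settings.xml.rels, but scanning all of them is cheap.
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if r.Type == attachedTemplateRel && strings.EqualFold(r.TargetMode, "External") {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

// buildSampleDocx writes a minimal, constructed OOXML container to memory so
// the check can be exercised offline. It is test data, not the real document.
func buildSampleDocx(templateTarget string, external bool) []byte {
	mode := ""
	if external {
		mode = ` TargetMode="External"`
	}
	parts := map[string]string{
		"[Content_Types].xml":          `<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`,
		"word/settings.xml":            `<?xml version="1.0"?><w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>`,
		"word/_rels/settings.xml.rels": `<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="` + attachedTemplateRel + `" Target="` + templateTarget + `"` + mode + `/></Relationships>`,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, _ := zw.Create(name)
		io.WriteString(w, body)
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	var doc []byte
	if len(os.Args) > 1 {
		// Real use: inspect a document from disk.
		var err error
		if doc, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	} else {
		// Demo on the constructed sample; the URL is a placeholder.
		doc = buildSampleDocx("https://template-host.example/template.dotm", true)
	}
	urls, err := RemoteTemplates(doc)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if len(urls) == 0 {
		fmt.Println("no external attached template")
	}
	for _, u := range urls {
		fmt.Println("remote attached template:", u)
	}
}
```

A document with a local template name (Normal.dotm, no TargetMode) produces no finding, so the check flags the technique rather than the mere presence of a template; it is cheap enough to run on every attachment or shared-link download at a mail or CASB gateway.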
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 578 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 579 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 580 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 581 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 582 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 583 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 584 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 585 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 586 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 587 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 588 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims into paying to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly by email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. By comparison, it is much harder to detect spam arriving through file sharing services without generating a large number of false positives.

The attacker claimed to be a manager and added the following comment to the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection: the .docx itself contains no macro, but its settings reference a remote template (template.dotm) that Word fetches and loads when the document is opened. That remote template is weaponized with a malicious macro and was uploaded to a free code hosting website (notabug.org). Because the macro lives in the template rather than in the document that is shared with the victim, a scan of the .docx alone shows nothing executable.

When the macro is executed, it does the following:

1. Gets the %APPDATA% directory.
2. Creates the Byxor directory in %APPDATA%.
3. Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
4. Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
5. Calls the VBA Shell function to execute killar.exe.
6. Checks the return value of Shell to see whether the launch succeeded (on success, the return value is the task ID of the started process).
7. If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
8. If not successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document and letting its macro run triggers a notification via the canarytokens.com website. Defenders typically use this type of service to be alerted when a particular event occurs; it can be very useful as an early warning that an intruder has gained access to a network.
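The template injection described above leaves a recoverable trace in the document itself: Word records the attached template as an attachedTemplate relationship in word/_rels/settings.xml.rels, and when that relationship has TargetMode="External" and an http(s) target, Word will fetch the template from the network. The following Go program is an added example written for this write-up (it is not code from the post or from the attacker) that unzips a .docx, parses that relationships part and reports external template targets. The minimal container it builds for itself is constructed test input, and the example.invalid URL is a placeholder, not the attacker's real path.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// settingsRels is the OOXML part in which Word records the template a
// document is attached to. Template injection points this relationship at a
// URL so that Word fetches the .dotm (and its macros) when the file opens.
const settingsRels = "word/_rels/settings.xml.rels"

type relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	XMLName xml.Name       `xml:"Relationships"`
	Rels    []relationship `xml:"Relationship"`
}

// ExternalTemplates returns every attachedTemplate relationship whose
// TargetMode is External. Local templates (file:// or UNC paths) are
// returned too, so the caller can decide what is suspicious; see IsHTTPTarget.
func ExternalTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a valid OOXML container: %w", err)
	}
	var targets []string
	for _, f := range zr.File {
		if f.Name != settingsRels {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, err
		}
		for _, r := range rels.Rels {
			if strings.HasSuffix(r.Type, "/attachedTemplate") && r.TargetMode == "External" {
				targets = append(targets, r.Target)
			}
		}
	}
	return targets, nil
}

// IsHTTPTarget reports whether Word would fetch the template over HTTP(S),
// the pattern used by the phishing document analysed above.
func IsHTTPTarget(target string) bool {
	t := strings.ToLower(strings.TrimSpace(target))
	return strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://")
}

// buildDocx constructs a minimal zip holding only the settings relationships
// part. It is scaffolding for this example, not a valid Word document; an
// empty target produces a container with no attached template at all.
func buildDocx(target string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create(settingsRels)
	fmt.Fprint(w, `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>`+"\n")
	fmt.Fprint(w, `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`+"\n")
	if target != "" {
		fmt.Fprintf(w, `<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="%s" TargetMode="External"/>`+"\n", target)
	}
	fmt.Fprint(w, `</Relationships>`)
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Constructed samples: a remote template, a normal local one, and none.
	for _, target := range []string{
		"https://example.invalid/raw/master/template.dotm",
		"file:///C:/Users/me/AppData/Roaming/Microsoft/Templates/Normal.dotm",
		"",
	} {
		targets, err := ExternalTemplates(buildDocx(target))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		if len(targets) == 0 {
			fmt.Println("no external template relationship")
		}
		for _, t := range targets {
			fmt.Printf("attachedTemplate -> %s (fetched over HTTP: %v)\n", t, IsHTTPTarget(t))
		}
	}
}
```

Running ExternalTemplates over a real sample requires only replacing buildDocx with os.ReadFile on the .docx; the check is cheap enough to run at a mail gateway or on a file share before a user ever opens the document.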
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

Once deployed, the ransomware starts encrypting the user's files and appending the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, whose entry point is the function denoted as 'main_main'. Other functions belonging to the main package have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Three of them map to the core routines:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (for example the content of the ransom note) are encrypted with XXTEA, using the xxtea-go library. Encrypted chunks are first decoded from Base64 and then decrypted with the hardcoded XXTEA key "STALKER". At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32 byte key) in GCM mode. The encryption routine is similar to the one demonstrated here. It uses a hardcoded key and a 12 byte nonce generated by CryptGenRandom.
The file content is encrypted with the gcm.Seal function. The output file (with the .VAGGEN extension) contains, in order:

the 12 byte nonce
the encrypted content
the 16 byte GCM tag

Go's gcm.Seal appends the authentication tag to the ciphertext, so the last two fields are simply Seal's output written after the nonce.

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart, my money". Because the key is the same for every victim and the nonce is stored in the clear at the start of each file, nothing per-victim has to be obtained from the attacker: using this key, we can easily decrypt the content. With all these elements, we can recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with the nice touch of adding canary tokens.

It's unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. It allowed us to paint a better picture of this attack and understand who the targets were.
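The .VAGGEN layout and hardcoded key described above are enough to write a decryptor. The Go program below is an added example written for this write-up, not the ransomware's code or a tool from the post: DecryptVaggen reverses the nonce || ciphertext || tag layout with crypto/cipher's GCM, and EncryptVaggen re-creates that layout with gcm.Seal (drawing the nonce from crypto/rand rather than CryptGenRandom) so the decryptor can be exercised offline on constructed input. The sample plaintext and file name are made up; the key is the one reported in the analysis.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// VaggenKey is the 32-byte key the analysis found hardcoded in the sample.
// Its length is what selects AES-256 in crypto/aes.
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	NonceSize = 12 // nonce generated per file and stored in the clear
	TagSize   = 16 // GCM authentication tag appended by gcm.Seal
)

// DecryptVaggen reverses the on-disk layout described above:
// nonce (12 bytes) || ciphertext || tag (16 bytes).
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < NonceSize+TagSize {
		return nil, errors.New("file too short to contain a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:NonceSize], blob[NonceSize:]
	// Open verifies the tag before releasing any plaintext, so a wrong key or
	// a truncated/corrupted file yields an error rather than garbage.
	return gcm.Open(nil, nonce, sealed, nil)
}

// EncryptVaggen re-creates the same layout with gcm.Seal so the decryptor can
// be tested offline. It is written for this example, not taken from the
// malware; the nonce comes from crypto/rand instead of CryptGenRandom.
func EncryptVaggen(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, NonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst; passing the nonce as dst gives the
	// nonce||ciphertext||tag buffer found in .VAGGEN files.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RestoredName strips the extension the ransomware appended.
func RestoredName(name string) string {
	return strings.TrimSuffix(name, ".VAGGEN")
}

func main() {
	// Constructed sample input, not a file recovered from a victim.
	original := []byte("Q3 budget: lab equipment 12,500 CAD")
	blob, err := EncryptVaggen(VaggenKey, original)
	if err != nil {
		panic(err)
	}
	fmt.Printf("budget.xlsx.VAGGEN: %d bytes = %d nonce + %d ciphertext + %d tag\n",
		len(blob), NonceSize, len(blob)-NonceSize-TagSize, TagSize)

	recovered, err := DecryptVaggen(VaggenKey, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s -> %q\n", RestoredName("budget.xlsx.VAGGEN"), recovered)

	// A flipped bit in the tag must be rejected, never silently "decrypted".
	blob[len(blob)-1] ^= 0x01
	if _, err := DecryptVaggen(VaggenKey, blob); err != nil {
		fmt.Println("tampered file rejected:", err)
	}
}
```

Because GCM authenticates the ciphertext, a recovery tool built on DecryptVaggen cannot produce a wrong plaintext on a partially overwritten file: it either returns the original bytes or an error, which is the property a responder wants before overwriting a victim's only copy. A real tool would wrap it in a path/filepath.Walk over the affected tree, mirroring the sample's own callback, and write each result to RestoredName(path).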
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 613 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 614 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 615 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 616 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 617 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 618 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 619 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 620 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 621 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 622 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 623 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 624 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 625 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and DropBox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

"Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!"

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether it was successful (the return value is the task ID of the executed application)
- If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted to a particular event. This can be very useful as an early warning system that an intruder has had access to a network.
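As an added example, not code from the original post or from the malware, here is a Go check a defender can run over a suspicious .docx to surface the template injection described above: it opens the OOXML container, reads word/_rels/settings.xml.rels and reports attachedTemplate relationships whose target is an http(s) URL (a local file:/// template such as Normal.dotm is not reported, to keep the check low-noise). The sample document builder and the placeholder template URL are constructed for the demonstration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// settingsRels is the OOXML part that carries the attachedTemplate relationship
// Word follows when it loads a template for a document.
const settingsRels = "word/_rels/settings.xml.rels"

// attachedTemplateType is the relationship type Word uses for an attached template.
const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// relationship mirrors one <Relationship> element of a .rels part.
type relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

// RemoteTemplates inspects a .docx (an OOXML zip) and returns the http(s)
// targets of attachedTemplate relationships, i.e. templates Word would fetch
// over the network when the document is opened.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a zip/OOXML container: %w", err)
	}
	var remote []string
	for _, f := range zr.File {
		if f.Name != settingsRels {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("malformed %s: %w", settingsRels, err)
		}
		for _, r := range rels.Rels {
			if r.Type != attachedTemplateType || !strings.EqualFold(r.TargetMode, "External") {
				continue
			}
			u, err := url.Parse(strings.TrimSpace(r.Target))
			if err != nil {
				continue
			}
			// Only network-fetched templates are interesting; file:/// is the
			// normal case for a locally attached template.
			switch strings.ToLower(u.Scheme) {
			case "http", "https":
				remote = append(remote, r.Target)
			}
		}
	}
	return remote, nil
}

// BuildSampleDocx builds a minimal, constructed OOXML container holding only the
// settings relationship part so the detector can be exercised offline. It is
// not a real Word document.
func BuildSampleDocx(target, mode string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create(settingsRels)
	fmt.Fprintf(w, `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="%s"/>
</Relationships>`, attachedTemplateType, target, mode)
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Constructed placeholder URL; the real campaign hosted template.dotm on notabug.org.
	doc := BuildSampleDocx("https://template-host.invalid/template.dotm", "External")
	hits, err := RemoteTemplates(doc)
	fmt.Println(hits, err)
}
```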
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Golang function path/filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 bytes long nonce generated by CryptGenRandom.
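As an added example, not code from the original post or from the malware, here is a Go recovery routine built on what the analysis reports: the hardcoded 32-byte key “du_tar_mitt_hjart_mina_pengarna0”, AES-256-GCM with a 12-byte nonce, and a .VAGGEN file laid out as nonce, then ciphertext, then the 16-byte GCM tag. The sealSample helper only produces constructed test input using the standard-library gcm.Seal idiom and is not the ransomware's code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// VaggenKey is the hardcoded 32-byte AES-256 key reported in the analysis.
const VaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

// Layout of a .VAGGEN file as described: nonce || ciphertext || GCM tag.
const (
	nonceSize = 12
	tagSize   = 16
)

// DecryptVaggen authenticates and decrypts the raw contents of a .VAGGEN file.
// A wrong key, a truncated file or any modified byte fails GCM authentication
// and returns an error instead of garbage.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to contain a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // 12-byte nonce, 16-byte tag by default
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	return gcm.Open(nil, nonce, sealed, nil)
}

// OriginalName strips the .VAGGEN extension (case-insensitively); ok is false
// when the name does not carry it, so unrelated files are left alone.
func OriginalName(name string) (string, bool) {
	if !strings.HasSuffix(strings.ToUpper(name), ".VAGGEN") {
		return name, false
	}
	return name[:len(name)-len(".VAGGEN")], true
}

// sealSample produces a constructed .VAGGEN-style blob for testing the decryptor.
// gcm.Seal(nonce, nonce, plaintext, nil) yields exactly the
// nonce || ciphertext || tag layout the analysis describes.
func sealSample(plaintext, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RoundTrip is a self-check: seal a constructed document, decrypt it with the
// reported key, and confirm the plaintext is restored.
func RoundTrip(plaintext []byte) (bool, error) {
	blob, err := sealSample(plaintext, []byte(VaggenKey))
	if err != nil {
		return false, err
	}
	got, err := DecryptVaggen(blob, []byte(VaggenKey))
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, plaintext), nil
}

func main() {
	ok, err := RoundTrip([]byte("constructed sample document"))
	fmt.Println(ok, err)
}
```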
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12 bytes long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 648 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 649 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 650 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 651 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 652 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 653 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 654 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 655 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 656 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 657 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 658 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 659 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 660 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 661 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 662 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 663 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. However, this attack, and the motives behind it, differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to determine whether the launch succeeded (on success, the return value is the task ID of the executed application)
- If successful, sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event; it can be very useful as an early warning system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Based on their behavior, the main ones map as follows:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (such as the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 byte long nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) consists of:

- the 12 byte long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
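The recovery described above, as an added Go example that is not the malware's code or Malwarebytes' own tooling: a .VAGGEN file is parsed as nonce (12 bytes) || ciphertext || GCM tag (16 bytes) and opened with the hardcoded 32 byte key. The key and layout are the ones stated in the analysis; sealLikeVaggen is a constructed fixture that produces the same layout so the decryptor can be exercised offline, and the sample content is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Layout of a .VAGGEN file as described in the analysis: nonce || ciphertext || tag.
const (
	vaggenNonceLen = 12 // GCM standard nonce size used by the sample
	vaggenTagLen   = 16 // GCM authentication tag appended by gcm.Seal
	vaggenExt      = ".VAGGEN"
)

// vaggenKey is the hardcoded AES-256 key quoted in the analysis (exactly 32 bytes).
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

// newGCM builds an AES-GCM instance; aes.NewCipher rejects keys that are not
// 16, 24 or 32 bytes, so a typo in the key surfaces here rather than as garbage output.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// decryptVaggen recovers the plaintext of one encrypted file body.
// The tag is verified by gcm.Open, so a truncated or corrupted file returns an
// error instead of silently producing a damaged "recovered" document.
func decryptVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < vaggenNonceLen+vaggenTagLen {
		return nil, errors.New("file too short to contain a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:vaggenNonceLen], blob[vaggenNonceLen:]
	// gcm.Open expects ciphertext||tag, which is exactly what follows the nonce.
	return gcm.Open(nil, nonce, sealed, nil)
}

// restoreName strips the appended .VAGGEN extension to get the original file name.
// ok is false when the name does not carry the extension, so callers can skip it.
func restoreName(name string) (original string, ok bool) {
	if !strings.HasSuffix(name, vaggenExt) {
		return name, false
	}
	return strings.TrimSuffix(name, vaggenExt), true
}

// sealLikeVaggen is a constructed test fixture (not the malware's code) that writes
// the same nonce||ciphertext||tag layout with a random nonce, so decryptVaggen can
// be tested without any real sample.
func sealLikeVaggen(plaintext, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, vaggenNonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce used as dst, giving the file layout.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	// Constructed sample content standing in for a victim's file.
	blob, err := sealLikeVaggen([]byte("constructed sample document body"), vaggenKey)
	if err != nil {
		panic(err)
	}
	name, _ := restoreName("report.docx" + vaggenExt)
	plaintext, err := decryptVaggen(blob, vaggenKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: recovered %d bytes: %q\n", name, len(plaintext), plaintext)
}
```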
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 682 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 683 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 684 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 685 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 686 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 687 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 688 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 689 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 690 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 691 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 692 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 693 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 694 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 695 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 696 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 697 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 698 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 699 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 700 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 701 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 702 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero. In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 703 of 3467 However, this attack and motives are different than the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files. On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team. 
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and DropBox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much harder to detect spam arriving through file sharing services without generating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. The .docx itself carries no macro; it only holds a relationship that points Word at the remote template, which is fetched when the document is opened. That template was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of Shell to see whether the launch succeeded (on success, Shell returns the task ID of the started program)
- If successful, sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn't successful, sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event; it can be very useful as an early warning system that an intruder has gained access to a network.
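Because the template-injection pointer lives in the document's relationship parts rather than in a macro, it can be checked without opening the file in Word. The Go program below is an added example (not code from the original post, not the threat actor's code): it reads a .docx as a zip archive, parses word/_rels/settings.xml.rels (and document.xml.rels), and reports any attachedTemplate relationship whose TargetMode is External and whose target is an http(s) URL or a UNC path. A local template, which Word records as a file:///C:\... target, is not flagged. The minimal document it builds in memory, including the example.invalid URL, is constructed for the demonstration and is not the UBC sample.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Relationship parts in which Word records an attached template.
var relParts = map[string]bool{
	"word/_rels/settings.xml.rels": true,
	"word/_rels/document.xml.rels": true,
}

// Targets that make Word fetch the template from another host at open time.
// A local template normally appears as file:///C:\..., which is not flagged.
var remoteTarget = regexp.MustCompile(`(?i)^(https?://|\\\\|file://[^/])`)

type relationship struct {
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

// FindRemoteTemplates returns the remote attachedTemplate targets found in a
// .docx/.dotx byte slice. An external http(s) or UNC target is the
// template-injection technique used by the phishing document.
func FindRemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML package: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if !relParts[f.Name] {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if strings.HasSuffix(r.Type, "/attachedTemplate") &&
				r.TargetMode == "External" && remoteTarget.MatchString(r.Target) {
				hits = append(hits, r.Target)
			}
		}
	}
	return hits, nil
}

// BuildSampleDocx constructs a minimal fake .docx whose settings part attaches
// the given template. It exists only to give the example something to scan.
func BuildSampleDocx(templateTarget string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	parts := map[string]string{
		"[Content_Types].xml":          `<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/></Types>`,
		"_rels/.rels":                  `<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>`,
		"word/document.xml":            `<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>`,
		"word/settings.xml":            `<?xml version="1.0" encoding="UTF-8"?><w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>`,
		"word/_rels/settings.xml.rels": `<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="` + templateTarget + `" TargetMode="External"/></Relationships>`,
	}
	for name, body := range parts {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Constructed URL; the real sample pointed at a raw file on notabug.org.
	doc := BuildSampleDocx("http://example.invalid/Word-Templates/raw/master/template.dotm")
	hits, err := FindRemoteTemplates(doc)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Println("remote template injection:", h)
	}
}
```

Run it against a quarantined .docx by replacing the constructed bytes with os.ReadFile of the sample; a hit means Word would reach out to that host before any macro warning is shown, so the URL is worth blocking and hunting for in proxy logs regardless of whether the template itself was recovered.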
In this attack, the attacker is probably interested in how many recipients opened the document and perhaps where they are located.

Vaggen ransomware

Once deployed, the ransomware starts encrypting the user's files and appends the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Three of them were identified by their behaviour:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (for example, the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64, then decrypted with the hardcoded XXTEA key "STALKER". At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) contains, in order:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart, my money". Using this key, we can easily decrypt the content. With all these elements, we can recover encrypted files without having to pay the ransom: because the key is embedded in the binary and is the same for every victim, there is no per-victim secret to obtain from the attacker, and the GCM tag lets a decryptor verify that recovery succeeded.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It's unclear at this point whether the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
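The ransom note and other strings in the Vaggen binary are stored Base64-encoded and XXTEA-encrypted under the key "STALKER", as described in the Vaggen ransomware section above. The Go program below is an added example (not the malware's code and not from the original post) of that decoding step: it implements XXTEA (corrected Block TEA) with the framing used by the xxtea-go family of libraries, namely little-endian 32-bit words, a trailing word holding the plaintext length, and a key zero-padded to 16 bytes. That framing is an assumption to verify against the sample. EncodeVaggenString exists only so the example can produce its own test input; the sample string is constructed.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

const delta = 0x9e3779b9

// Hardcoded XXTEA key from the sample. XXTEA uses a 128-bit key, so the
// 7-byte string is zero-padded to 16 bytes (xxtea-go behaviour, assumed here).
var StringKey = []byte("STALKER")

// toWords packs bytes into little-endian uint32 words; with withLen it
// appends a word holding the byte length so the plaintext can be trimmed.
func toWords(data []byte, withLen bool) []uint32 {
	n := (len(data) + 3) / 4
	if withLen {
		n++
	}
	v := make([]uint32, n)
	for i, b := range data {
		v[i/4] |= uint32(b) << (uint(i%4) * 8)
	}
	if withLen {
		v[n-1] = uint32(len(data))
	}
	return v
}

// toBytes unpacks words. With withLen it only accepts a trailing length word
// that fits the buffer, which is how a wrong key is usually detected.
func toBytes(v []uint32, withLen bool) ([]byte, error) {
	n := len(v) * 4
	if withLen {
		m := int(v[len(v)-1])
		if m < n-7 || m > n-4 {
			return nil, errors.New("length word out of range: wrong key or corrupt data")
		}
		n = m
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = byte(v[i/4] >> (uint(i%4) * 8))
	}
	return out, nil
}

func padKey(key []byte) []uint32 {
	fixed := make([]byte, 16)
	copy(fixed, key)
	return toWords(fixed, false)
}

// mx is the XXTEA mixing function (corrected Block TEA, Needham and Wheeler).
func mx(sum, y, z, p, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[p&3^e] ^ z))
}

func xxteaEncrypt(v, k []uint32) []uint32 {
	n := uint32(len(v)) - 1
	z, sum := v[n], uint32(0)
	for q := 6 + 52/(n+1); q > 0; q-- {
		sum += delta
		e := sum >> 2 & 3
		var p uint32
		for p = 0; p < n; p++ {
			v[p] += mx(sum, v[p+1], z, p, e, k)
			z = v[p]
		}
		v[n] += mx(sum, v[0], z, p, e, k)
		z = v[n]
	}
	return v
}

func xxteaDecrypt(v, k []uint32) []uint32 {
	n := uint32(len(v)) - 1
	y := v[0]
	for sum := (6 + 52/(n+1)) * delta; sum != 0; sum -= delta {
		e := sum >> 2 & 3
		var p uint32
		for p = n; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n], p, e, k)
		y = v[0]
	}
	return v
}

// DecodeVaggenString reverses the string protection: Base64, then XXTEA.
func DecodeVaggenString(b64 string, key []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw) < 4 || len(raw)%4 != 0 {
		return "", errors.New("ciphertext must be a non-empty multiple of 4 bytes")
	}
	plain, err := toBytes(xxteaDecrypt(toWords(raw, false), padKey(key)), true)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// EncodeVaggenString builds test input in the same format (example only).
func EncodeVaggenString(s string, key []byte) string {
	raw, _ := toBytes(xxteaEncrypt(toWords([]byte(s), true), padKey(key)), false)
	return base64.StdEncoding.EncodeToString(raw)
}

func main() {
	enc := EncodeVaggenString("Your files have been encrypted (constructed sample)", StringKey)
	dec, err := DecodeVaggenString(enc, StringKey)
	fmt.Printf("blob=%s\ndecoded=%q err=%v\n", enc, dec, err)
}
```

To decode strings pulled from a real sample, feed each Base64 chunk found next to the XXTEA call sites to DecodeVaggenString; a length-word error means either the framing assumption above is wrong for that build or the chunk is not one of the protected strings.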
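To make the file recovery concrete, here is an added Go example (not the malware's code and not a tool from the original post) that reverses the .VAGGEN layout described above: it splits the file into the 12-byte nonce, the ciphertext and the 16-byte tag, and opens it with AES-256-GCM under the hardcoded key. EncryptLikeVaggen only reproduces the same layout so the example can generate its own input; the sample plaintext is constructed. Because GCM authenticates the data, a wrong key or a truncated file fails with an error instead of producing garbage, which is what makes a bulk decryptor safe to run.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// Hardcoded AES-256 key recovered from the Vaggen sample (32 bytes).
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	nonceSize = 12 // standard GCM nonce; the malware fills it from CryptGenRandom
	tagSize   = 16 // GCM authentication tag appended by gcm.Seal
	vaggenExt = ".VAGGEN"
)

// DecryptVaggen takes the raw content of a .VAGGEN file laid out as
// nonce || ciphertext || tag and returns the original plaintext.
// gcm.Open verifies the tag, so a wrong key or damaged file returns an error.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("blob too short to hold a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	return gcm.Open(nil, nonce, sealed, nil)
}

// EncryptLikeVaggen reproduces the on-disk layout (nonce || ciphertext || tag)
// so the example can create its own input. It is a re-implementation of the
// described format, not the malware's function.
func EncryptLikeVaggen(plain, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// RestoreFile decrypts a .VAGGEN file next to itself under the original name
// and leaves the encrypted copy in place, so a failed write loses nothing.
func RestoreFile(path string) (string, error) {
	if !strings.HasSuffix(path, vaggenExt) {
		return "", fmt.Errorf("%s does not carry the %s extension", path, vaggenExt)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plain, err := DecryptVaggen(blob, VaggenKey)
	if err != nil {
		return "", fmt.Errorf("%s: %w", path, err)
	}
	out := strings.TrimSuffix(path, vaggenExt)
	if err := os.WriteFile(out, plain, 0o600); err != nil {
		return "", err
	}
	return out, nil
}

func main() {
	// Constructed sample plaintext for the demo.
	plain := []byte("quarterly-budget.xlsx contents (constructed sample)")
	blob, err := EncryptLikeVaggen(plain, VaggenKey)
	if err != nil {
		panic(err)
	}
	got, err := DecryptVaggen(blob, VaggenKey)
	fmt.Printf("recovered=%q err=%v\n", got, err)
	// A wrong key does not yield garbage: the GCM tag check fails.
	_, err = DecryptVaggen(blob, []byte("00000000000000000000000000000000"))
	fmt.Println("wrong key:", err)
}
```

For a real cleanup, walk the affected tree (filepath.Walk, the same primitive the malware used) and call RestoreFile on every .VAGGEN path; only delete the encrypted copies once every file has decrypted without an authentication error.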
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 719 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 720 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 721 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 722 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 723 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 724 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 725 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 726 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 727 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 728 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 729 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 730 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 731 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 732 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 733 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 734 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 735 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 736 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 737 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 738 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 739 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 740 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 741 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 742 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether the launch succeeded (the return value would be the task ID of the executed application)
- If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning system that an intruder has had access to a network.
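A defender-side check for the template injection described above, added here as an example and not part of the original post: it opens the OOXML container of a .docx/.dotm and lists every attachedTemplate relationship that points outside the package, which is the mechanism by which this lure fetched template.dotm. The function names, the constructed in-memory container and the placeholder URL are assumptions made for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Relationship type that links a Word document to its attached template. Template
// injection points it at a remote file that Word fetches and loads on open.
const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// relationships maps an OOXML relationship part such as word/_rels/settings.xml.rels.
type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// looksRemote flags URL and UNC targets even if TargetMode="External" is missing.
func looksRemote(target string) bool {
	t := strings.ToLower(target)
	return strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") ||
		strings.HasPrefix(t, "file://") || strings.HasPrefix(t, `\\`)
}

// RemoteTemplates returns every attachedTemplate target in a .docx/.dotm that would
// be loaded from outside the container; a non-zip input is reported as an error.
func RemoteTemplates(doc []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML (zip) container: %w", err)
	}
	var found []string
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			continue // malformed part: skip it rather than abort the scan
		}
		for _, r := range rels.Rels {
			if r.Type != attachedTemplateType {
				continue
			}
			if strings.EqualFold(r.TargetMode, "External") || looksRemote(r.Target) {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

// buildSampleDocx constructs a minimal in-memory container for testing, holding one
// attachedTemplate relationship (targetMode == "" omits the attribute). The target
// is a placeholder supplied by the caller, not a real indicator.
func buildSampleDocx(target, targetMode string) []byte {
	mode := ""
	if targetMode != "" {
		mode = ` TargetMode="` + targetMode + `"`
	}
	parts := map[string]string{
		"word/document.xml": `<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>`,
		"word/_rels/settings.xml.rels": `<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` +
			`<Relationship Id="rId1" Type="` + attachedTemplateType + `" Target="` + target + `"` + mode + `/></Relationships>`,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	doc := buildSampleDocx("https://example.invalid/template.dotm", "External")
	fmt.Println(RemoteTemplates(doc))
}
```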
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Three of them map to the following roles:

- main_LAMNARDETTA -> main_enumDir
- main_ELDBJORT -> main_encryptFile
- main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64; the XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go library function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function. The output file (with the .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
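The recovery the write-up says is possible, written out as an added Go example (not the authors' tooling and not the malware's code): it parses the nonce || ciphertext || tag layout of a .VAGGEN file and opens it with the quoted 32-byte key, letting gcm.Open's tag check reject wrong-key or damaged input. The RecoverFile wrapper, the makeFixture helper (used only to construct test input) and all names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Key as quoted in the write-up: 32 bytes, so aes.NewCipher selects AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // nonce stored at the start of every .VAGGEN file
	tagSize   = 16 // GCM tag that gcm.Seal appends to the ciphertext
	vaggenExt = ".VAGGEN"
)

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(vaggenKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
}

// DecryptVaggen takes the raw bytes of a .VAGGEN file, laid out as
// nonce || ciphertext || tag, and returns the original file content.
func DecryptVaggen(blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("input too short to contain a nonce and a GCM tag")
	}
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce, body := blob[:nonceSize], blob[nonceSize:]
	// Open verifies the trailing tag before releasing any plaintext, so a file
	// encrypted under another key, truncated or otherwise damaged is rejected
	// instead of being turned into garbage output.
	plaintext, err := gcm.Open(nil, nonce, body, nil)
	if err != nil {
		return nil, fmt.Errorf("GCM authentication failed (wrong key or damaged file): %w", err)
	}
	return plaintext, nil
}

// RecoverFile decrypts path (which must end in .VAGGEN) and writes the result
// next to it under the original name. It never overwrites an existing file and
// leaves the encrypted copy in place as evidence. Returns the restored path.
func RecoverFile(path string) (string, error) {
	if !strings.HasSuffix(path, vaggenExt) {
		return "", fmt.Errorf("%s does not carry the %s extension", path, vaggenExt)
	}
	out := strings.TrimSuffix(path, vaggenExt)
	if _, err := os.Stat(out); err == nil {
		return "", fmt.Errorf("refusing to overwrite existing %s", out)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plaintext, err := DecryptVaggen(blob)
	if err != nil {
		return "", fmt.Errorf("%s: %w", path, err)
	}
	return out, os.WriteFile(out, plaintext, 0o600)
}

// makeFixture reproduces the observed layout purely to build constructed test
// input; crypto/rand stands in for the CryptGenRandom call used by the sample.
func makeFixture(plaintext []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst; starting dst with the nonce yields
	// exactly nonce || ciphertext || tag.
	out := make([]byte, nonceSize, nonceSize+len(plaintext)+tagSize)
	copy(out, nonce)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

func main() {
	blob, err := makeFixture([]byte("constructed sample document content"))
	if err != nil {
		panic(err)
	}
	got, err := DecryptVaggen(blob)
	fmt.Printf("recovered %q (err=%v)\n", got, err)
}
```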
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 753 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 754 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 755 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 756 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 757 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. 
With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 758 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 759 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 760 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 761 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 762 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 763 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 764 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 765 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 766 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 767 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 768 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 769 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 770 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 771 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 772 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 773 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 774 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 775 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 776 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 777 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 778 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 779 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 780 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 781 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 782 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero. In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 783 of 3467 However, this attack and motives are different than the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files. On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team. 
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam originating from file-sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file-sharing invitation (shared with us by UBC):

“Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!”

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute Killar.exe
Checks the return value of Shell to see whether the launch succeeded (on success, Shell returns the task ID of the started program)
If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn’t successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted to a particular event; it can be very useful as an early warning that an intruder has gained access to a network.
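The template-injection step above leaves a static artifact inside the .docx itself, before any macro runs: an attachedTemplate relationship in word/_rels/settings.xml.rels whose target is an external URL rather than a local template path. The Go program below is an added example, not code from the original post or from Malwarebytes, that applies that check. It builds two minimal .docx files in memory (a .docx is a zip), one with an injected remote template and one with a benign local template, and flags only the remote one. The parts, file names and the example.invalid URL are constructed placeholders, not the page's IOCs.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// RemoteTemplate is one attachedTemplate relationship whose target is fetched over the network.
type RemoteTemplate struct{ ID, Target string }

type relationships struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// FindRemoteTemplates treats the .docx as the zip it is and inspects
// word/_rels/settings.xml.rels, the part that binds w:attachedTemplate to a target.
// A benign document has no attachedTemplate, or one pointing at a local path; an
// http(s) or UNC target means Word will fetch (and run macros from) a remote file.
func FindRemoteTemplates(docx []byte) ([]RemoteTemplate, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, err
	}
	var found []RemoteTemplate
	for _, f := range zr.File {
		if f.Name != "word/_rels/settings.xml.rels" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, err
		}
		for _, r := range rels.Rels {
			t := strings.ToLower(r.Target)
			remote := strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") || strings.HasPrefix(t, `\\`)
			if strings.HasSuffix(r.Type, "/attachedTemplate") && r.TargetMode == "External" && remote {
				found = append(found, RemoteTemplate{ID: r.ID, Target: r.Target})
			}
		}
	}
	return found, nil
}

// buildDocx assembles a minimal in-memory .docx with only the parts the check needs.
// It exists so the example runs offline; the parts are constructed, not taken from the sample.
func buildDocx(relsXML string) []byte {
	const w = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
	parts := map[string]string{
		"[Content_Types].xml":          `<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`,
		"word/document.xml":            `<w:document xmlns:w="` + w + `"><w:body/></w:document>`,
		"word/settings.xml":            `<w:settings xmlns:w="` + w + `" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>`,
		"word/_rels/settings.xml.rels": relsXML,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		f, _ := zw.Create(name)
		f.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

// Constructed relationship parts: an injected remote template (placeholder URL, not one of
// the page's IOCs) and a benign template on the local disk.
const (
	relsPrefix = `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" TargetMode="External" Target="`
	relsRemote = relsPrefix + `https://example.invalid/raw/master/template.dotm"/></Relationships>`
	relsLocal  = relsPrefix + `file:///C:\Users\staff\Templates\Normal.dotm"/></Relationships>`
)

func main() {
	for _, rels := range []string{relsRemote, relsLocal} {
		hits, err := FindRemoteTemplates(buildDocx(rels))
		fmt.Printf("remote templates: %v (err=%v)\n", hits, err)
	}
}
```

A mail gateway or sandbox can run this check on the attachment before Word ever requests the template, which is earlier than any macro-based detection. The check also flags UNC targets, since a \\server\share\template.dotm reference is fetched remotely just like an http(s) one.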
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Three of these map to recognizable routines:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encryption and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
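The recovery this analysis makes possible, as an added example that is not the post’s code or the malware’s: a Go decryptor for the .VAGGEN layout the analysis gives (12-byte nonce, then the ciphertext, then the 16-byte GCM tag) using the reported hardcoded key. sealVaggen only builds a constructed fixture in that layout so the decryptor can be exercised offline; the sample text is invented.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// vaggenKey is the 32-byte key the analysis reports as hardcoded in the sample
// (a 32-byte key selects AES-256 in crypto/aes).
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	nonceSize = 12 // GCM nonce stored at the start of every .VAGGEN file
	tagSize   = 16 // GCM tag that gcm.Seal leaves at the end of the ciphertext
)

// newGCM builds the AES-GCM instance used in both directions.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// decryptVaggen recovers the plaintext of one .VAGGEN blob laid out as
// nonce || ciphertext || tag. gcm.Open verifies the tag, so a truncated or
// corrupted file, or a wrong key, returns an error instead of silent garbage.
func decryptVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("blob too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	plain, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("authentication failed (wrong key or damaged file): %w", err)
	}
	return plain, nil
}

// sealVaggen builds a constructed fixture in the same layout so the decryptor
// can be exercised offline. It stands in for the sample's gcm.Seal call; the
// nonce comes from crypto/rand here rather than CryptGenRandom.
func sealVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag after the nonce already placed in out.
	out := append([]byte{}, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

func main() {
	sample := []byte("constructed sample document body") // invented content
	blob, err := sealVaggen(vaggenKey, sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("fixture: %d bytes = %d nonce + %d ciphertext + %d tag\n",
		len(blob), nonceSize, len(sample), tagSize)

	recovered, err := decryptVaggen(vaggenKey, blob)
	fmt.Printf("with hardcoded key: %q err=%v\n", recovered, err)

	// A corrupted tag must be rejected rather than yield plausible plaintext.
	damaged := append([]byte{}, blob...)
	damaged[len(damaged)-1] ^= 0x01
	_, err = decryptVaggen(vaggenKey, damaged)
	fmt.Println("with damaged tag: err =", err)
}
```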
The file content is encrypted with the help of the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
If successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn’t successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
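A check a defender can run on inbound documents for the template injection described above, added here as an example in Go (not the post's analysis tooling nor the malware's code): it opens the .docx as a zip, parses every .rels part, and reports attachedTemplate relationships whose TargetMode is External, marking http(s) targets as remote. The sample relationship XML, the minimal package built around it and the code-host.example URL are constructed placeholders, not the campaign's real files.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Relationship type Word uses for an attached template. With TargetMode External and a
// URL target, Word fetches the .dotm (macros included) on open: the injection the post describes.
const attachedTemplateRel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// TemplateRef is one external attachedTemplate reference. Remote is true for http(s) targets;
// file:// targets are normal for locally attached templates (UNC paths are not classified here).
type TemplateRef struct {
	Target string
	Remote bool
}

type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// RemoteTemplates scans every .rels part of a .docx given as bytes and returns its external
// attachedTemplate references; an empty result means the document loads no external template.
func RemoteTemplates(docx []byte) ([]TemplateRef, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, err
	}
	var refs []TemplateRef
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if r.Type != attachedTemplateRel || !strings.EqualFold(r.TargetMode, "External") {
				continue
			}
			t := strings.ToLower(r.Target)
			remote := strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://")
			refs = append(refs, TemplateRef{Target: r.Target, Remote: remote})
		}
	}
	return refs, nil
}

// Constructed settings.xml.rels samples: a remote template (placeholder URL, not the
// campaign's real one) and a benign template attached from the local disk.
const InjectedRels = `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="` + attachedTemplateRel + `" Target="https://code-host.example/raw/master/template.dotm" TargetMode="External"/></Relationships>`

const LocalRels = `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="` + attachedTemplateRel + `" Target="file:///C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm" TargetMode="External"/></Relationships>`

// BuildSampleDocx wraps the given settings.xml.rels in a minimal zip so the check can run
// offline. Constructed for the demo; a real document carries many more parts.
func BuildSampleDocx(settingsRels string) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create("word/_rels/settings.xml.rels")
	if err != nil {
		return nil, err
	}
	if _, err := io.WriteString(w, settingsRels); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	for _, rels := range []string{InjectedRels, LocalRels} {
		doc, _ := BuildSampleDocx(rels)
		refs, err := RemoteTemplates(doc)
		fmt.Printf("%+v %v\n", refs, err)
	}
}
```

Run against real documents, a reference flagged Remote is the thing to quarantine; a file:// reference to a local template is the usual benign shape and is still reported so an analyst can look at it.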
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”).

At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 bytes long nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

the 12 bytes long nonce
the encrypted content
the 16 byte long GCM Tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
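An added example in Go (not the post's own recovery tooling) of the file recovery the Vaggen ransomware section describes: it reads a .VAGGEN file laid out as nonce || ciphertext || GCM tag, decrypts it with the hardcoded AES-256 key quoted in the post, and walks a directory with filepath.Walk the way the malware does, writing each file back under its original name only after the tag has verified. The plaintext and file names are constructed; the MakeVaggenSample helper exists only to build a test vector in the same layout.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Key the post reports hardcoded in the sample; its 32 bytes select AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // nonce length reported in the post (generated with CryptGenRandom)
	tagSize   = 16 // GCM tag that gcm.Seal appends to the ciphertext
	vaggenExt = ".VAGGEN"
)

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(vaggenKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RecoverVaggen takes a .VAGGEN blob laid out as nonce || ciphertext || tag and returns the
// original content. gcm.Open verifies the tag, so a truncated or corrupted file fails closed
// instead of producing garbage.
func RecoverVaggen(blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	// Everything after the nonce is ciphertext with the tag at the end.
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// MakeVaggenSample builds a blob in the same layout so the recovery routine can be exercised
// offline. Constructed test helper, not the malware's own code.
func MakeVaggenSample(plaintext []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst; passing the nonce as dst yields the on-disk layout.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RecoverTree walks a directory (the same filepath.Walk the post mentions), writes each
// *.VAGGEN file back under its original name and returns how many were recovered. The
// encrypted copy is left in place so a failed write loses nothing.
func RecoverTree(root string) (int, error) {
	recovered := 0
	walk := func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !strings.HasSuffix(path, vaggenExt) {
			return err
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		plain, err := RecoverVaggen(blob)
		if err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		if err := os.WriteFile(strings.TrimSuffix(path, vaggenExt), plain, 0o600); err != nil {
			return err
		}
		recovered++
		return nil
	}
	err := filepath.Walk(root, walk)
	return recovered, err
}

func main() {
	dir, err := os.MkdirTemp("", "vaggen-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	blob, _ := MakeVaggenSample([]byte("constructed sample document\n"))
	_ = os.WriteFile(filepath.Join(dir, "notes.txt"+vaggenExt), blob, 0o600)
	n, err := RecoverTree(dir)
	fmt.Println("recovered:", n, "err:", err)
}
```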
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 836 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 837 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 838 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 839 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 840 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 841 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 842 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 843 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 844 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 845 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 846 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 847 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 848 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 849 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 850 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 851 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 852 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 853 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 854 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 855 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 856 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 857 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims into paying to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

1. Gets the %APPDATA% directory
2. Creates the Byxor directory in %APPDATA%
3. Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
4. Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
5. Calls the Shell function to execute killar.exe
6. Checks the return value of Shell to see whether the launch succeeded (on success, the return value is the task ID of the executed application)
7. If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
8. If it isn’t successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Three of them can be renamed according to what they do:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64, then decrypted with the hardcoded XXTEA key “STALKER”. At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Go library function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 878 of 3467 We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 879 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 880 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 881 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 882 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 883 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 884 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 885 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 886 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 887 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 888 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 889 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 890 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 891 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 892 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 893 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 894 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 895 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 896 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 897 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 898 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to determine whether it was successful (the return value would be the task ID of the executed application)
- If successful, sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning system that an intruder has had access to a network.
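The template injection described above leaves a visible trace inside the .docx itself: a relationship in word/_rels/settings.xml.rels whose type is attachedTemplate and whose target is an external URL. The following is an added example (not code from the post, from Malwarebytes or from the threat actor) showing how a defender can scan a document for that relationship offline. It builds a minimal constructed .docx container in memory; the URL template-host.example is a placeholder, not one of the post's IOCs, and FindRemoteTemplates and BuildSampleDocx are names chosen here.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// relationships mirrors an OOXML .rels part. A remote template appears in
// word/_rels/settings.xml.rels as an attachedTemplate relationship whose
// TargetMode is "External" and whose Target is a URL.
type relationships struct {
	Items []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// FindRemoteTemplates opens a .docx (a ZIP container) held in memory and
// returns every external attachedTemplate target it declares. A normal
// document has none; any hit is the template-injection pattern described
// above, and the URL is what Word will fetch when the document is opened.
func FindRemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a ZIP container: %w", err)
	}
	var remote []string
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue // relationships only live in .rels parts
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			continue // a malformed part is not evidence either way
		}
		for _, r := range rels.Items {
			if strings.HasSuffix(r.Type, "/attachedTemplate") && strings.EqualFold(r.TargetMode, "External") {
				remote = append(remote, r.Target)
			}
		}
	}
	return remote, nil
}

// BuildSampleDocx assembles a minimal constructed .docx container in memory
// (only the parts the scanner looks at). A non-empty remoteTemplate wires the
// attached template to that URL; "" yields a document with no template.
func BuildSampleDocx(remoteTemplate string) []byte {
	const relNS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
	settings := `<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:r="` + relNS + `">`
	rels := `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`
	if remoteTemplate != "" {
		settings += `<w:attachedTemplate r:id="rId1"/>`
		rels += `<Relationship Id="rId1" Type="` + relNS + `/attachedTemplate" Target="` + remoteTemplate + `" TargetMode="External"/>`
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range map[string]string{
		"word/settings.xml":            settings + `</w:settings>`,
		"word/_rels/settings.xml.rels": rels + `</Relationships>`,
	} {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Constructed sample; template-host.example is a placeholder, not an IOC from the post.
	urls, err := FindRemoteTemplates(BuildSampleDocx("http://template-host.example/template.dotm"))
	if err != nil {
		panic(err)
	}
	for _, u := range urls {
		fmt.Println("remote template reference:", u)
	}
}
```

Pointing FindRemoteTemplates at a real attachment (os.ReadFile of the .docx) is enough to flag this technique before the document is ever opened; the check is static, needs no macro emulation, and the returned URL is the IOC to block and hunt for in proxy logs.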
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function path.filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 byte long nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12 byte long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
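Because the key is hardcoded and the .VAGGEN layout (12-byte nonce, ciphertext, 16-byte GCM tag) is fully described above, recovery needs nothing beyond the Go standard library, which is why the files can be restored without paying. The following is an added example, not the malware's code and not a Malwarebytes tool: it implements the decryption the analysis describes using the quoted key and layout, and builds its own constructed sample blob so it runs offline. DecryptVaggen, DecryptVaggenFile and sealLikeVaggen are names chosen here; sealLikeVaggen exists only to produce a test blob in the same layout.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"strings"
)

// A .VAGGEN file, as described in the analysis, is laid out as
//   [12-byte nonce][ciphertext][16-byte GCM tag]
// gcm.Seal already appends the tag, so the file is nonce || gcm.Seal(plaintext).
const (
	vaggenNonceSize = 12
	vaggenTagSize   = 16
)

// VaggenKey is the hardcoded AES-256 key quoted in the analysis (32 bytes).
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

// DecryptVaggen recovers the plaintext of one encrypted file held in memory.
// GCM is authenticated, so a wrong key or a truncated/corrupted file fails
// closed with an error instead of silently producing garbage.
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	if len(blob) < vaggenNonceSize+vaggenTagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // standard GCM: 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:vaggenNonceSize], blob[vaggenNonceSize:]
	return gcm.Open(nil, nonce, sealed, nil)
}

// DecryptVaggenFile decrypts one file on disk and writes the plaintext next to
// it with the .VAGGEN extension removed; the encrypted original is left intact
// for evidence. It returns the path of the recovered file.
func DecryptVaggenFile(path string) (string, error) {
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plain, err := DecryptVaggen(VaggenKey, blob)
	if err != nil {
		return "", fmt.Errorf("%s: %w", path, err)
	}
	out := strings.TrimSuffix(path, ".VAGGEN")
	if out == path {
		out += ".decrypted"
	}
	return out, os.WriteFile(out, plain, 0o600)
}

// sealLikeVaggen produces a constructed blob in the same layout (random
// 12-byte nonce followed by gcm.Seal output) so the decryptor can be
// exercised offline. It is demonstration scaffolding, not the malware's code.
func sealLikeVaggen(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, vaggenNonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Passing nonce as dst makes Seal append ciphertext||tag right after it.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	blob, err := sealLikeVaggen(VaggenKey, []byte("constructed sample document")) // constructed input
	if err != nil {
		panic(err)
	}
	out, err := DecryptVaggen(VaggenKey, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %q\n", out)
}
```

For an actual recovery, walk the affected directories and call DecryptVaggenFile on every path ending in .VAGGEN; any file that returns an error was not produced with this key (or was damaged) and should be set aside rather than overwritten, which the tag check guarantees because gcm.Open refuses to return unauthenticated plaintext.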
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 942 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 943 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 944 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 945 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 946 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 947 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 948 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 949 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 950 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 951 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 952 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and DropBox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

1. Gets the %APPDATA% directory.
2. Creates the Byxor directory in %APPDATA%.
3. Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
4. Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
5. Calls the Shell function to execute killar.exe.
6. Checks the return value of the Shell function to see whether the launch was successful (the return value is the task ID of the executed application).
7. If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
8. If it isn't successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning system that an intruder has gained access to a network.
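Each step of the macro leaves an observable trace on the host, which is enough to write detection logic for the chain. The following Go program is an added example (not code from the original post or from Malwarebytes): the Event schema, the rule names and the telemetry records are constructed here to mirror the steps listed above, with one benign event included to show the rules do not fire on ordinary downloads.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a constructed, minimal telemetry record (not a real EDR schema).
type Event struct {
	Process string // image name of the acting process
	Action  string // "file_write", "process_create" or "net_get"
	Target  string // written path, child image path, or requested URL
}

// Finding is one rule hit together with the event that triggered it.
type Finding struct {
	Rule  string
	Event Event
}

var officeApps = map[string]bool{"winword.exe": true, "excel.exe": true, "powerpnt.exe": true}

func isOffice(name string) bool { return officeApps[strings.ToLower(name)] }

// DetectMacroChain applies four rules, one per observable step of the macro:
//  1. an Office process writes an .exe under %APPDATA% (Polisen.exe / Killar.exe)
//  2. an Office process fetches a raw file from notabug.org
//  3. an Office process launches a child from %APPDATA%\Byxor
//  4. an Office process issues a GET to canarytokens.com (both the success and
//     the failure branch of the macro end up here)
func DetectMacroChain(events []Event) []Finding {
	var out []Finding
	for _, e := range events {
		if !isOffice(e.Process) {
			continue
		}
		t := strings.ToLower(e.Target)
		switch e.Action {
		case "file_write":
			if strings.Contains(t, `\appdata\roaming\`) && strings.HasSuffix(t, ".exe") {
				out = append(out, Finding{"office_writes_exe_to_appdata", e})
			}
		case "net_get":
			if strings.Contains(t, "notabug.org/") && strings.Contains(t, "/raw/master/") {
				out = append(out, Finding{"office_fetches_raw_from_notabug", e})
			}
			if strings.Contains(t, "canarytokens.com/") {
				out = append(out, Finding{"office_beacons_to_canarytokens", e})
			}
		case "process_create":
			if strings.Contains(t, `\appdata\roaming\byxor\`) {
				out = append(out, Finding{"office_spawns_from_byxor_dir", e})
			}
		}
	}
	return out
}

// SampleEvents is constructed telemetry that mirrors the macro steps in order,
// plus one benign event that must not fire.
func SampleEvents() []Event {
	app := `C:\Users\alice\AppData\Roaming`
	return []Event{
		{"explorer.exe", "process_create", `C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE`},
		{"WINWORD.EXE", "net_get", "https://notabug.org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe"},
		{"WINWORD.EXE", "file_write", app + `\Byxor\Polisen.exe`},
		{"WINWORD.EXE", "net_get", "https://notabug.org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe"},
		{"WINWORD.EXE", "file_write", app + `\Byxor\Killar.exe`},
		{"WINWORD.EXE", "process_create", app + `\Byxor\Killar.exe`},
		{"WINWORD.EXE", "net_get", "https://canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp"},
		{"chrome.exe", "file_write", `C:\Users\alice\Downloads\setup.exe`}, // benign noise
	}
}

func main() {
	for _, f := range DetectMacroChain(SampleEvents()) {
		fmt.Printf("%-34s %-14s %s\n", f.Rule, f.Event.Action, f.Event.Target)
	}
}
```

The beacon rule is worth keeping even though it is the last step: the macro contacts canarytokens.com whether or not the payload launched, so it fires on a blocked execution as well.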
In this case, the canary token probably tells the attacker how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files, adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Based on their behaviour, they can be mapped as follows:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (for example the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go library function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike with professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
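With a hardcoded key and a known file layout, recovery is a short program. The following Go code is an added example, not the malware's code or a Malwarebytes tool; it assumes the three parts of a .VAGGEN file appear in the order listed above (nonce, then ciphertext, then tag, which is what gcm.Seal with the nonce as its dst argument produces), that the key quoted above applies to the file at hand, and that encrypted files keep the .VAGGEN suffix. Recover, RecoverFile, RecoverTree and BuildSample are names chosen here, and BuildSample only constructs a test vector in that layout so the recovery path can be exercised without a real sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// VaggenKey is the hardcoded key quoted in the analysis (32 bytes, hence AES-256).
const VaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

// Assumed .VAGGEN layout: nonce (12) || ciphertext || GCM tag (16), which is what
// gcm.Seal(nonce, nonce, plaintext, nil) yields when written out as one file.
const (
	NonceSize = 12
	TagSize   = 16
	Extension = ".VAGGEN"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
}

// Recover decrypts one blob; a wrong key, truncation or corruption fails the tag check.
func Recover(blob, key []byte) ([]byte, error) {
	if len(blob) < NonceSize+TagSize {
		return nil, fmt.Errorf("blob of %d bytes cannot hold a nonce and a GCM tag", len(blob))
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:NonceSize], blob[NonceSize:], nil)
}

// BuildSample makes a test vector in the same layout (constructed for this demo).
func BuildSample(plaintext, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, NonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RecoverFile restores one .VAGGEN file under its original name, keeping the encrypted copy.
func RecoverFile(path string, key []byte) (string, error) {
	if !strings.HasSuffix(path, Extension) {
		return "", fmt.Errorf("%s: not a %s file", path, Extension)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plain, err := Recover(blob, key)
	if err != nil {
		return "", fmt.Errorf("%s: %w", path, err)
	}
	out := strings.TrimSuffix(path, Extension)
	if err := os.WriteFile(out, plain, 0o600); err != nil {
		return "", err
	}
	return out, nil
}

// RecoverTree walks root with filepath.Walk (the same API the malware hooks its
// encryption callback into) and restores every .VAGGEN file whose tag verifies.
func RecoverTree(root string, key []byte) (restored, failed []string) {
	_ = filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !strings.HasSuffix(p, Extension) {
			return nil
		}
		if out, rerr := RecoverFile(p, key); rerr != nil {
			failed = append(failed, p)
		} else {
			restored = append(restored, out)
		}
		return nil
	})
	return restored, failed
}

func main() {
	blob, _ := BuildSample([]byte("constructed sample document"), []byte(VaggenKey))
	plain, err := Recover(blob, []byte(VaggenKey))
	fmt.Printf("%q %v\n", plain, err)
}
```

Because GCM authenticates the ciphertext, a wrong key or a damaged file yields an error rather than silently written garbage, which is why the encrypted copy is kept until the restored file has been checked.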
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 976 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 977 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 978 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 979 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 980 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 981 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 982 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 983 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 984 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 985 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 986 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 987 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 988 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 989 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 990 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 991 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 992 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 993 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 994 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 995 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 996 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 997 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 998 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 999 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims who want to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
- If successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn't successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning system that an intruder has had access to a network.
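The template-injection hook described above is just a relationship inside the .docx package, so it can be checked before the file is ever opened in Word. The following Go program is an added example (not the post's, UBC's or the campaign's code): it reads a .docx as a zip, parses word/_rels/settings.xml.rels and reports any attachedTemplate relationship whose target is an http(s) URL; the in-memory sample document and the code-host.example URL it builds are constructed placeholders.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
)

// attachedTemplateType is the OOXML relationship type Word uses to record the
// template a document is attached to; template injection points it at a remote file.
const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// Relationship mirrors one <Relationship> element of a .rels part.
type Relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Items []Relationship `xml:"Relationship"`
}

// isRemote is true for http(s) targets only. Word stores a locally attached
// template as a file:/// URL with TargetMode="External", which is benign.
func isRemote(target string) bool {
	u, err := url.Parse(target)
	return err == nil && (u.Scheme == "http" || u.Scheme == "https")
}

// RemoteTemplates inspects a .docx (a zip container) and returns every
// attachedTemplate relationship whose target is an http(s) URL.
func RemoteTemplates(docx []byte) ([]Relationship, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML zip container: %w", err)
	}
	var found []Relationship
	for _, f := range zr.File {
		// The attached-template link lives in the settings part's relationships.
		if f.Name != "word/_rels/settings.xml.rels" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Items {
			if r.Type == attachedTemplateType && isRemote(r.Target) {
				found = append(found, r)
			}
		}
	}
	return found, nil
}

// BuildSampleDocx constructs, in memory, the minimum of a .docx needed to
// exercise the check: a settings part and its .rels attaching the given template.
// It is constructed test scaffolding, not a document from the campaign.
func BuildSampleDocx(template string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	parts := map[string]string{
		"[Content_Types].xml": `<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`,
		"word/settings.xml":   `<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>`,
		"word/_rels/settings.xml.rels": `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>` +
			`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` +
			`<Relationship Id="rId1" Type="` + attachedTemplateType + `" Target="` + template + `" TargetMode="External"/>` +
			`</Relationships>`,
	}
	for name, body := range parts {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Placeholder URL standing in for the code-hosting-site template.dotm in the post.
	doc := BuildSampleDocx("https://code-host.example/attacker/raw/master/template.dotm")
	hits, err := RemoteTemplates(doc)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("remote template injection: %s -> %s\n", h.ID, h.Target)
	}
}
```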
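Because the macro's last step is a GET to canarytokens.com that fires only after the notabug.org payload has been fetched and launched, the two requests from one client are a stronger signal together than either alone. This Go program is an added example, not the post's tooling: it parses a constructed proxy log (the line format and the 10.0.0.x addresses are invented for the example) and pairs each raw .exe download from notabug.org with the canary beacon that followed it from the same client.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"sort"
	"strings"
	"time"
)

// Event is one line of a constructed proxy log, "<RFC3339 time> <client> <method> <url>".
// The format is invented for this example, not any product's native log.
type Event struct {
	When   time.Time
	Client string
	Method string
	URL    *url.URL
}

// ParseLog parses the constructed format; malformed lines are skipped.
func ParseLog(text string) []Event {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 {
			continue
		}
		when, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		u, err := url.Parse(f[3])
		if err != nil {
			continue
		}
		events = append(events, Event{When: when, Client: f[1], Method: f[2], URL: u})
	}
	return events
}

// Finding is one client whose traffic matched the macro's download-then-beacon sequence.
type Finding struct {
	Client  string
	Payload string // the raw .exe fetched from notabug.org
	Beacon  string // the canarytokens.com URL hit afterwards
}

// isRawExe matches executables pulled straight from a notabug.org repository,
// the delivery path used by every variant listed in the post.
func isRawExe(u *url.URL) bool {
	p := strings.ToLower(u.Path)
	return strings.EqualFold(u.Host, "notabug.org") && strings.Contains(p, "/raw/") && strings.HasSuffix(p, ".exe")
}

// CorrelateMacroChain flags each client that fetched a raw .exe from notabug.org
// and then, within window, issued a GET to canarytokens.com. Either request alone
// is weak evidence (canary tokens are a legitimate service); the ordered pair
// from one client mirrors the macro's flow.
func CorrelateMacroChain(events []Event, window time.Duration) []Finding {
	sorted := append([]Event(nil), events...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].When.Before(sorted[j].When) })

	lastPayload := map[string]Event{} // most recent payload download per client
	reported := map[string]bool{}
	var findings []Finding
	for _, e := range sorted {
		switch {
		case isRawExe(e.URL):
			lastPayload[e.Client] = e
		case e.Method == "GET" && strings.EqualFold(e.URL.Host, "canarytokens.com"):
			p, ok := lastPayload[e.Client]
			if !ok || reported[e.Client] || e.When.Sub(p.When) > window {
				continue
			}
			reported[e.Client] = true
			findings = append(findings, Finding{Client: e.Client, Payload: p.URL.String(), Beacon: e.URL.String()})
		}
	}
	return findings
}

// SampleLog is constructed data modelled on the macro steps in the post;
// the client addresses are placeholders. Only 10.0.0.5 completes the chain.
const SampleLog = `2020-10-19T14:02:10Z 10.0.0.5 GET https://notabug.org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
2020-10-19T14:02:11Z 10.0.0.5 GET https://notabug.org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
2020-10-19T14:02:13Z 10.0.0.5 GET https://canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
2020-10-19T14:05:00Z 10.0.0.9 GET https://canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
2020-10-19T14:06:00Z 10.0.0.7 GET https://notabug.org/someone/project/raw/master/README.md
2020-10-19T16:30:00Z 10.0.0.7 GET https://canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp`

func main() {
	for _, f := range CorrelateMacroChain(ParseLog(SampleLog), 10*time.Minute) {
		fmt.Printf("%s: %s then %s\n", f.Client, f.Payload, f.Beacon)
	}
}
```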
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Several of them map to the following roles:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (such as the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) consists of:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike with professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
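Putting the .VAGGEN layout and the hardcoded key described above together, recovery without paying is a plain AES-256-GCM open in Go, and the authentication tag means a wrong key or a damaged file is rejected rather than yielding garbage. The program below is an added example written for this post, not the malware's code or a Malwarebytes tool; EncryptVaggen only reproduces the described layout so that the decryptor can be exercised on constructed input, and the function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// VaggenKey is the 32-byte AES-256 key the post reports as hardcoded in the sample.
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	NonceSize = 12 // per-file GCM nonce (CryptGenRandom in the sample)
	TagSize   = 16 // GCM authentication tag that gcm.Seal appends
	Extension = ".VAGGEN"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptVaggen reproduces the output layout the post describes,
// nonce || ciphertext || tag, which is what gcm.Seal yields once the nonce is
// prefixed. It exists only to produce constructed input for DecryptVaggen.
func EncryptVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, NonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to dst; passing nonce as dst prefixes it.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptVaggen recovers the original bytes from the body of a .VAGGEN file.
// GCM checks the 16-byte tag, so a wrong key or a truncated or corrupted file
// is reported as an error instead of producing garbage.
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < NonceSize+TagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, body := blob[:NonceSize], blob[NonceSize:]
	plain, err := gcm.Open(nil, nonce, body, nil)
	if err != nil {
		return nil, fmt.Errorf("GCM authentication failed (wrong key or damaged file): %w", err)
	}
	return plain, nil
}

// OriginalName undoes the rename step: report.docx.VAGGEN -> report.docx.
// Names without the extension are returned unchanged.
func OriginalName(name string) string {
	return strings.TrimSuffix(name, Extension)
}

func main() {
	// Constructed sample: encrypt with the reported key, then recover it.
	plain := []byte("quarterly budget, constructed sample content")
	blob, err := EncryptVaggen(VaggenKey, plain)
	if err != nil {
		panic(err)
	}
	got, err := DecryptVaggen(VaggenKey, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %q\n", OriginalName("budget.xlsx"+Extension), got)
}
```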
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1010 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1011 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1012 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1013 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. 
However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1014 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1015 of 3467 
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1016 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1017 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url 
and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1018 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. 
Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1019 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1020 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1021 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1022 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. 
With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1023 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1024 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1025 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1026 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1027 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1028 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1029 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1030 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1031 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1032 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1033 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1034 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1035 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1036 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
- If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

- main_LAMNARDETTA -> main_enumDir
- main_ELDBJORT -> main_encryptFile
- main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) consists of:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
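The file layout described above (12-byte nonce, ciphertext, 16-byte GCM tag) together with the hardcoded AES-256 key is all a responder needs to write a recovery tool. The Go program below is an added example, not code from the Malwarebytes post or from the malware; the function names, the fixture builder and the sample plaintext are my own, while the key string is the one quoted above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// A .VAGGEN file, per the analysis, is [12-byte nonce][ciphertext][16-byte tag].
// Go's gcm.Seal appends the tag to the ciphertext, so everything after the
// nonce is one Seal output and can be handed to gcm.Open unchanged.
const (
	nonceSize = 12
	tagSize   = 16
	vaggenExt = ".VAGGEN"
)

// vaggenKey is the 32-byte AES-256 key quoted in the analysis.
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

// newGCM builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptVaggen recovers the plaintext of one .VAGGEN blob. A wrong key, a
// truncated file or a modified byte fails the GCM tag check and yields an
// error rather than garbage, so a successful result can be trusted.
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("vaggen: blob too short to hold nonce and tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// makeFixture builds a blob in the same layout so the decryptor can be
// tested offline. It is a constructed test helper, not the malware's code:
// any AES-GCM Seal with a random 12-byte nonce and no AAD gives this layout.
func makeFixture(key, plain []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plain, nil)...), nil
}

// RecoverFile decrypts one .VAGGEN file and writes the plaintext under the
// original name, leaving the .VAGGEN file in place so a key mismatch or a
// mistaken run loses nothing. It returns the path written.
func RecoverFile(key []byte, path string) (string, error) {
	if !strings.HasSuffix(path, vaggenExt) {
		return "", fmt.Errorf("%s: not a %s file", path, vaggenExt)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plain, err := DecryptVaggen(key, blob)
	if err != nil {
		return "", fmt.Errorf("%s: %w", path, err)
	}
	out := strings.TrimSuffix(path, vaggenExt)
	return out, os.WriteFile(out, plain, 0o600)
}

func main() {
	// Recover every .VAGGEN file under the directory given as the first argument.
	if len(os.Args) < 2 {
		return
	}
	_ = filepath.Walk(os.Args[1], func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !strings.HasSuffix(p, vaggenExt) {
			return nil
		}
		if out, err := RecoverFile(vaggenKey, p); err != nil {
			fmt.Println("skipped:", err)
		} else {
			fmt.Println("recovered:", out)
		}
		return nil
	})
}
```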
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we have observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much harder to flag spam arriving through file sharing services without generating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of Shell to see whether the launch succeeded (on success, the return value is the task ID of the executed application)
- If successful, sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event; it can be very useful as an early warning that an intruder has had access to a network.
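The macro only runs because Word follows the attachedTemplate relationship stored inside the .docx and fetches template.dotm from a remote URL. As an added example for this page (not code from the original post or from the attacker's tooling), here is a Go checker that opens a .docx as the OOXML zip it is, reads word/_rels/settings.xml.rels, and reports any attachedTemplate relationship whose target is an http(s) URL. It goes one step beyond the text in that it deliberately ignores file:// targets, because Word records a locally attached Normal.dotm the same way and flagging those would bury the real hits. The two sample documents are built in memory from constructed XML, and the remote URL under example.invalid is a placeholder, not the attacker's real template location.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// relationships mirrors the OOXML Relationships part at word/_rels/settings.xml.rels;
// the attachedTemplate relationship in it is what Word follows when the document
// declares a template in word/settings.xml.
type relationships struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// RemoteTemplates returns the http(s) URLs a .docx will fetch as its attached template
// when opened. Local templates (file:// targets, the normal case for Normal.dotm) are
// not reported. An empty result means no remote template injection was found.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML container: %w", err)
	}
	var remote []string
	for _, f := range zr.File {
		if f.Name != "word/_rels/settings.xml.rels" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("bad relationships part: %w", err)
		}
		for _, r := range rels.Rels {
			if !strings.HasSuffix(r.Type, "/attachedTemplate") || r.TargetMode != "External" {
				continue
			}
			u, err := url.Parse(r.Target)
			if err != nil {
				continue
			}
			if s := strings.ToLower(u.Scheme); s == "http" || s == "https" {
				remote = append(remote, r.Target)
			}
		}
	}
	return remote, nil
}

// Constructed relationship parts for this example. The remote URL is a placeholder.
const RemoteRels = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="https://example.invalid/raw/master/template.dotm" TargetMode="External"/>
</Relationships>`

const LocalRels = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm" TargetMode="External"/>
</Relationships>`

// BuildDocx assembles a minimal in-memory .docx (a constructed sample, not a real
// document) carrying the given settings.xml.rels part.
func BuildDocx(rels string) []byte {
	parts := []struct{ name, body string }{
		{"[Content_Types].xml", `<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`},
		{"word/document.xml", `<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>`},
		{"word/settings.xml", `<?xml version="1.0"?><w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>`},
		{"word/_rels/settings.xml.rels", rels},
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, p := range parts {
		w, err := zw.Create(p.name)
		if err != nil {
			panic(err)
		}
		w.Write([]byte(p.body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	for _, s := range []struct{ label, rels string }{{"injected", RemoteRels}, {"benign", LocalRels}} {
		urls, err := RemoteTemplates(BuildDocx(s.rels))
		if err != nil {
			fmt.Println(s.label, "error:", err)
			continue
		}
		fmt.Printf("%s: remote templates %v\n", s.label, urls)
	}
}
```

A mail gateway or sandbox can run the same check on every inbound .docx before the user ever opens it; a hit on a code-hosting domain such as the one used here is worth blocking outright, since legitimate corporate templates are served from internal shares rather than raw repository URLs.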
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files, adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding the equivalent of 80 USD, to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, starting with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. We identified the following:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (e.g. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The encryption algorithm is similar to the one demonstrated here.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) consists of:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that use a very similar macro to drop a coin miner. This raises further questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
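Putting those elements together, here is a decryptor for the .VAGGEN layout (12-byte nonce, then ciphertext, then the 16-byte tag, under the 32-byte hardcoded key). It is an added example written in Go for this page, not the malware's own code, and it assumes three things the analysis above supports but does not spell out in code: the layout and key exactly as described, no additional authenticated data passed to gcm.Seal (the standard Go pattern the analysis compares the malware to), and the .VAGGEN extension appended to the original filename. SealVaggen exists only to produce a test vector offline, with crypto/rand standing in for the CryptGenRandom call the malware makes. Because GCM authenticates the ciphertext, gcm.Open fails on a wrong key or a truncated or corrupted file instead of returning garbage, which is exactly the check you want before overwriting a victim's files.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// VaggenKey is the 32-byte key recovered from the sample, hence AES-256.
const VaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12        // GCM nonce the malware writes at the start of each file
	tagSize   = 16        // GCM tag that gcm.Seal appends after the ciphertext
	vaggenExt = ".VAGGEN" // extension appended to every encrypted file
)

// DecryptVaggen reverses the layout nonce || ciphertext || tag. gcm.Open verifies the
// tag, so a wrong key, a truncated file or a single corrupted byte yields an error,
// never silently wrong plaintext. Assumes no additional authenticated data was used.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to contain a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	plain, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("authentication failed (wrong key or damaged file): %w", err)
	}
	return plain, nil
}

// SealVaggen builds a blob in the same layout so the decryptor can be exercised
// offline. It is a test-vector generator for this example; crypto/rand stands in
// for the CryptGenRandom call the malware uses for its nonce.
func SealVaggen(plaintext, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, nonceSize+len(plaintext)+tagSize)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil // Seal appends ciphertext || tag
}

// OriginalName strips the ransomware extension; ok is false if the name lacks it.
func OriginalName(name string) (orig string, ok bool) {
	if !strings.HasSuffix(name, vaggenExt) {
		return name, false
	}
	return strings.TrimSuffix(name, vaggenExt), true
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key := []byte(VaggenKey)
	sample := []byte("constructed sample document contents") // stands in for a victim file
	blob, err := SealVaggen(sample, key)
	if err != nil {
		panic(err)
	}
	name, _ := OriginalName("report.docx" + vaggenExt)
	plain, err := DecryptVaggen(blob, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %d bytes on disk -> %d bytes recovered: %q\n", name, len(blob), len(plain), plain)

	blob[nonceSize] ^= 0x01 // flip one ciphertext bit: the tag no longer verifies
	if _, err := DecryptVaggen(blob, key); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}
}
```

When using this against a real sample, work on a copy of each .VAGGEN file, write the recovered bytes to the name OriginalName returns, and only discard the encrypted copy once the output opens as the file type its original extension implies.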
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1087 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1088 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1089 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1090 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1091 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1092 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1093 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1094 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1095 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1096 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and Dropbox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether the launch was successful (the return value would be the task ID of the executed application)
- If successful, sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
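As an added example (not code from the original post or from Malwarebytes), the following Go program turns the macro steps listed above into three host-level detection rules and runs them over a constructed Sysmon-like event trace. The pipe-separated log format, the username, and the assumption that the two downloaded files are launched from %APPDATA%\Byxor are mine; the hostnames, paths and canary URL come from the steps above.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a constructed, Sysmon-like telemetry record reduced to the fields the rules need.
type Event struct {
	Kind   string // "process" or "network"
	Image  string // image path of the acting process
	Parent string // parent image path (process events only)
	Target string // destination host and path (network events only)
}

// Finding is one matched rule together with the event that triggered it.
type Finding struct {
	Rule  string
	Event Event
}

// ParseEvent reads one line in the constructed format kind|image|parent|target.
func ParseEvent(line string) (Event, error) {
	f := strings.Split(line, "|")
	if len(f) != 4 {
		return Event{}, fmt.Errorf("want 4 fields, got %d in %q", len(f), line)
	}
	return Event{Kind: f[0], Image: f[1], Parent: f[2], Target: f[3]}, nil
}

// isWord matches WINWORD.EXE by its final path component, either separator.
func isWord(image string) bool {
	if i := strings.LastIndexAny(image, `\/`); i >= 0 {
		image = image[i+1:]
	}
	return strings.EqualFold(image, "WINWORD.EXE")
}

// Analyze applies three rules taken from the macro steps above:
//  1. Word fetching an .exe from a raw notabug.org repository path;
//  2. Word spawning an executable out of %APPDATA%\Byxor (assumed here to be
//     where Polisen.exe and Killar.exe are written);
//  3. Word beaconing to canarytokens.com after the launch attempt.
func Analyze(events []Event) []Finding {
	var out []Finding
	for _, e := range events {
		target, image := strings.ToLower(e.Target), strings.ToLower(e.Image)
		switch {
		case e.Kind == "network" && isWord(e.Image) &&
			strings.HasPrefix(target, "notabug.org/") &&
			strings.Contains(target, "/raw/master/") && strings.HasSuffix(target, ".exe"):
			out = append(out, Finding{"word-downloads-exe-from-notabug-raw", e})
		case e.Kind == "process" && isWord(e.Parent) &&
			strings.Contains(image, `\appdata\roaming\byxor\`):
			out = append(out, Finding{"word-spawns-binary-from-appdata-byxor", e})
		case e.Kind == "network" && isWord(e.Image) &&
			strings.HasPrefix(target, "canarytokens.com/"):
			out = append(out, Finding{"word-beacons-to-canarytokens", e})
		}
	}
	return out
}

// AnalyzeLines parses then analyzes a batch; a malformed line is an error, not silently skipped.
func AnalyzeLines(lines []string) ([]Finding, error) {
	events := make([]Event, 0, len(lines))
	for _, l := range lines {
		e, err := ParseEvent(l)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return Analyze(events), nil
}

// ChainComplete reports whether all three stages were seen; that combination is the
// high-confidence signal, while any single rule alone may fire on unrelated activity.
func ChainComplete(findings []Finding) bool {
	seen := map[string]bool{}
	for _, f := range findings {
		seen[f.Rule] = true
	}
	return seen["word-downloads-exe-from-notabug-raw"] &&
		seen["word-spawns-binary-from-appdata-byxor"] &&
		seen["word-beacons-to-canarytokens"]
}

// SampleLog is a constructed trace of the chain on one workstation; the last
// line is benign noise that must not match.
var SampleLog = []string{
	`network|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\explorer.exe|notabug.org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe`,
	`network|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\explorer.exe|notabug.org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe`,
	`process|C:\Users\alice\AppData\Roaming\Byxor\Killar.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|`,
	`network|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\explorer.exe|canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp`,
	`process|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|`,
}

func main() {
	findings, err := AnalyzeLines(SampleLog)
	fmt.Println(len(findings), "findings, chain complete:", ChainComplete(findings), "err:", err)
}
```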
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. For example:

- main_LAMNARDETTA -> main_enumDir
- main_ELDBJORT -> main_encryptFile
- main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback passed to the standard Go function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12 byte long nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) consists of:

- the 12 byte long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
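Putting the .VAGGEN layout (nonce || ciphertext || GCM tag) and the hardcoded AES-256 key from the Vaggen ransomware section above to use as a recovery tool, here is an added Go example written for this page; it is not code from the malware or from Malwarebytes. The fixture builder and its sample plaintext are constructed so the decryptor can be exercised offline, and the extension-stripping helper is my own addition.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// VaggenKey is the 32-byte AES-256 key hardcoded in the sample, as reported above.
const VaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // nonce stored at the start of every .VAGGEN file
	tagSize   = 16 // GCM tag that gcm.Seal appends after the ciphertext
	vaggenExt = ".VAGGEN"
)

// DecryptVaggen takes the raw bytes of a .VAGGEN file, laid out as
// nonce || ciphertext || tag, and returns the original content. gcm.Open
// verifies the tag, so a truncated, corrupted or differently keyed file is
// rejected instead of yielding garbage.
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("want a 32-byte AES-256 key, got %d bytes", len(key))
	}
	if len(blob) < nonceSize+tagSize {
		return nil, fmt.Errorf("blob too short for nonce and tag: %d bytes", len(blob))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	plain, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, errors.New("GCM tag check failed: wrong key or damaged file")
	}
	return plain, nil
}

// RestoreName strips the .VAGGEN extension; ok is false when the name does not
// carry it (or is nothing but the extension), so unrelated files are left alone.
func RestoreName(name string) (restored string, ok bool) {
	if !strings.HasSuffix(name, vaggenExt) || len(name) == len(vaggenExt) {
		return name, false
	}
	return strings.TrimSuffix(name, vaggenExt), true
}

// makeFixture builds an in-memory blob in the same layout so the decryptor can
// be exercised offline. It is a constructed stand-in for a captured .VAGGEN file
// (crypto/rand here, CryptGenRandom in the sample), not the malware's code.
func makeFixture(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst; passing the nonce as dst produces
	// exactly the nonce||ciphertext||tag layout described above.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	key := []byte(VaggenKey)
	blob, err := makeFixture(key, []byte("constructed survey answers"))
	if err != nil {
		panic(err)
	}
	plain, err := DecryptVaggen(key, blob)
	name, _ := RestoreName("answers.docx" + vaggenExt)
	fmt.Printf("%s -> %q (err=%v)\n", name, plain, err)
}
```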
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1125 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. 
Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1126 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1127 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. 
Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1128 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1129 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1130 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1131 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1132 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1133 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1134 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1135 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1136 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1137 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1138 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1139 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1140 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1141 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1142 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1143 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1144 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1145 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1146 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we have observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

This attack and its motives, however, differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims in exchange for recovering their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, the attack was not successful, thanks to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly by email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much harder to detect spam sent through file sharing services without generating a number of false positives.

The attacker claimed to be a manager and added the following comment to the file sharing invitation (shared with us by UBC):

"Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding rem
ote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!"

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection: the .docx carries no macro of its own but references a remote template (template.dotm) weaponized with a malicious macro, which Word downloads when the document is opened. That template was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the VBA Shell function to execute killar.exe
- Checks the return value of Shell to see whether the launch succeeded (on success, the return value is the task ID of the launched application)
- If successful, sends an HTTP GET request to: canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not, sends an HTTP GET request to: canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document triggers a notification via the canarytokens.com website. Typically, defenders use this type of service to be alerted to a particular event; it can serve as an early warning system that an intruder has gained access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

Once deployed, the ransomware encrypts the user's files, appending the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, starting from the function denoted as 'main_main'. Other functions belonging to the main package have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. The routines that matter for encryption, renamed after what they do:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (such as the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64; the XXTEA key is hardcoded ("STALKER"). At the end of execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode; the routine closely follows the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the gcm.Seal function.

The output file (with the .VAGGEN extension) is laid out as:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

(gcm.Seal appends the tag to the ciphertext, so the file is simply the nonce followed by Seal's output.)

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money", with a trailing "0" that pads it to the 32 bytes AES-256 requires. Using this key, we can easily decrypt the content. With all these elements, we can in fact recover encrypted files without paying the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It is unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
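The string protection described in the Vaggen ransomware section above (Base64 over XXTEA with the hardcoded key "STALKER") is small enough to reproduce. The Go code below is an added example, neither the malware's code nor the xxtea-go library: it implements XXTEA from the public reference algorithm and assumes the byte layout xxtea-go uses (little-endian 32-bit words, the plaintext length stored in a trailing word, keys shorter than 16 bytes zero-padded). Because the post does not reproduce a ciphertext chunk from the sample, the vector it decodes is one it builds itself from a constructed sentence; confirm the layout against a real chunk pulled from the binary before trusting the output.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

const delta = 0x9e3779b9

// mx is the XXTEA mixing term from the public reference algorithm.
func mx(sum, y, z, p, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// btea encrypts or decrypts a block of words in place under a 128-bit key.
func btea(v []uint32, key []byte, encrypt bool) {
	// xxtea-go pads short keys with zero bytes to 16 (assumed here): "STALKER" + 9 zeros.
	k := words(append(make([]byte, 0, 16), key...)[:16])
	n := uint32(len(v))
	if n < 2 {
		return
	}
	rounds := 6 + 52/n
	if encrypt {
		var sum uint32
		z := v[n-1]
		for ; rounds > 0; rounds-- {
			sum += delta
			e := (sum >> 2) & 3
			for p := uint32(0); p < n-1; p++ {
				v[p] += mx(sum, v[p+1], z, p, e, k)
				z = v[p]
			}
			v[n-1] += mx(sum, v[0], z, n-1, e, k)
			z = v[n-1]
		}
		return
	}
	sum := rounds * delta
	y := v[0]
	for ; rounds > 0; rounds-- {
		e := (sum >> 2) & 3
		for p := n - 1; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n-1], 0, e, k)
		y = v[0]
		sum -= delta
	}
}

// words packs bytes into little-endian 32-bit words (the xxtea-go layout assumed here).
func words(b []byte) []uint32 {
	v := make([]uint32, (len(b)+3)/4)
	for i, c := range b {
		v[i/4] |= uint32(c) << (8 * uint(i%4))
	}
	return v
}

func unwords(v []uint32) []byte {
	out := make([]byte, len(v)*4)
	for i := range out {
		out[i] = byte(v[i/4] >> (8 * uint(i%4)))
	}
	return out
}

// XXTEAEncrypt appends the plaintext length as a trailing word, then runs XXTEA.
func XXTEAEncrypt(data, key []byte) []byte {
	v := append(words(data), uint32(len(data)))
	btea(v, key, true)
	return unwords(v)
}

// XXTEADecrypt reverses XXTEAEncrypt and returns nil instead of garbage when the
// recovered length word cannot fit the block (wrong key or different layout).
func XXTEADecrypt(data, key []byte) []byte {
	v := words(data)
	btea(v, key, false) // no-op for fewer than two words
	n := (len(v) - 1) * 4 // bytes available for plaintext
	if len(v) < 2 || int(v[len(v)-1]) > n || int(v[len(v)-1]) < n-3 {
		return nil
	}
	return unwords(v[:len(v)-1])[:v[len(v)-1]]
}

// DecodeString applies the malware's string recovery: Base64 decode, then XXTEA under key.
func DecodeString(encoded, key string) (plain string, ok bool) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", false
	}
	p := XXTEADecrypt(raw, []byte(key))
	return string(p), p != nil
}

// EncodeString is the inverse (XXTEA, then Base64), used to build test vectors.
func EncodeString(plain, key string) string {
	return base64.StdEncoding.EncodeToString(XXTEAEncrypt([]byte(plain), []byte(key)))
}

func main() {
	blob := EncodeString("Your files are encrypted.", "STALKER") // constructed text, not the sample's note
	note, ok := DecodeString(blob, "STALKER")
	fmt.Println(blob, note, ok)
}
```

DecodeString reports ok=false when the decrypted length word does not fit the block, which is what a wrong key or a different word layout produces; a real chunk from the binary that fails here points at the layout assumption first, since the key is given in the post.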
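The file layout and key given above are everything a decryptor needs: each .VAGGEN file is the 12-byte nonce followed by the output of gcm.Seal, which is the ciphertext with the 16-byte tag appended. The Go program below is an added example, not the malware's routine and not a Malwarebytes tool. It uses the 32-byte key string quoted in the analysis, assumes that no additional authenticated data was passed to Seal and that .VAGGEN was appended to the original file name, and builds its sample files itself (constructed data). Because GCM authenticates, gcm.Open rejects a wrong key or a damaged file instead of writing garbage, which is the property a recovery tool needs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// VaggenKey is the key string quoted in the analysis: 32 bytes, hence AES-256.
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const nonceSize = 12 // standard GCM nonce length, as used by the sample

// EncryptVaggen reproduces the described layout (12-byte random nonce, then
// gcm.Seal's ciphertext-plus-tag) so that test files can be built. Written for
// this example, not taken from the malware; crypto/rand stands in for the
// CryptGenRandom call observed in the binary.
func EncryptVaggen(plain, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil // dst=nonce prepends it
}

// DecryptVaggen recovers one .VAGGEN blob. gcm.Open verifies the trailing tag,
// so a wrong key or a damaged file yields an error rather than garbage.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceSize+gcm.Overhead() {
		return nil, errors.New("vaggen: file too short to hold nonce and tag")
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// OriginalName strips the appended .VAGGEN extension; ok is false otherwise.
func OriginalName(name string) (orig string, ok bool) {
	orig = strings.TrimSuffix(name, ".VAGGEN")
	return orig, orig != name
}

// RecoverTree walks root (the sample itself uses path/filepath.Walk to find
// victims), decrypts every *.VAGGEN file and writes the plaintext under the
// original name. The encrypted copy is left in place as evidence.
func RecoverTree(root string, key []byte) (int, error) {
	recovered := 0
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		orig, ok := OriginalName(path)
		if !ok {
			return nil
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		plain, err := DecryptVaggen(blob, key)
		if err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		if err := os.WriteFile(orig, plain, info.Mode().Perm()); err != nil {
			return err
		}
		recovered++
		return nil
	})
	return recovered, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	n, err := RecoverTree(root, VaggenKey)
	fmt.Println("recovered:", n, "error:", err)
}
```

Run it as go run . /path/to/victim/tree. If real files fail the tag check, the first thing to verify in the binary is whether Seal was given additional authenticated data (its last argument), which the post does not mention; a wrong guess there fails authentication exactly like a wrong key.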
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1157 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1158 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1159 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1160 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1161 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. 
With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1162 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1163 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1164 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1165 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1166 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and 
payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1167 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1168 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. 
Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1169 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1170 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1171 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1172 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. 
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1173 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1174 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1175 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. 
Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1176 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1177 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. 
Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1178 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1179 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1180 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1181 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1182 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1183 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1184 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1185 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether execution was successful (the return value would be the task ID of the executed application)
- If successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Some of them map to the following roles:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the library xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Golang function path/filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 bytes long nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) contains:

- the 12 bytes long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
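The recovery described in the Vaggen ransomware section above, as an added example that is neither the post's code nor the malware's: a Go decryptor for the reported .VAGGEN layout (12-byte nonce, then ciphertext, then 16-byte GCM tag) under the 32-byte key the post quotes. Function names (decryptVaggen, restoreFile, restoreTree, sealSample) are my own, and the sample blob is constructed inline so the code runs offline; GCM's tag check makes a wrong key or a corrupted file fail closed rather than write garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Key the post reports as hardcoded in the sample: 32 bytes, hence AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12       // GCM standard nonce length, as described in the post
	tagSize   = 16       // GCM authentication tag appended by gcm.Seal
	vaggenExt = ".VAGGEN" // extension the ransomware adds to encrypted files
)

// decryptVaggen parses nonce || ciphertext || tag and authenticates it.
// gcm.Open verifies the tag, so a wrong key or a damaged file returns an error.
func decryptVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("blob too short to hold a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	return gcm.Open(nil, nonce, sealed, nil)
}

// restoreFile decrypts one .VAGGEN file and writes the original name beside it.
// The encrypted copy is deliberately left in place as forensic evidence.
func restoreFile(key []byte, path string) (string, error) {
	if !strings.HasSuffix(path, vaggenExt) {
		return "", fmt.Errorf("%s does not carry the %s extension", path, vaggenExt)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plain, err := decryptVaggen(key, blob)
	if err != nil {
		return "", fmt.Errorf("%s: %w", path, err)
	}
	out := strings.TrimSuffix(path, vaggenExt)
	if err := os.WriteFile(out, plain, 0o600); err != nil {
		return "", err
	}
	return out, nil
}

// restoreTree walks root with filepath.Walk (the same primitive the post says the
// ransomware used for encryption) and restores every .VAGGEN file it finds.
func restoreTree(key []byte, root string) ([]string, error) {
	var restored []string
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !strings.HasSuffix(p, vaggenExt) {
			return err
		}
		out, rerr := restoreFile(key, p)
		if rerr != nil {
			return rerr
		}
		restored = append(restored, out)
		return nil
	})
	return restored, err
}

// sealSample builds a constructed blob in the same layout, purely so the
// decryptor can be exercised offline; the nonce is caller-supplied for determinism.
func sealSample(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(nonce) != gcm.NonceSize() {
		return nil, errors.New("nonce must be 12 bytes")
	}
	// Seal appends ciphertext and tag after the nonce: nonce || ciphertext || tag.
	return gcm.Seal(append([]byte{}, nonce...), nonce, plaintext, nil), nil
}

func main() {
	key := []byte(vaggenKey)
	blob, _ := sealSample(key, []byte("012345678901"), []byte("constructed sample file"))
	plain, err := decryptVaggen(key, blob)
	fmt.Printf("recovered %q (err=%v)\n", plain, err)
	blob[len(blob)-1] ^= 0xff // flip a tag bit: GCM must reject the file
	_, err = decryptVaggen(key, blob)
	fmt.Println("tampered file:", err)
}
```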
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1195 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1196 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

"Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!"

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether it succeeded (on success, the return value is the task ID of the executed application)
- If successful, sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning system that an intruder has gained access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Based on their behaviour, some of them can be renamed:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the gcm.Seal function.

The content of the output file (with .VAGGEN extension) is laid out as:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm  634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe  34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe  00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx  e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm  334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe  03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe  43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm  225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm  ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe  b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe  00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm  7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe  f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe  71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
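The string protection described in the Vaggen ransomware section (Base64 over XXTEA with the hardcoded key "STALKER") can be reversed offline. The block below is an added example written for this page; it is neither the malware's code nor the xxtea-go library. It implements XXTEA from the reference (corrected Block TEA) description, packs data as little-endian words with the byte length appended as the final word, and zero-pads the key to 16 bytes. That layout is the one the xxtea reference implementations share and is assumed here to match xxtea-go. The encrypted note it decodes is a constructed fixture produced by the same code, since the post quotes no ciphertext.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

const delta = 0x9e3779b9 // XXTEA round constant

// mx is the XXTEA (corrected Block TEA) mixing function.
func mx(sum, y, z, p, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// encryptWords runs XXTEA in place over n >= 2 words with a 4-word key.
func encryptWords(v, k []uint32) {
	n := uint32(len(v))
	rounds, sum, z := 6+52/n, uint32(0), v[n-1]
	for ; rounds > 0; rounds-- {
		sum += delta
		e := (sum >> 2) & 3
		var p uint32
		for p = 0; p < n-1; p++ {
			v[p] += mx(sum, v[p+1], z, p, e, k)
			z = v[p]
		}
		v[n-1] += mx(sum, v[0], z, p, e, k)
		z = v[n-1]
	}
}

// decryptWords is the exact inverse of encryptWords.
func decryptWords(v, k []uint32) {
	n := uint32(len(v))
	rounds := 6 + 52/n
	sum, y := rounds*delta, v[0]
	for ; rounds > 0; rounds-- {
		e := (sum >> 2) & 3
		for p := n - 1; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n-1], 0, e, k)
		y = v[0]
		sum -= delta
	}
}

// toWords packs bytes into little-endian uint32 words, zero-padding the tail.
func toWords(b []byte) []uint32 {
	v := make([]uint32, (len(b)+3)/4)
	for i, c := range b {
		v[i/4] |= uint32(c) << (8 * uint(i%4))
	}
	return v
}

// toBytes is the inverse of toWords (always 4*len(v) bytes).
func toBytes(v []uint32) []byte {
	out := make([]byte, 4*len(v))
	for i := range out {
		out[i] = byte(v[i/4] >> (8 * uint(i%4)))
	}
	return out
}

// xxteaKey zero-pads (or truncates) the key to 128 bits, so "STALKER" becomes
// "STALKER" plus nine NULs (padding rule assumed from the xxtea reference code).
func xxteaKey(key []byte) []uint32 {
	k := make([]byte, 16)
	copy(k, key)
	return toWords(k)
}

// EncryptString yields Base64(XXTEA(plain || length word)); used only to build fixtures.
func EncryptString(plain string, key []byte) string {
	if plain == "" {
		return ""
	}
	v := append(toWords([]byte(plain)), uint32(len(plain)))
	encryptWords(v, xxteaKey(key))
	return base64.StdEncoding.EncodeToString(toBytes(v))
}

// DecryptString reverses the sample's string protection: Base64-decode, XXTEA-decrypt,
// then use the trailing length word to drop the padding.
func DecryptString(b64 string, key []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) < 8 || len(raw)%4 != 0 {
		return "", errors.New("not a Base64 blob of at least two whole XXTEA words")
	}
	v := toWords(raw)
	decryptWords(v, xxteaKey(key))
	n, m := 4*(len(v)-1), int(v[len(v)-1])
	if m < n-3 || m > n { // length word must fit the data words; a wrong key fails here
		return "", errors.New("implausible length word: wrong key or corrupt data")
	}
	return string(toBytes(v[:len(v)-1])[:m]), nil
}

func main() {
	key := []byte("STALKER")
	fmt.Println(DecryptString(EncryptString("constructed ransom-note text", key), key))
}
```

The plausibility check on the length word is what makes this usable as a triage tool: fed a string extracted from the binary with the wrong key, it almost always returns an error instead of printing binary noise, so a batch run over all Base64 chunks sorts decryptable strings from false positives.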
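Putting the .VAGGEN file layout together (12-byte nonce, ciphertext, 16-byte GCM tag, AES-256 under the hardcoded key quoted in the post), the following Go program is an added example of the recovery the analysts describe; it is not Malwarebytes' decryptor. It assumes no additional authenticated data was passed to gcm.Seal, since the post mentions none, and it exercises itself on a constructed blob rather than a real encrypted file. Because GCM verifies the tag before releasing any plaintext, a wrong key, a truncated file or a corrupted byte is reported as an error rather than written out as garbage, which is the property a recovery tool should rely on.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// vaggenKey is the 32-byte key quoted in the write-up (AES-256).
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	nonceSize = 12 // nonce the sample generates with CryptGenRandom
	tagSize   = 16 // GCM authentication tag
	vaggenExt = ".VAGGEN"
)

// DecryptVaggen takes the on-disk layout described in the write-up,
// nonce || ciphertext || tag, and returns the original file content.
// Go's cipher.AEAD treats "ciphertext || tag" as one unit (that is what gcm.Seal
// emitted on the malware side), so only the nonce has to be split off.
// No additional authenticated data is assumed, since the write-up mentions none.
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Open verifies the tag before releasing any plaintext: a wrong key, a
	// truncated file or a flipped byte fails here instead of producing garbage.
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// RestoreName strips the appended extension; ok is false when the name does
// not carry it, so a recovery loop never rewrites an untouched file.
func RestoreName(name string) (restored string, ok bool) {
	if !strings.HasSuffix(name, vaggenExt) || len(name) == len(vaggenExt) {
		return name, false
	}
	return strings.TrimSuffix(name, vaggenExt), true
}

// makeSampleBlob builds a constructed fixture in the same layout so the
// decryptor can be exercised offline; it is not the malware's code.
func makeSampleBlob(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst, so passing nonce as dst yields the layout.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	blob, err := makeSampleBlob(vaggenKey, []byte("constructed document contents"))
	if err != nil {
		panic(err)
	}
	plain, err := DecryptVaggen(vaggenKey, blob)
	name, _ := RestoreName("report.docx" + vaggenExt)
	fmt.Printf("%s -> %q (err=%v)\n", name, plain, err)
}
```

A recovery loop built on this should write the decrypted content to the restored name and leave the .VAGGEN original in place until the write has succeeded, since the authenticated decrypt is the only evidence that the key and layout matched for that particular file.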
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1237 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1238 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1239 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1240 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1241 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1242 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1243 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1244 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1245 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1246 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1247 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and Dropbox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of the Shell function to determine whether it was successful (the return value would be the task ID of the executed application)
If successful, sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If not successful, sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
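A defender-side check for the template injection described above, as an added Go example that is not part of the original post and not Malwarebytes' tooling: it opens a .docx container, reads word/_rels/settings.xml.rels and reports any attachedTemplate relationship whose external target is an http(s) URL (a local file:// Normal.dotm is the benign case it must not flag). The in-memory documents, their relationship XML and the example.invalid host are constructed for the test.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// OOXML relationship type Word uses for a document's attached template.
// Template injection points this relationship at a remote URL so Word
// fetches (and runs the macros of) a .dotm when the document is opened.
const attachedTemplateRel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// relationships mirrors the part of word/_rels/settings.xml.rels we inspect.
type relationships struct {
	XMLName xml.Name `xml:"Relationships"`
	Rels    []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// RemoteTemplates opens a .docx (a zip container) and returns the targets of
// attachedTemplate relationships that point at an http(s) URL. A normal
// document either has no such relationship or one targeting a local
// file:// path such as Normal.dotm, which is not reported.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a zip/OOXML container: %w", err)
	}
	var found []string
	for _, f := range zr.File {
		if f.Name != "word/_rels/settings.xml.rels" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("malformed settings.xml.rels: %w", err)
		}
		for _, r := range rels.Rels {
			if r.Type != attachedTemplateRel || !strings.EqualFold(r.TargetMode, "External") {
				continue
			}
			u, err := url.Parse(r.Target)
			if err != nil {
				continue // not a URL Word could fetch over HTTP; skip
			}
			// UNC (\\host\share) targets also deserve review but are out of
			// scope here; the sample in the post used an https URL.
			if s := strings.ToLower(u.Scheme); s == "http" || s == "https" {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

// buildDocx assembles a minimal, constructed .docx in memory whose
// settings.xml.rels carries the given relationships XML. Real documents
// contain many more parts; only the ones this check reads are included.
func buildDocx(relsXML string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	parts := map[string]string{
		"word/settings.xml":            `<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>`,
		"word/_rels/settings.xml.rels": relsXML,
	}
	for name, body := range parts {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

// Constructed relationship parts: one injected (remote .dotm on a placeholder
// host, not the real notabug.org path) and one benign local template.
const injectedRels = `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="` + attachedTemplateRel + `" Target="https://example.invalid/raw/master/template.dotm" TargetMode="External"/></Relationships>`
const benignRels = `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="` + attachedTemplateRel + `" Target="file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm" TargetMode="External"/></Relationships>`

func main() {
	for name, rels := range map[string]string{"injected": injectedRels, "benign": benignRels} {
		targets, err := RemoteTemplates(buildDocx(rels))
		fmt.Printf("%s document: remote templates=%v err=%v\n", name, targets, err)
	}
}
```

The same relationship check applies to .dotm and .docm files, which use the identical package layout.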
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Three of them, renamed by their behavior:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go library function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) consists of:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
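The recovery the analysis describes, as an added Go example that is neither the malware's code nor Malwarebytes' decryptor: it parses the .VAGGEN layout (12-byte nonce, ciphertext, 16-byte GCM tag), opens it with the hardcoded key quoted above, and relies on GCM authentication to reject a file encrypted with a different key or damaged on disk instead of returning garbage. The sealSample helper and its plaintext exist only to construct test input with the same layout; the key is assumed to be exactly the bytes quoted in the post.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// The 32-byte key quoted in the analysis (AES-256). Assumed here to be the
// exact bytes the sample uses; it is taken from the post, not re-derived.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceLen  = 12 // CryptGenRandom nonce, stored at the start of the file
	tagLen    = 16 // GCM tag, appended by gcm.Seal after the ciphertext
	vaggenExt = ".VAGGEN"
)

// newGCM builds the AES-256-GCM instance. Go's default GCM uses a 12-byte
// nonce and a 16-byte tag, matching the layout described in the analysis.
func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(vaggenKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RecoverVaggen takes the bytes of a .VAGGEN file (nonce || ciphertext || tag)
// and returns the original plaintext. gcm.Open verifies the tag, so a file
// sealed under another key, truncated, or otherwise corrupted is rejected.
func RecoverVaggen(blob []byte) ([]byte, error) {
	if len(blob) < nonceLen+tagLen {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceLen], blob[nonceLen:]
	plain, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("authentication failed (wrong key or corrupt file): %w", err)
	}
	return plain, nil
}

// OriginalName strips the ransomware's extension so a recovered file can be
// written back under its pre-encryption name; ok is false if it was absent.
func OriginalName(encName string) (name string, ok bool) {
	if !strings.HasSuffix(encName, vaggenExt) {
		return encName, false
	}
	return strings.TrimSuffix(encName, vaggenExt), true
}

// sealSample is a constructed stand-in for the sample's file encryption,
// used only to produce test input with the same layout (nonce || Seal output).
func sealSample(plain []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst, so passing nonce as dst yields the file layout.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// RoundTrip seals a constructed plaintext and recovers it, returning the
// recovered bytes so a caller can compare them with the input.
func RoundTrip(plain []byte) ([]byte, error) {
	blob, err := sealSample(plain)
	if err != nil {
		return nil, err
	}
	return RecoverVaggen(blob)
}

func main() {
	got, err := RoundTrip([]byte("constructed sample document content"))
	fmt.Printf("recovered=%q err=%v\n", got, err)
	name, ok := OriginalName("thesis.docx.VAGGEN")
	fmt.Println(name, ok)
}
```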
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1275 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1276 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1277 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1278 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1279 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1280 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1281 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1282 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1283 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1284 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1285 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1286 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1287 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1288 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1289 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1290 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1291 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1292 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1293 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1294 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1295 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1296 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1297 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1298 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1299 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero. In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1300 of 3467 However, this attack and motives are different than the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files. On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team. 
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

1. Gets the %APPDATA% directory.
2. Creates the Byxor directory in %APPDATA%.
3. Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
4. Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
5. Calls the Shell function to execute killar.exe.
6. Checks the return value of the Shell function to determine whether it was successful (on success, the return value is the task ID of the executed application).
7. If successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
8. If it isn’t successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
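The template injection described above can be checked for before a document is ever opened: a .docx is a zip package, and the template a document is attached to is declared as a relationship in word/_rels/settings.xml.rels, with TargetMode="External" when it lives outside the package. The following Go program is an added example (not code from the article or from the campaign) that extracts such external attached-template targets; it builds its own constructed sample document with a placeholder template URL, not the real phishing document.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
)

// Relationship type Word uses for the template a document is attached to. With
// TargetMode="External" and an http(s) Target, Word fetches the template (and any
// macros it carries) from that URL when the document is opened: remote template injection.
const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

type relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

// RemoteTemplates opens a .docx (an OOXML zip) and returns the Target of every
// attachedTemplate relationship that points outside the package. A benign document
// usually has no such relationship, or one that points at a local .dotm.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, err
	}
	var found []string
	for _, f := range zr.File {
		// The attached template is declared in the relationships of the settings part.
		if f.Name != "word/_rels/settings.xml.rels" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, err
		}
		for _, r := range rels.Rels {
			if r.Type == attachedTemplateType && r.TargetMode == "External" {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

// buildSampleDocx constructs a minimal in-memory .docx for the demonstration (constructed
// test input, not the real phishing document). With a non-empty templateURL it carries the
// same kind of external attachedTemplate relationship the article describes; with "" it is clean.
func buildSampleDocx(templateURL string) []byte {
	const wNS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
	const rNS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
	settings := `<?xml version="1.0"?><w:settings xmlns:w="` + wNS + `" xmlns:r="` + rNS + `"/>`
	files := map[string]string{
		"[Content_Types].xml": `<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`,
		"word/document.xml":   `<?xml version="1.0"?><w:document xmlns:w="` + wNS + `"><w:body/></w:document>`,
	}
	if templateURL != "" {
		settings = `<?xml version="1.0"?><w:settings xmlns:w="` + wNS + `" xmlns:r="` + rNS + `"><w:attachedTemplate r:id="rId1"/></w:settings>`
		files["word/_rels/settings.xml.rels"] = `<?xml version="1.0"?>` +
			`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` +
			`<Relationship Id="rId1" Type="` + attachedTemplateType + `" Target="` + templateURL + `" TargetMode="External"/>` +
			`</Relationships>`
	}
	files["word/settings.xml"] = settings
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range files {
		fw, _ := zw.Create(name)
		fw.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Placeholder host in the shape of the campaign's raw code-hosting URLs; not a real indicator.
	doc := buildSampleDocx("https://code-host.example/Word-Templates/raw/master/template.dotm")
	urls, err := RemoteTemplates(doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("external attached templates:", urls)
}
```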
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
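Because the key is hardcoded and the output layout is simply the 12-byte nonce followed by what gcm.Seal produces (ciphertext, then the 16-byte GCM tag), the encryption can be reversed in a few lines. The following Go program is an added example, not code from the article or from the malware: DecryptVaggen reverses that layout with the quoted key and relies on gcm.Open's tag check so that a truncated or tampered file is rejected rather than turned into garbage, and makeSample only constructs test input in the same layout to stand in for a file taken from an affected host.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// 32-byte key the article quotes from the binary; its length is what makes this AES-256.
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

// newGCM builds the AES-256-GCM instance (12-byte nonce, 16-byte tag) the file format relies on.
func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(vaggenKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptVaggen reverses the .VAGGEN layout: the first 12 bytes are the nonce, the
// remainder is what gcm.Seal produced (ciphertext followed by the 16-byte tag).
// gcm.Open verifies the tag, so a truncated, tampered or unrelated file is rejected
// instead of being "decrypted" into garbage.
func DecryptVaggen(blob []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("file too short to contain a nonce and a GCM tag")
	}
	nonce, sealed := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

// makeSample constructs a .VAGGEN-style blob for the demonstration (constructed test
// input) in the same nonce||Seal(plaintext) layout described in the article.
func makeSample(plaintext []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Passing nonce as dst makes Seal append the ciphertext and tag after it.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	sample, err := makeSample([]byte("constructed lecture notes"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob: %d bytes = 12 nonce + %d ciphertext + 16 tag\n", len(sample), len(sample)-28)
	plain, err := DecryptVaggen(sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\n", plain)
	// Flip one ciphertext byte: the tag no longer verifies and Open reports an error.
	sample[12] ^= 0x01
	_, err = DecryptVaggen(sample)
	fmt.Println("tampered copy rejected:", err != nil)
}
```

A recovery tool built on DecryptVaggen would walk the affected directories, decrypt each .VAGGEN file and write the result back under the original name with the extension stripped.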
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
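Because the nonce and the GCM tag are stored in the file and the AES-256 key is a fixed string, recovery is a matter of parsing the layout described above and calling gcm.Open. The Go program below is an added example and is not code from the post or from the malware; it takes the layout and key quoted above as given, builds its own sample .VAGGEN file with the standard library, and walks a directory with filepath.Walk the same way the malware did, only in the recovery direction. The function names (recoverVaggen, sealSample, restoreTree) and the sample file name are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

const (
	nonceSize = 12 // per the post: 12-byte nonce stored first
	tagSize   = 16 // per the post: 16-byte GCM tag stored last
	vaggenExt = ".VAGGEN"
)

// The 32-byte key quoted in the post; its length is what makes this AES-256.
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// recoverVaggen reverses the documented layout [nonce][ciphertext][tag]. gcm.Seal
// appends the tag to the ciphertext, so everything after the nonce goes to gcm.Open,
// which verifies the tag: a wrong key or a corrupted file is rejected, not decrypted to garbage.
func recoverVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, fmt.Errorf("blob too short (%d bytes) for nonce and tag", len(blob))
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// sealSample builds a constructed blob in the same layout so the recovery path can
// be exercised offline; it is a test fixture, not the malware's code.
func sealSample(plain, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil // nonce || ciphertext || tag
}

// restoreTree walks dir and writes each *.VAGGEN file's plaintext back under its
// original name. Encrypted copies stay in place; files that fail authentication are
// reported and skipped rather than overwritten. Returns the restored paths.
func restoreTree(dir string, key []byte) ([]string, error) {
	var restored []string
	walk := func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if info.IsDir() || !strings.HasSuffix(path, vaggenExt) {
			return nil
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		plain, err := recoverVaggen(blob, key)
		if err != nil {
			fmt.Fprintf(os.Stderr, "skipping %s: %v\n", path, err)
			return nil
		}
		orig := strings.TrimSuffix(path, vaggenExt)
		if err := os.WriteFile(orig, plain, 0o600); err != nil {
			return err
		}
		restored = append(restored, orig)
		return nil
	}
	err := filepath.Walk(dir, walk)
	return restored, err
}

func main() {
	dir, _ := os.MkdirTemp("", "vaggen-demo")
	blob, _ := sealSample([]byte("constructed sample document"), vaggenKey)
	_ = os.WriteFile(filepath.Join(dir, "notes.txt"+vaggenExt), blob, 0o600)
	restored, err := restoreTree(dir, vaggenKey)
	fmt.Println("restored:", restored, "err:", err)
}
```

Leaving the encrypted copy on disk until the plaintext is written, and skipping anything gcm.Open refuses, keeps the tool from destroying evidence if a file turns out to belong to a different variant or a different key.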
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
The lure message, as reproduced in the post:

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from those previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to determine whether it succeeded (on success, the return value is the task ID of the launched application)
- If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (such as the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go library function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The encryption algorithm is similar to the one demonstrated here.
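Because the analysis reports a hardcoded 32-byte key, a 12-byte nonce and an output laid out as nonce, ciphertext and 16-byte GCM tag, recovery reduces to splitting the file and calling AES-GCM open. The Go program below is an added example written for this post, not the authors' decryptor or code from the samples. The key string is the one reported in the analysis; the sample plaintext is constructed, crypto/rand stands in for CryptGenRandom, and the file layout follows the description in the text rather than a captured sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// VaggenKey is the 32-byte key reported in the analysis; 32 bytes selects AES-256.
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	nonceSize       = 12 // standard GCM nonce, as described for the .VAGGEN layout
	tagSize         = 16 // GCM authentication tag that Seal appends to the ciphertext
	VaggenExtension = ".VAGGEN"
)

// sealLikeVaggen reproduces the described output layout, nonce || ciphertext || tag, so
// that the recovery routine has a sample to work on. Go's gcm.Seal appends ciphertext and
// tag to the dst slice it is given; passing the nonce as dst yields exactly this layout.
func sealLikeVaggen(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil { // stands in for CryptGenRandom here
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RecoverVaggen splits a .VAGGEN blob into nonce and ciphertext||tag and decrypts it.
// gcm.Open verifies the tag, so a wrong key or a damaged file is rejected outright
// rather than producing garbage that looks like a recovered file.
func RecoverVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, ciphertextAndTag := blob[:nonceSize], blob[nonceSize:]
	return gcm.Open(nil, nonce, ciphertextAndTag, nil)
}

// OriginalName strips the appended extension so a recovered file can be written back
// under the name it had before encryption.
func OriginalName(encryptedName string) string {
	return strings.TrimSuffix(encryptedName, VaggenExtension)
}

func main() {
	// Constructed sample content; not data from the incident.
	plaintext := []byte("Quarterly budget - constructed sample for the recovery demo")
	blob, err := sealLikeVaggen(VaggenKey, plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob: %d bytes = %d nonce + %d ciphertext + %d tag\n",
		len(blob), nonceSize, len(plaintext), tagSize)

	recovered, err := RecoverVaggen(VaggenKey, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered matches original:", bytes.Equal(recovered, plaintext))
	fmt.Println("restore name:", OriginalName("budget.xlsx"+VaggenExtension))

	// A wrong key fails tag verification instead of yielding plausible-looking output.
	_, err = RecoverVaggen(make([]byte, 32), blob)
	fmt.Println("wrong key rejected:", err != nil)
}
```

Two points carry over to real recovery work: verify the layout on a file whose original is known before running a decryptor across a share, and keep the rejected-tag behaviour, since it tells you immediately when a file was encrypted by a different build or a different key rather than silently writing corrupt output.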
The file content is encrypted with the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1387 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. 
Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1388 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1389 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. 
Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1390 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1391 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1392 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1393 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1394 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1395 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1396 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1397 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1398 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1399 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1400 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1401 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1402 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1403 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1404 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1405 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1406 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1407 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1408 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

“Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!”

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to determine whether it was successful (the return value would be the task ID of the executed application)
- If successful, sends an HTTP GET request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, sends an HTTP GET request to canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
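Template injection of the kind described above leaves a footprint in the document package itself: Word records the attached template as a relationship in word/_rels/settings.xml.rels, and a remote template appears there as an External target with an http(s) URL. The Go scanner below is added here as an example and is not part of the original post; the package it assembles, the example.invalid URL and the local Normal.dotm path are constructed test inputs, not indicators from the campaign.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// Relationship type Word uses to record the template a document is attached to.
const attachedTemplateRel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// relationships mirrors a *.rels part inside the OOXML package.
type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// Finding is one attached-template relationship that points at a remote host.
type Finding struct {
	Part   string // the .rels entry that carried the relationship
	Target string // the URL Word would fetch when the document is opened
}

// ScanDocx reads every .rels part of a package and reports attachedTemplate
// relationships whose external target uses a network scheme. Locally attached
// templates appear as file:// targets and are deliberately not reported.
func ScanDocx(pkg []byte) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(pkg), int64(len(pkg)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML package: %w", err)
	}
	var out []Finding
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		body, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(body, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if r.Type != attachedTemplateRel || !strings.EqualFold(r.TargetMode, "External") {
				continue
			}
			u, err := url.Parse(r.Target)
			if err != nil {
				continue
			}
			if s := strings.ToLower(u.Scheme); s == "http" || s == "https" {
				out = append(out, Finding{Part: f.Name, Target: r.Target})
			}
		}
	}
	return out, nil
}

// BuildSampleDocx assembles a minimal constructed package (not a real sample)
// whose settings part is attached to the given template target.
func BuildSampleDocx(templateTarget string) []byte {
	const ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
	rels := `<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` +
		`<Relationship Id="rId1" Type="` + attachedTemplateRel + `" Target="` + templateTarget + `" TargetMode="External"/></Relationships>`
	parts := []struct{ name, body string }{
		{"[Content_Types].xml", `<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`},
		{"word/document.xml", `<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="` + ns + `"><w:body/></w:document>`},
		{"word/settings.xml", `<?xml version="1.0" encoding="UTF-8"?><w:settings xmlns:w="` + ns + `" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>`},
		{"word/_rels/settings.xml.rels", rels},
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, p := range parts {
		w, _ := zw.Create(p.name)
		w.Write([]byte(p.body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	// example.invalid is a placeholder host for the remote template; no real indicator is used here.
	findings, err := ScanDocx(BuildSampleDocx("https://example.invalid/templates/template.dotm"))
	fmt.Println(findings, err)
}
```

To scan a real document, pass the bytes of the .docx to ScanDocx; a non-empty result means the file will reach out for its template as soon as it is opened.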
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) is laid out as:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
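The recovery the Vaggen ransomware section describes, written out in Go (the malware’s own language) as an added example; it is neither Malwarebytes’ code nor the malware’s. It assumes the layout the post gives (12-byte nonce, then the gcm.Seal output, which carries the 16-byte tag at its end) and the hardcoded 32-byte key quoted above; SealLikeVaggen and the sample plaintext are constructed fixtures so the routine can be exercised offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Layout of a .VAGGEN file as described in the post: nonce || ciphertext || GCM tag.
const (
	nonceLen  = 12
	tagLen    = 16
	vaggenExt = ".VAGGEN"
)

// HardcodedKey is the 32-byte AES-256 key quoted in the post.
var HardcodedKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

// RecoverFile splits the nonce off the front of blob and decrypts the rest with
// AES-256-GCM; gcm.Open verifies the trailing tag, so damaged files fail closed.
func RecoverFile(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d bytes", len(key))
	}
	if len(blob) < nonceLen+tagLen {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceLen], blob[nonceLen:], nil)
}

// RecoverTree walks root with filepath.Walk (the same primitive the malware used),
// writes each *.VAGGEN file back under its original name and keeps the encrypted copy.
func RecoverTree(root string, key []byte) ([]string, error) {
	var restored []string
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !strings.HasSuffix(path, vaggenExt) {
			return err
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		plain, err := RecoverFile(key, blob)
		if err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		out := strings.TrimSuffix(path, vaggenExt)
		if err := os.WriteFile(out, plain, 0o600); err != nil {
			return err
		}
		restored = append(restored, out)
		return nil
	})
	return restored, err
}

// SealLikeVaggen builds a constructed test file in the same layout: a random
// 12-byte nonce followed by gcm.Seal's output (ciphertext with the tag appended).
// It exists only so the recovery path can be exercised offline.
func SealLikeVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Usage: with a directory argument, restore that tree; with none, run a constructed round trip.
	if len(os.Args) > 1 {
		restored, err := RecoverTree(os.Args[1], HardcodedKey)
		fmt.Println(len(restored), "file(s) restored; error:", err)
		return
	}
	blob, _ := SealLikeVaggen(HardcodedKey, []byte("constructed sample document"))
	plain, err := RecoverFile(HardcodedKey, blob)
	fmt.Printf("%q %v\n", plain, err)
}
```

Because GCM authenticates the whole message, a single flipped byte anywhere in a .VAGGEN file makes RecoverFile return an error rather than corrupted output, which is the behaviour a recovery tool should fail toward.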
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1419 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1420 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1421 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1422 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. 
However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1423 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1424 of 3467 
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1425 of 3467 We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. 
Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1426 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1427 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1428 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1429 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1430 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1431 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. 
This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1432 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1433 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe 
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1434 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1435 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return 
value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1436 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1437 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1438 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1439 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1440 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1441 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1442 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1443 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1444 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1445 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1446 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1447 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1448 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1449 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1450 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1451 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1452 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

"Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!"

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether it was successful (the return value is the task ID of the executed application)
- If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn't successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
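The remote template that template injection fetches is declared inside the document package itself: the word/_rels/settings.xml.rels part carries an attachedTemplate relationship with TargetMode="External", which is what Word follows when the file is opened. As an added defender-side example, not code from this write-up or from the malware, the Go program below opens a .docx/.dotm as the zip container it is and reports every external relationship, flagging that pattern. The sample package it builds in memory is constructed for the test and points at a placeholder URL (example.invalid); the scanner itself runs unchanged on a real document read from disk.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// relationship mirrors one <Relationship> element of an OOXML .rels part.
type relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

// Finding is one relationship whose target lives outside the package.
type Finding struct {
	Part     string // .rels part that declares it, e.g. word/_rels/settings.xml.rels
	Kind     string // last path segment of the relationship Type, e.g. attachedTemplate
	Target   string // the external URL
	Template bool   // true for the remote-template pattern: attachedTemplate in settings.xml.rels
}

// ExternalRelationships scans every .rels part of a .docx/.dotm (a zip
// container) and reports relationships declared with TargetMode="External".
func ExternalRelationships(doc []byte) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, fmt.Errorf("not a zip container: %w", err)
	}
	var out []Finding
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if !strings.EqualFold(r.TargetMode, "External") {
				continue
			}
			kind := r.Type[strings.LastIndex(r.Type, "/")+1:]
			out = append(out, Finding{
				Part:     f.Name,
				Kind:     kind,
				Target:   r.Target,
				Template: kind == "attachedTemplate" && strings.HasSuffix(f.Name, "word/_rels/settings.xml.rels"),
			})
		}
	}
	return out, nil
}

// BuildSample constructs a minimal package for exercising the scanner
// (constructed test input, not the campaign's document). With an empty
// templateURL the package has only an internal relationship.
func BuildSample(templateURL string) []byte {
	const ns = "http://schemas.openxmlformats.org/package/2006/relationships"
	const rel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	add := func(name, body string) {
		w, _ := zw.Create(name)
		io.WriteString(w, body)
	}
	add("[Content_Types].xml", `<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`)
	add("word/document.xml", `<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>`)
	add("word/_rels/document.xml.rels", `<?xml version="1.0"?><Relationships xmlns="`+ns+`"><Relationship Id="rId1" Type="`+rel+`settings" Target="settings.xml"/></Relationships>`)
	settings := `<?xml version="1.0"?><Relationships xmlns="` + ns + `">`
	if templateURL != "" {
		settings += `<Relationship Id="rId1" Type="` + rel + `attachedTemplate" Target="` + templateURL + `" TargetMode="External"/>`
	}
	settings += `</Relationships>`
	add("word/_rels/settings.xml.rels", settings)
	zw.Close()
	return buf.Bytes()
}

func main() {
	findings, err := ExternalRelationships(BuildSample("https://example.invalid/template.dotm"))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: %s -> %s (remote template: %v)\n", f.Part, f.Kind, f.Target, f.Template)
	}
}
```

A document with no external relationships yields an empty list; a finding with Template set is the point at which a mail gateway or sandbox can quarantine the file before Word ever requests the template, and the Target value is the network indicator to block and hunt for.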
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Golang function path.filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 byte long nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12 byte long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It's unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
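The string layer described in the Vaggen ransomware section above (Base64, then XXTEA under the hardcoded key "STALKER") is small enough to reimplement when pulling the ransom note text out of a sample. The Go code below is an added example, not the malware's code and not the xxtea-go library itself: it implements XXTEA with the byte-packing convention I understand that library to use (little-endian words, a trailing length word appended before encryption, key zero-padded to 16 bytes). That convention is an assumption to check against the library source before trusting output from a real sample; the ciphertext decoded in main is constructed in place with the same routine.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

const xxteaDelta uint32 = 0x9E3779B9

// mx is the mixing term from the Wheeler/Needham XXTEA reference code.
func mx(sum, y, z, p, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// bteaEncrypt and bteaDecrypt transform v (32-bit words) in place with a 4-word key.
func bteaEncrypt(v, k []uint32) {
	n := uint32(len(v))
	rounds := 6 + 52/n
	var sum, p uint32
	z := v[n-1]
	for ; rounds > 0; rounds-- {
		sum += xxteaDelta
		e := (sum >> 2) & 3
		for p = 0; p < n-1; p++ {
			v[p] += mx(sum, v[p+1], z, p, e, k)
			z = v[p]
		}
		v[n-1] += mx(sum, v[0], z, p, e, k)
		z = v[n-1]
	}
}

func bteaDecrypt(v, k []uint32) {
	n := uint32(len(v))
	rounds := 6 + 52/n
	sum := rounds * xxteaDelta
	y := v[0]
	for ; rounds > 0; rounds-- {
		e := (sum >> 2) & 3
		for p := n - 1; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n-1], 0, e, k)
		y = v[0]
		sum -= xxteaDelta
	}
}

// toWords packs bytes into little-endian words; when includeLength is set the
// byte length is appended as a trailing word (assumed xxtea-go convention).
func toWords(b []byte, includeLength bool) []uint32 {
	n := (len(b) + 3) / 4
	if includeLength {
		n++
	}
	v := make([]uint32, n)
	for i, c := range b {
		v[i/4] |= uint32(c) << (uint(i%4) * 8)
	}
	if includeLength {
		v[n-1] = uint32(len(b))
	}
	return v
}

// toBytes unpacks words; with includeLength it validates the trailing length
// word, which is what makes a wrong key or corrupt blob fail instead of
// producing garbage.
func toBytes(v []uint32, includeLength bool) ([]byte, error) {
	n := uint32(len(v)) * 4
	if includeLength {
		if len(v) < 2 {
			return nil, errors.New("xxtea: input too short")
		}
		m := v[len(v)-1]
		n -= 4
		if m < n-3 || m > n {
			return nil, errors.New("xxtea: length word out of range (wrong key or corrupt data)")
		}
		n = m
	}
	out := make([]byte, n)
	for i := uint32(0); i < n; i++ {
		out[i] = byte(v[i/4] >> ((i % 4) * 8))
	}
	return out, nil
}

// fixKey zero-pads (or truncates) the key to the 16 bytes XXTEA needs, which is
// how a 7-byte key such as "STALKER" becomes usable.
func fixKey(key []byte) []uint32 {
	k := make([]byte, 16)
	copy(k, key)
	return toWords(k, false)
}

func Encrypt(data, key []byte) []byte {
	if len(data) == 0 {
		return nil
	}
	v := toWords(data, true)
	bteaEncrypt(v, fixKey(key))
	out, _ := toBytes(v, false)
	return out
}

func Decrypt(data, key []byte) ([]byte, error) {
	if len(data) < 8 || len(data)%4 != 0 {
		return nil, errors.New("xxtea: ciphertext length must be a multiple of 4 and at least 8")
	}
	v := toWords(data, false)
	bteaDecrypt(v, fixKey(key))
	return toBytes(v, true)
}

// DecodeString applies the two-step string recovery the write-up describes:
// Base64 decode, then XXTEA decrypt under the hardcoded key.
func DecodeString(b64, key string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	pt, err := Decrypt(raw, []byte(key))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed sample: a stand-in note encrypted with the same routine, then
	// recovered the way an analyst would from a Base64 blob pulled out of the binary.
	blob := base64.StdEncoding.EncodeToString(Encrypt([]byte("constructed ransom note text"), []byte("STALKER")))
	note, err := DecodeString(blob, "STALKER")
	fmt.Println(blob)
	fmt.Println(note, err)
}
```

Decrypting every Base64-looking string in the binary with DecodeString and keeping the ones that return without a length error is a quick way to recover the ransom note and any other protected strings without executing the sample.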
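Because the key is hardcoded and the .VAGGEN layout is nonce || ciphertext || tag, recovery amounts to splitting off the 12-byte nonce and calling gcm.Open with the 32-byte key, which is the point the section above makes. The Go program below is an added example and not the malware's or Malwarebytes' code: SealLikeVaggen exists only to manufacture a constructed test file in that layout (it uses gcm.Seal with the nonce as destination slice, the idiom that prepends the nonce), and RecoverTree mirrors the filepath.Walk callback pattern described above from the recovery side. The file name and contents in main are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// VaggenKey is the 32-byte hardcoded AES-256 key reported in the write-up.
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const VaggenExt = ".VAGGEN"

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealLikeVaggen produces the layout nonce || ciphertext || tag by passing the
// random 12-byte nonce as gcm.Seal's destination so it is prepended to the output.
// Constructed here only to generate test input; it is not the malware's code.
func SealLikeVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RecoverVaggen splits the 12-byte nonce from the rest and runs gcm.Open. The
// 16-byte GCM tag is verified, so a wrong key, truncation, or tampering yields
// an error rather than garbage output.
func RecoverVaggen(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("file too short to hold nonce and GCM tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// RecoverTree walks root with filepath.Walk, decrypts every *.VAGGEN file and
// writes it back under its original name. Files that fail authentication are
// reported and left untouched. Returns the number of files recovered.
func RecoverTree(root string, key []byte) (int, error) {
	recovered := 0
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if info.IsDir() || !strings.HasSuffix(path, VaggenExt) {
			return nil
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		pt, err := RecoverVaggen(key, blob)
		if err != nil {
			fmt.Printf("skipping %s: %v\n", path, err)
			return nil
		}
		if err := os.WriteFile(strings.TrimSuffix(path, VaggenExt), pt, 0o600); err != nil {
			return err
		}
		recovered++
		return nil
	})
	return recovered, err
}

func main() {
	blob, err := SealLikeVaggen(VaggenKey, []byte("constructed document contents"))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	pt, err := RecoverVaggen(VaggenKey, blob)
	fmt.Printf("%d bytes on disk, recovered %q (err=%v)\n", len(blob), pt, err)
}
```

The authentication tag is what makes this safe to run over a whole directory: a file encrypted by a different build with another key, or one that was truncated mid-write, fails gcm.Open and is skipped instead of being overwritten with garbage, and the encrypted original is never deleted by the tool.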
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1500 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1501 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1502 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. 
Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1503 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1504 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. 
Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1505 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1506 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1507 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1508 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1509 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1510 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1511 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1512 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1513 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1514 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1515 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1516 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1517 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1518 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1519 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1520 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1521 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1522 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1523 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/

This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
- If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Some of them can be renamed according to their function:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the library xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Go function filepath.Walk (from the path/filepath package).

Files are encrypted with AES-256 (32 byte long key) in GCM mode, using a hardcoded key and a 12 bytes long nonce generated by CryptGenRandom. The encryption algorithm is similar to the one demonstrated here.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
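The recovery described above, as an added Go example that is not part of the original write-up and is not the malware's code: it reproduces the .VAGGEN layout (12-byte nonce, ciphertext, 16-byte tag) on a constructed sample with gcm.Seal and the quoted hardcoded key, then recovers it with gcm.Open, whose tag check also rejects a wrong key or a damaged file. It assumes crypto/rand in place of CryptGenRandom and that the extension is simply appended to the original file name.

```go
// Added example (not the malware's code): the .VAGGEN layout
// nonce || ciphertext || tag, sealed and then recovered with the hardcoded key.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

const (
	nonceSize = 12 // nonce stored at the start of the file
	tagSize   = 16 // GCM tag that gcm.Seal appends after the ciphertext
	vaggenExt = ".VAGGEN"
	// Key quoted in the write-up; its 32 bytes select AES-256.
	vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"
)

func newGCM(key string) (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVaggen produces a file body in the described layout. Passing the nonce
// as gcm.Seal's dst makes the output nonce || ciphertext || tag.
func SealVaggen(plain []byte, key string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	// crypto/rand stands in for the CryptGenRandom call the write-up mentions.
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// OpenVaggen recovers a file: split off the leading nonce and hand the rest
// (ciphertext || tag) to gcm.Open, which verifies the tag before returning.
// A wrong key or a corrupted byte fails authentication instead of yielding garbage.
func OpenVaggen(body []byte, key string) ([]byte, error) {
	if len(body) < nonceSize+tagSize {
		return nil, errors.New("body too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, body[:nonceSize], body[nonceSize:], nil)
}

// OriginalName undoes the rename step: "report.docx.VAGGEN" -> "report.docx".
func OriginalName(name string) (string, bool) {
	if !strings.HasSuffix(name, vaggenExt) {
		return name, false
	}
	return strings.TrimSuffix(name, vaggenExt), true
}

func main() {
	sample := []byte("constructed sample document, not a victim file")
	body, err := SealVaggen(sample, vaggenKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed: %d bytes = %d nonce + %d ciphertext + %d tag\n",
		len(body), nonceSize, len(sample), tagSize)
	plain, err := OpenVaggen(body, vaggenKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\n", plain)
	body[len(body)-1] ^= 0x01 // damage the tag
	if _, err := OpenVaggen(body, vaggenKey); err != nil {
		fmt.Println("tampered body rejected:", err)
	}
}
```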
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1572 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1573 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1574 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1575 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1576 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1577 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1578 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1579 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1580 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1581 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1582 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we have observed a number of phishing attacks against universities worldwide, which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims into paying to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful, thanks to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly by email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters, which would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much harder to detect spam sent through file-sharing services without generating a large number of false positives.

The attacker claimed to be a manager and added the following comment to the file-sharing invitation (shared with us by UBC):

"Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!"

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

1. Gets the %APPDATA% directory.
2. Creates the Byxor directory in %APPDATA%.
3. Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe and writes it as Polisen.exe.
4. Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe and writes it as Killar.exe.
5. Calls the Shell function to execute Killar.exe.
6. Checks the return value of Shell to determine whether the launch succeeded (on success, the return value is the task ID of the executed application).
7. If successful, sends an HTTP GET request to canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp; if not, sends an HTTP GET request to canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html.

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document triggers a notification via the canarytokens.com website. Typically, this type of service is used to get alerted on a particular event; it can be very useful as an early-warning system that an intruder has gained access to a network.
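The template-injection technique described above leaves a fixed trace in the document itself, so it can be checked without opening the file in Word. The following Go program is an added example written for this page, not code from Malwarebytes or from the samples: it reads a .docx as the OOXML zip it is, parses word/_rels/settings.xml.rels, and reports every attachedTemplate relationship whose TargetMode is External, which is how Word records a remote template. The sample document and the template URL it points at are constructed inline for the demo and are not indicators from this campaign; the function names are this example's own.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
)

// OPC relationship type Word uses to record a document's attached template.
const attachedTemplateRel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// relationshipsPart mirrors word/_rels/settings.xml.rels inside a .docx.
type relationshipsPart struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// RemoteTemplateTargets returns every attachedTemplate relationship with
// TargetMode="External" found in a .docx/.dotm. A benign document has no
// attached template or an internal one; an external target (http, https,
// file or UNC) is the template-injection indicator and is reported as-is.
func RemoteTemplateTargets(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML zip: %w", err)
	}
	var targets []string
	for _, f := range zr.File {
		if f.Name != "word/_rels/settings.xml.rels" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var part relationshipsPart
		if err := xml.Unmarshal(data, &part); err != nil {
			return nil, fmt.Errorf("malformed rels part: %w", err)
		}
		for _, r := range part.Rels {
			if r.Type == attachedTemplateRel && r.TargetMode == "External" {
				targets = append(targets, r.Target)
			}
		}
	}
	return targets, nil
}

// buildSampleDocx constructs a minimal in-memory document containing only
// the settings relationship part. It is test data for this example, not a
// real phishing document; internal relationships carry no TargetMode.
func buildSampleDocx(templateTarget string, external bool) []byte {
	mode := ""
	if external {
		mode = ` TargetMode="External"`
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("word/_rels/settings.xml.rels")
	fmt.Fprintf(w, `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="%s" Target="%s"%s/>
</Relationships>`, attachedTemplateRel, templateTarget, mode)
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Hypothetical URL with the shape of the ones in the IOC list; not a live indicator.
	samples := map[string][]byte{
		"survey.docx": buildSampleDocx("https://notabug.example/Word-Templates/raw/master/template.dotm", true),
		"memo.docx":   buildSampleDocx("Normal.dotm", false),
	}
	for name, doc := range samples {
		targets, err := RemoteTemplateTargets(doc)
		switch {
		case err != nil:
			fmt.Printf("%s: %v\n", name, err)
		case len(targets) == 0:
			fmt.Printf("%s: no remote template\n", name)
		default:
			fmt.Printf("%s: REMOTE TEMPLATE %v\n", name, targets)
		}
	}
}
```

Run it against a quarantined attachment with `go run check.go` after swapping the constructed samples for `os.ReadFile`. The same relationship part exists in .dotm and .docm files, so the check applies to the downloaded template as well as to the lure document.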
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and appends the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, starting with the function denoted main_main. Other functions belonging to the main package have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. Three of them can be renamed according to their role:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (e.g. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64; the XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The encryption algorithm is similar to the one demonstrated here.
The file content is encrypted with the gcm.Seal function. The output file (with the .VAGGEN extension) contains, in order:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money" (the string is exactly 32 bytes long, matching the AES-256 key size). Using this key, we can easily decrypt the content. With all these elements, we can recover encrypted files without paying the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with the nice touch of adding canary tokens.

It is unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
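Recovering .VAGGEN files from the layout described in the Vaggen section (nonce, ciphertext, GCM tag, one static key) needs nothing beyond Go's standard library. The following program is an added example written for this page, not the authors' decryptor and not the malware's code: it reconstructs the described encryption only to build a test fixture, decrypts it, and walks a directory with filepath.Walk to restore every .VAGGEN file next to its encrypted copy. The sample plaintext, file names and helper names are this example's own. Because GCM is authenticated, gcm.Open rejects a wrong key or a damaged file with an error instead of emitting garbage, which is the check you want before writing anything back to disk.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Key string recovered from the binary, as reported above. It is exactly
// 32 bytes, the size that makes crypto/aes select AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	vaggenExt = ".VAGGEN"
	nonceLen  = 12 // GCM nonce; CryptGenRandom output in the sample
	tagLen    = 16 // GCM tag appended by gcm.Seal
)

func vaggenGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key is %d bytes, need 32 for AES-256", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// VaggenDecrypt reverses the file layout nonce(12) || ciphertext || tag(16).
// gcm.Open verifies the tag, so a wrong key or a truncated/corrupted file
// returns an error instead of silently producing garbage.
func VaggenDecrypt(key, blob []byte) ([]byte, error) {
	gcm, err := vaggenGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceLen+tagLen {
		return nil, errors.New("input too short to hold a nonce and a GCM tag")
	}
	return gcm.Open(nil, blob[:nonceLen], blob[nonceLen:], nil)
}

// vaggenEncrypt is this example's reconstruction of the described scheme,
// used only to build fixtures: fresh random nonce, then gcm.Seal appending
// ciphertext and tag after the nonce. It is not the malware's code.
func vaggenEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := vaggenGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RecoverDir walks dir (filepath.Walk, the same API the ransomware uses to
// find files), decrypts every *.VAGGEN file and writes the plaintext back
// under the original name. The encrypted copy is left in place so a failed
// run loses nothing. Returns the number of files restored.
func RecoverDir(dir string, key []byte) (int, error) {
	restored := 0
	walk := func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if info.IsDir() || !strings.HasSuffix(path, vaggenExt) {
			return nil
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		plain, err := VaggenDecrypt(key, blob)
		if err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		if err := os.WriteFile(strings.TrimSuffix(path, vaggenExt), plain, 0o600); err != nil {
			return err
		}
		restored++
		return nil
	}
	err := filepath.Walk(dir, walk)
	return restored, err
}

func main() {
	// Constructed fixture: a fake document encrypted with the recovered key.
	dir, err := os.MkdirTemp("", "vaggen-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	blob, _ := vaggenEncrypt([]byte(vaggenKey), []byte("Q3 budget draft (constructed sample)"))
	_ = os.WriteFile(filepath.Join(dir, "budget.docx"+vaggenExt), blob, 0o600)
	n, err := RecoverDir(dir, []byte(vaggenKey))
	fmt.Printf("restored %d file(s), err=%v\n", n, err)
}
```

On a real victim machine, point RecoverDir at the user profile and work from a forensic copy: the walk stops at the first file that fails authentication, which is the behaviour you want if a different variant with another key is mixed in.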
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1610 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1611 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and 
payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1612 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1613 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. 
Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1614 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1615 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1616 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1617 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. 
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1618 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1619 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1620 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. 
Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1621 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1622 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. 
Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1623 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1624 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1625 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1626 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1627 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1628 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1629 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1630 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1631 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1632 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1633 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1634 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1635 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1636 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1637 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1638 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1639 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1640 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1641 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero. In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1642 of 3467 However, this attack and motives are different than the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files. On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team. 
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam sent through file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of Shell to determine whether the launch succeeded (on success, Shell returns the task ID of the started application)
If successful, sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If not successful, sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning system that an intruder has gained access to a network.
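The download-and-beacon chain described in the macro steps above leaves a recognisable footprint in web proxy logs: an Office process fetching a template from a code-hosting "raw" URL, then fetching executables, then calling out to canarytokens.com. The Go program below is an added example, not code from this post or from Malwarebytes: it correlates those stages per workstation over a constructed sample log. The log format, workstation names, the template's URL path and the severity scale are assumptions; the payload and canary paths are the ones listed for Variant2.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"sort"
	"strings"
)

// Constructed sample proxy log (not taken from the post); one request per line:
// "<timestamp> <workstation> <process> <method> <host/path>".
// The template.dotm path is assumed; the .exe and canarytokens paths are the
// Variant2 indicators from the write-up. The last two lines are benign noise.
const sampleLog = `2020-10-19T14:02:11Z WS-042 WINWORD.EXE GET notabug.org/Microsoft-Office/Word-Templates/raw/master/template.dotm
2020-10-19T14:02:15Z WS-042 WINWORD.EXE GET notabug.org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
2020-10-19T14:02:16Z WS-042 WINWORD.EXE GET notabug.org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
2020-10-19T14:02:18Z WS-042 WINWORD.EXE GET canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
2020-10-19T14:03:40Z WS-017 chrome.exe GET notabug.org/someuser/project/raw/master/README.md
2020-10-19T14:04:02Z WS-101 WINWORD.EXE GET templates.office.com/en-us/tm00000000.dotx`

// Office hosts that should not normally pull templates or executables from
// code-hosting raw URLs.
var officeProcs = map[string]bool{"WINWORD.EXE": true, "EXCEL.EXE": true, "POWERPNT.EXE": true}

// Finding collects the stages observed for one workstation.
type Finding struct {
	Host     string
	Template string   // remote template fetched from a code-hosting raw URL
	Payloads []string // executables fetched by the Office process
	Beacon   string   // canarytokens.com callback, if seen
}

// Severity ranks how far the chain progressed (assumed scale).
func (f Finding) Severity() string {
	switch {
	case f.Template != "" && len(f.Payloads) > 0:
		return "high" // template injection that went on to drop executables
	case f.Template != "" || len(f.Payloads) > 0:
		return "medium"
	case f.Beacon != "":
		return "low" // Office process talking to a canary service on its own
	default:
		return "none"
	}
}

// Analyze parses the log and returns one Finding per workstation whose Office
// process matched at least one stage, sorted by host name.
func Analyze(log string) []Finding {
	byHost := map[string]*Finding{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 5 {
			continue // malformed line; a production tool would count these
		}
		host, proc, url := fields[1], strings.ToUpper(fields[2]), fields[4]
		if !officeProcs[proc] {
			continue
		}
		domain := strings.SplitN(url, "/", 2)[0]
		ext := strings.ToLower(path.Ext(url))
		f := byHost[host]
		if f == nil {
			f = &Finding{Host: host}
			byHost[host] = f
		}
		switch {
		case strings.Contains(url, "/raw/") && (ext == ".dotm" || ext == ".dotx" || ext == ".dot"):
			f.Template = url
		case ext == ".exe":
			f.Payloads = append(f.Payloads, url)
		case domain == "canarytokens.com":
			f.Beacon = url
		}
	}
	var out []Finding
	for _, f := range byHost {
		if f.Severity() != "none" {
			out = append(out, *f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Host < out[j].Host })
	return out
}

func main() {
	for _, f := range Analyze(sampleLog) {
		fmt.Printf("%s [%s] template=%s payloads=%d beacon=%q\n",
			f.Host, f.Severity(), f.Template, len(f.Payloads), f.Beacon)
	}
}
```

Only WS-042 is reported: the browser fetch from notabug.org on WS-017 is ignored because it is not an Office process, and the Word template fetched from an official Office template host on WS-101 does not match the raw-URL heuristic. The "/raw/" check is deliberately narrow; a real deployment would keep a list of code-hosting domains rather than rely on the path alone.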
Here, however, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
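Because the key, the nonce length and the file layout (nonce, ciphertext, GCM tag) are all known, a recovery tool is short. The Go program below is an added example, not code from this post or from Malwarebytes: it decrypts one .VAGGEN blob with the hardcoded key, walks a directory to restore every encrypted file, and includes a fixture builder that writes the same layout so the recovery path can be exercised offline on a constructed sample. Two assumptions are made: the 32 ASCII bytes of the key are used directly as the AES-256 key (the post mentions no derivation step), and the extension is appended to the original file name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Hardcoded key reported in the write-up. Assumption: its 32 ASCII bytes are
// used directly as the AES-256 key.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	vaggenExt = ".VAGGEN" // appended to each encrypted file's name (assumed)
	nonceSize = 12        // GCM nonce stored at the start of the file
	tagSize   = 16        // GCM tag stored at the end of the file
)

func newVaggenGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(vaggenKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
}

// RecoverVaggen decrypts the raw content of one .VAGGEN file laid out as
// nonce(12) || ciphertext || tag(16). gcm.Open verifies the tag, so a
// truncated, tampered or unrelated file fails instead of yielding garbage.
func RecoverVaggen(blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newVaggenGCM()
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// BuildSampleVaggen is a constructed test-fixture builder (not the malware's
// code) emitting the same on-disk layout so recovery can be tested offline:
// a random nonce followed by gcm.Seal's ciphertext||tag output.
func BuildSampleVaggen(plaintext []byte) ([]byte, error) {
	gcm, err := newVaggenGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // dst=nonce -> nonce||ct||tag
}

// RestoreTree walks root (the malware itself used filepath.Walk) and writes a
// decrypted copy beside every *.VAGGEN file with the extension stripped.
// Encrypted originals are left in place so results can be verified first;
// files that fail authentication are reported and skipped.
func RestoreTree(root string) (restored int, err error) {
	err = filepath.Walk(root, func(p string, info os.FileInfo, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if info.IsDir() || !strings.HasSuffix(p, vaggenExt) {
			return nil
		}
		blob, readErr := os.ReadFile(p)
		if readErr != nil {
			return readErr
		}
		plain, decErr := RecoverVaggen(blob)
		if decErr != nil {
			fmt.Fprintf(os.Stderr, "skipping %s: %v\n", p, decErr)
			return nil
		}
		if writeErr := os.WriteFile(strings.TrimSuffix(p, vaggenExt), plain, 0o600); writeErr != nil {
			return writeErr
		}
		restored++
		return nil
	})
	return restored, err
}

func main() {
	dir, _ := os.MkdirTemp("", "vaggen-demo")
	defer os.RemoveAll(dir)
	sample, _ := BuildSampleVaggen([]byte("constructed sample document\n"))
	_ = os.WriteFile(filepath.Join(dir, "report.docx"+vaggenExt), sample, 0o600)
	n, err := RestoreTree(dir)
	out, _ := os.ReadFile(filepath.Join(dir, "report.docx"))
	fmt.Printf("restored=%d err=%v content=%q\n", n, err, out)
}
```

The authenticated decryption is the important safety property for a recovery tool: because GCM checks the tag before releasing plaintext, a file encrypted by some other strain, or damaged on disk, is reported rather than silently overwritten with garbage. Run it against a copy of the affected tree first and compare a handful of restored files before touching the originals.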
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1686 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1687 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1688 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1689 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1690 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1691 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1692 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1693 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1694 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1695 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1696 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1697 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1698 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1699 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1700 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1701 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we have observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful thanks to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much harder to detect spam sent through file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe and writes it as Polisen.exe
- Downloads notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe and writes it as Killar.exe
- Calls the VBA Shell function to execute killar.exe
- Checks the return value of Shell to determine whether the launch succeeded (on success, Shell returns the task ID of the started process)
- If successful, sends an HTTP GET request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not, sends an HTTP GET request to canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document triggers a notification via the canarytokens.com website. Typically, people use this type of service to be alerted when a particular event occurs; it can be very useful as an early warning system that an intruder has had access to a network.
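Template injection leaves a recognisable trace inside the document package itself: word/settings.xml carries a w:attachedTemplate element, and the relationship it points to, in word/_rels/settings.xml.rels, has TargetMode="External" with an http(s) Target. The Go program below is an added example, not code from the original post or from the campaign: it opens a .docx, parses that relationship part and reports any remote template target. It builds its own minimal sample documents in memory so that it runs offline; the example.com URL is a constructed placeholder, not a URL seen in this attack.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// relationships maps the subset of an OPC .rels part this check needs.
type relationships struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// FindRemoteTemplates reads a .docx (a zip container) and returns the Target of
// every attachedTemplate relationship that points outside the package. Word
// fetches such a template when the document is opened, which is the template
// injection step described above. A document based on a local template has a
// relative Target and no TargetMode attribute, so it produces no hit.
func FindRemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, f := range zr.File {
		// The attached-template relationship lives in the settings part's .rels file.
		if f.Name != "word/_rels/settings.xml.rels" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, err
		}
		for _, r := range rels.Rels {
			if !strings.HasSuffix(r.Type, "/attachedTemplate") {
				continue
			}
			t := strings.ToLower(r.Target)
			if r.TargetMode == "External" || strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") {
				hits = append(hits, r.Target)
			}
		}
	}
	return hits, nil
}

// BuildSampleDocx assembles a minimal, constructed .docx in memory for testing;
// it is not the real phishing document. mode is "External" for a remote
// template or "" for an ordinary local one.
func BuildSampleDocx(target, mode string) ([]byte, error) {
	modeAttr := ""
	if mode != "" {
		modeAttr = fmt.Sprintf(` TargetMode="%s"`, mode)
	}
	parts := map[string]string{
		"word/settings.xml": `<?xml version="1.0" encoding="UTF-8"?>` +
			`<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"` +
			` xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">` +
			`<w:attachedTemplate r:id="rId1"/></w:settings>`,
		"word/_rels/settings.xml.rels": `<?xml version="1.0" encoding="UTF-8"?>` +
			`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` +
			`<Relationship Id="rId1" Target="` + target + `"` + modeAttr +
			` Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"/>` +
			`</Relationships>`,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, err := zw.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err := w.Write([]byte(body)); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	// example.com is a constructed placeholder, not a URL from the campaign.
	remote, _ := BuildSampleDocx("https://example.com/template.dotm", "External")
	hits, err := FindRemoteTemplates(remote)
	fmt.Println("remote templates:", hits, err)
}
```

To triage a real sample, pass the bytes from os.ReadFile to FindRemoteTemplates instead of a built document. A hit means Word will reach out to that URL as soon as the document is opened; the macro inside the fetched template still needs the user to enable content, but the fetch itself is a useful network indicator and happens before any macro prompt.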
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and appends the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, starting with the function denoted as 'main_main'. Other functions belonging to the main package have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. The key ones map to the following functionality:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64, then decrypted with the hardcoded XXTEA key "STALKER". At the end of execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback passed to the standard Go function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here: it uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the gcm.Seal function. The output file (with the .VAGGEN extension) contains, in order:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart, my money" (the string is exactly 32 bytes, the AES-256 key size). Because the same key is embedded in every sample and each file stores its nonce in clear at the start, the content can be decrypted easily; the GCM tag even lets a decryptor verify the key against each file before writing anything. With all these elements, encrypted files can be recovered without paying the ransom. It appears that the malware author has not received any payment so far at the Bitcoin address given in the ransom note.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It is unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that use a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
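Because the AES-256 key is the same in every sample and each file carries its nonce in clear, recovering .VAGGEN files needs nothing from the attacker. The Go program below is an added example, not the post's or the malware's code: it reproduces the nonce || ciphertext || tag layout described above with gcm.Seal in order to build a constructed test file, then walks a directory the way the ransomware's filepath.Walk callback does, in reverse, and restores each file with gcm.Open. It assumes the original filename is simply the encrypted name with .VAGGEN removed, which follows from the post's description of the extension being appended but is not stated outright.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// VaggenKey is the 32-byte AES-256 key the post recovered from the binary.
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	nonceSize = 12        // standard GCM nonce, as described in the post
	extension = ".VAGGEN" // appended to every encrypted file
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptLikeVaggen reproduces the file layout the post describes so that test
// files can be built: passing the nonce as dst makes gcm.Seal prepend it, and GCM
// appends the 16-byte tag, giving nonce || ciphertext || tag.
func EncryptLikeVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptVaggen splits off the nonce and lets gcm.Open verify the tag, so a wrong
// key or a damaged file yields an error instead of garbage plaintext.
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceSize+gcm.Overhead() {
		return nil, errors.New("vaggen: file too short to hold nonce and GCM tag")
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// RecoverTree mirrors the ransomware's own directory walk in reverse: every
// *.VAGGEN file under root is decrypted and written back under its original name
// (assumed to be the name with the extension stripped). The encrypted copy is only
// removed once the plaintext is on disk, and a file that fails authentication is
// left untouched and reported rather than overwritten.
func RecoverTree(root string, key []byte) (recovered int, failed []string, err error) {
	err = filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.IsDir() || !strings.HasSuffix(path, extension) {
			return walkErr
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		plain, err := DecryptVaggen(key, blob)
		if err != nil {
			failed = append(failed, path)
			return nil
		}
		if err := os.WriteFile(strings.TrimSuffix(path, extension), plain, 0o600); err != nil {
			return err
		}
		recovered++
		return os.Remove(path)
	})
	return recovered, failed, err
}

func main() {
	// Constructed sample: encrypt a document the way the malware does, then recover it.
	dir, _ := os.MkdirTemp("", "vaggen")
	defer os.RemoveAll(dir)
	sample := []byte("quarterly budget - constructed test content")
	blob, _ := EncryptLikeVaggen(VaggenKey, sample)
	_ = os.WriteFile(filepath.Join(dir, "budget.xlsx"+extension), blob, 0o600)
	n, failed, err := RecoverTree(dir, VaggenKey)
	got, _ := os.ReadFile(filepath.Join(dir, "budget.xlsx"))
	fmt.Printf("recovered=%d failed=%v err=%v match=%v\n", n, failed, err, bytes.Equal(got, sample))
}
```

The authentication tag is the safety net here: gcm.Open rejects a wrong key, a truncated file or a flipped byte, so nothing is written unless the plaintext verified. Run it against a copy of the affected data all the same, since a decryptor that deletes its input is only as safe as the assumption about the original filename.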
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs (file name followed by SHA256)

Variant 1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1723 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1724 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1725 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. 
The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1726 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1727 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1728 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1729 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1730 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm 
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1731 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1732 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t 
successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1733 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1734 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. 
The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1735 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1736 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1737 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1738 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1739 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1740 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1741 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1742 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1743 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1744 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1745 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1746 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1747 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1748 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1749 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1750 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1751 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services.
Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

1. Gets the %APPDATA% directory
2. Creates the Byxor directory in %APPDATA%
3. Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
4. Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
5. Calls the Shell function to execute killar.exe
6. Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
7. If successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
8. If it isn’t successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.
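The remote template the macro rides in on is declared inside the .docx package itself, so a defender can spot it without ever opening the file in Word: the relationship part word/_rels/settings.xml.rels carries an attachedTemplate relationship, and in an injected document its Target is an http(s) URL rather than a file: path to a local .dotm. The Go program below is an added example, not code from the post or from Malwarebytes; it builds a minimal .docx in memory (constructed for the example, with a placeholder template URL rather than the actor's notabug.org path) and reports any attached template that would be fetched over the network.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
	"os"
	"strings"
)

// Relationship mirrors one <Relationship> element of an OOXML .rels part.
type Relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

// Relationships is the root element of word/_rels/settings.xml.rels.
type Relationships struct {
	XMLName xml.Name       `xml:"Relationships"`
	Rels    []Relationship `xml:"Relationship"`
}

// RemoteTemplates returns the Target of every attachedTemplate relationship
// that Word would fetch over the network when the document opens: external
// mode plus a scheme other than file:, which is the template-injection pattern.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, f := range zr.File {
		if f.Name != "word/_rels/settings.xml.rels" { // only part that can carry it
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels Relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, err
		}
		for _, r := range rels.Rels {
			if !strings.HasSuffix(r.Type, "/attachedTemplate") || !strings.EqualFold(r.TargetMode, "External") {
				continue
			}
			// Unparseable targets are reported too: better a false positive here.
			if u, err := url.Parse(r.Target); err != nil || (u.Scheme != "" && u.Scheme != "file") {
				hits = append(hits, r.Target)
			}
		}
	}
	return hits, nil
}

// buildDocx writes a minimal in-memory .docx holding only the parts the
// scanner needs. Everything in it is constructed for this example.
func buildDocx(settingsRels string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	parts := map[string]string{
		"[Content_Types].xml":          `<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`,
		"word/document.xml":            `<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>`,
		"word/_rels/settings.xml.rels": settingsRels,
	}
	for name, body := range parts {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

// injectedRels points Word at a remote template (placeholder host, not the
// actor's); localRels is what a benign document attached to Normal.dotm looks like.
const injectedRels = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="https://remote-template.example/template.dotm" TargetMode="External"/>
</Relationships>`

const localRels = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm" TargetMode="External"/>
</Relationships>`

func main() {
	doc := buildDocx(injectedRels) // constructed sample when no path is given
	if len(os.Args) > 1 {
		var err error
		if doc, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Println(err)
			os.Exit(1)
		}
	}
	hits, err := RemoteTemplates(doc)
	if err != nil {
		fmt.Println("not a readable .docx:", err)
		os.Exit(1)
	}
	for _, h := range hits {
		fmt.Println("remote attached template:", h)
	}
}
```

Pass a real document as the first argument to scan it; any hit is worth pulling from the mailbox or share before users open it, since the download happens as soon as Word renders the file, before any macro prompt for the template itself appears.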
Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Three of them could be mapped to their purpose:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA, using the xxtea-go library. Encrypted chunks are first decoded from Base64; the XXTEA key is hardcoded (“STALKER”).
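Recovering the ransom note text from the binary means reversing those two layers in order: Base64 decode each chunk, then XXTEA decrypt it under the key STALKER. The Go program below is an added example written for this page, not code from the post or from the xxtea-go library. It reimplements XXTEA with the framing I believe xxtea-go shares with the other reference implementations (plaintext length stored in a trailing 32-bit word, key zero-padded to 16 bytes); that framing is an assumption to confirm against one real decrypted string. The encrypt side exists only to build a constructed test vector, and the sample note text is made up.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

const delta = 0x9E3779B9

// bytesToWords packs bytes into little-endian 32-bit words. With includeLength
// the byte length is appended as a trailing word (assumed xxtea-go framing).
func bytesToWords(b []byte, includeLength bool) []uint32 {
	words := make([]uint32, (len(b)+3)/4, (len(b)+3)/4+1)
	for i, c := range b {
		words[i>>2] |= uint32(c) << (uint(i&3) << 3)
	}
	if includeLength {
		words = append(words, uint32(len(b)))
	}
	return words
}

// wordsToBytes is the inverse; with includeLength it validates the trailing
// length word, which is what makes a wrong key fail instead of yielding junk.
func wordsToBytes(w []uint32, includeLength bool) ([]byte, error) {
	n := len(w) * 4
	if includeLength {
		avail := n - 4
		m := int(w[len(w)-1])
		if m < avail-3 || m > avail {
			return nil, errors.New("xxtea: length word out of range (wrong key or corrupt data)")
		}
		n = m
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = byte(w[i>>2] >> (uint(i&3) << 3))
	}
	return out, nil
}

// fixKey zero-pads the key to the 128 bits XXTEA needs; "STALKER" is 7 bytes.
func fixKey(key []byte) []uint32 {
	k := bytesToWords(key, false)
	for len(k) < 4 {
		k = append(k, 0)
	}
	return k[:4]
}

func mx(sum, y, z, p, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// XXTEA treats the whole message as one variable-length block, in place.
func xxteaEncrypt(v, k []uint32) {
	n := uint32(len(v)) - 1
	rounds := 6 + 52/(n+1)
	z := v[n]
	var sum uint32
	for ; rounds > 0; rounds-- {
		sum += delta
		e := (sum >> 2) & 3
		for p := uint32(0); p < n; p++ {
			y := v[p+1]
			v[p] += mx(sum, y, z, p, e, k)
			z = v[p]
		}
		y := v[0]
		v[n] += mx(sum, y, z, n, e, k)
		z = v[n]
	}
}

func xxteaDecrypt(v, k []uint32) {
	n := uint32(len(v)) - 1
	rounds := 6 + 52/(n+1)
	y := v[0]
	for sum := rounds * delta; sum != 0; sum -= delta {
		e := (sum >> 2) & 3
		for p := n; p > 0; p-- {
			z := v[p-1]
			v[p] -= mx(sum, y, z, p, e, k)
			y = v[p]
		}
		z := v[n]
		v[0] -= mx(sum, y, z, 0, e, k)
		y = v[0]
	}
}

// EncryptString builds a constructed Base64(XXTEA(...)) test vector.
func EncryptString(plain string, key []byte) string {
	v := bytesToWords([]byte(plain), true)
	xxteaEncrypt(v, fixKey(key))
	out, _ := wordsToBytes(v, false)
	return base64.StdEncoding.EncodeToString(out)
}

// DecodeString undoes both layers: Base64, then XXTEA under the hardcoded key.
func DecodeString(b64 string, key []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw) < 8 || len(raw)%4 != 0 {
		return "", errors.New("xxtea: need at least two whole 32-bit words")
	}
	v := bytesToWords(raw, false)
	xxteaDecrypt(v, fixKey(key))
	out, err := wordsToBytes(v, true)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

func main() {
	key := []byte("STALKER") // hardcoded key named in the post
	sample := EncryptString("constructed ransom note: pay 80 USD in Bitcoin", key)
	note, err := DecodeString(sample, key)
	fmt.Printf("%s\n-> %q (err=%v)\n", sample, note, err)
}
```

Feed DecodeString the Base64 strings pulled from the binary; the length-word check turns a wrong key or a mis-cut chunk into an error rather than silent garbage, which is the first thing to look at if a real sample does not decode.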
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1758 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1759 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1760 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1761 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1762 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of the Shell function to determine whether it was successful (the return value would be the task ID of the executed application)
If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn’t successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.
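The template injection described above leaves a fingerprint in the document package itself: Word records the template it will fetch as an attachedTemplate relationship in word/_rels/settings.xml.rels. The Go check below is an added example, not code from the post or from the campaign's samples; it parses that part out of a .docx and reports templates that point to http(s) or UNC locations, and the two embedded .rels fixtures (including the example.invalid placeholder URL) are constructed, not the campaign's own.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// settingsRels is the OOXML part holding the attachedTemplate relationship
// that Word resolves (and downloads, if remote) when the document is opened.
const settingsRels = "word/_rels/settings.xml.rels"

// Relationship mirrors one <Relationship> element of a .rels part.
type Relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type Relationships struct {
	XMLName xml.Name       `xml:"Relationships"`
	Items   []Relationship `xml:"Relationship"`
}

// isRemote reports whether a template target would be fetched over the network.
// Word stores even the local Normal.dotm as an External relationship with a
// file:/// target, so TargetMode alone does not separate injection from a
// normal attached template; the scheme does.
func isRemote(target string) bool {
	t := strings.ToLower(strings.TrimSpace(target))
	return strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") ||
		strings.HasPrefix(t, `\\`)
}

// RemoteTemplates returns every attachedTemplate target in a .docx (raw bytes)
// that would be fetched remotely. A benign document yields an empty slice.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a zip/OOXML package: %w", err)
	}
	var found []string
	for _, f := range zr.File {
		if f.Name != settingsRels {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels Relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("malformed %s: %w", settingsRels, err)
		}
		for _, r := range rels.Items {
			if strings.HasSuffix(r.Type, "/attachedTemplate") && isRemote(r.Target) {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

// BuildSampleDocx writes a minimal package holding only the settings .rels part,
// so the detector can be exercised offline on constructed input.
func BuildSampleDocx(rels string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create(settingsRels)
	w.Write([]byte(rels))
	zw.Close()
	return buf.Bytes()
}

// Constructed fixture shaped like a template injection document; the target is
// a placeholder, not the hosting URL used in the campaign.
const InjectedRels = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="https://example.invalid/template.dotm" TargetMode="External"/>
</Relationships>`

// Constructed fixture for a document attached to the user's local Normal.dotm.
const BenignRels = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="file:///C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm" TargetMode="External"/>
</Relationships>`

func main() {
	for name, rels := range map[string]string{"injected": InjectedRels, "benign": BenignRels} {
		targets, err := RemoteTemplates(BuildSampleDocx(rels))
		fmt.Printf("%s: remote templates=%v err=%v\n", name, targets, err)
	}
}
```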
Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Golang function path.filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 byte long nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

the 12 byte long nonce
the encrypted content
the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
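Recovery with the hardcoded key works because the .VAGGEN layout (nonce, then ciphertext, then tag) is exactly what Go's gcm.Open consumes once the 12-byte nonce is peeled off. The Go program below is an added example rather than the sample's own code: it splits a blob into its three fields, decrypts with the 32-byte key quoted in the Vaggen ransomware section, and fails closed on a wrong key or a corrupted byte; SealVaggenLayout, the fixed nonce and the sample plaintext are constructed test fixtures (the sample itself drew its nonce from CryptGenRandom).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

const (
	nonceLen = 12 // GCM nonce stored at the start of a .VAGGEN file
	tagLen   = 16 // GCM authentication tag stored at the end
)

// VaggenKey is the 32-byte AES-256 key reported in the analysis.
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

// Layout is the parsed structure of a .VAGGEN file: nonce || ciphertext || tag.
type Layout struct {
	Nonce, Ciphertext, Tag []byte
}

// SplitVaggen slices a .VAGGEN blob into its three fields without decrypting.
func SplitVaggen(blob []byte) (Layout, error) {
	if len(blob) < nonceLen+tagLen {
		return Layout{}, errors.New("blob shorter than nonce+tag: not a .VAGGEN output")
	}
	return Layout{
		Nonce:      blob[:nonceLen],
		Ciphertext: blob[nonceLen : len(blob)-tagLen],
		Tag:        blob[len(blob)-tagLen:],
	}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RecoverVaggen decrypts one .VAGGEN blob. gcm.Open expects ciphertext||tag,
// which is exactly how the file stores them after the nonce, so no reassembly
// is needed. A wrong key or a flipped byte fails tag verification and returns
// an error instead of garbage plaintext.
func RecoverVaggen(blob, key []byte) ([]byte, error) {
	if _, err := SplitVaggen(blob); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceLen], blob[nonceLen:], nil)
}

// SealVaggenLayout builds a blob in the same layout from a plaintext and a
// caller-supplied nonce, so the recovery path can be tested offline on
// constructed data.
func SealVaggenLayout(plain, key, nonce []byte) ([]byte, error) {
	if len(nonce) != nonceLen {
		return nil, errors.New("nonce must be 12 bytes")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, nonceLen, nonceLen+len(plain)+tagLen)
	copy(out, nonce)
	return gcm.Seal(out, nonce, plain, nil), nil // appends ciphertext||tag after the nonce
}

// Constructed fixtures: a sample plaintext and a fixed 12-byte nonce used only
// so the demonstration is reproducible.
var (
	SamplePlain = []byte("constructed sample document contents")
	SampleNonce = []byte("constructed!")
)

func main() {
	blob, _ := SealVaggenLayout(SamplePlain, VaggenKey, SampleNonce)
	l, _ := SplitVaggen(blob)
	fmt.Printf("nonce=%d ct=%d tag=%d bytes\n", len(l.Nonce), len(l.Ciphertext), len(l.Tag))
	got, err := RecoverVaggen(blob, VaggenKey)
	fmt.Printf("recovered=%q err=%v\n", got, err)
	_, err = RecoverVaggen(blob, []byte("wrong key wrong key wrong key 00"))
	fmt.Printf("wrong key -> err=%v\n", err)
}
```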
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1799 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1800 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1801 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1802 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. 
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1803 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1804 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1805 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. 
Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1806 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1807 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. 
Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1808 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1809 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1810 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1811 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1812 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1813 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1814 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1815 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1816 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1817 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1818 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1819 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1820 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1821 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1822 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1823 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1824 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. However, this attack, and the motives behind it, are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims into paying to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and DropBox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, share notifications are sent by the file sharing service itself, and it is much harder to flag those as spam without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

“Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!”

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). The .docx itself carries no VBA: it only holds an attachedTemplate relationship pointing at the remote URL, and Word fetches the .dotm, with its macro, when the document is opened. This is why a static scan of the .docx for macros turns up nothing; the relationship that points to the remote template, and the template itself, are what have to be inspected.

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe and writes it as Polisen.exe
- Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe and writes it as Killar.exe
- Calls the Shell function to execute killar.exe
- Checks the value returned by Shell to see whether the launch succeeded (on success, the return value is the task ID of the launched process)
- If it succeeded, sends an HTTP GET request to canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it failed, sends an HTTP GET request to canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted when a particular event occurs; it can be very useful as an early warning system that an intruder has gained access to a network.
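As an added example (not code from the original post, and not the attacker's), the following Go program performs the check a responder would run on the delivered .docx: it opens the OOXML package, reads word/_rels/settings.xml.rels and reports any attachedTemplate relationship whose target is an http(s) URL, which is the footprint template injection leaves in the document. The sample document it builds in memory is constructed for the demonstration, and the notabug.org template URL in it is a placeholder: the post gives the host and the path style of the payload URLs but not the exact URL of template.dotm.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Relationship type Word uses to attach a template to a document. It is the
// hook template injection abuses: when the target is a URL, Word fetches the
// remote .dotm (and its macro) when the document is opened.
const attachedTemplateRel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// relationships mirrors the schema of a .rels part, as far as this check needs it.
type relationships struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// FindRemoteTemplates opens a .docx (an OOXML zip) held in memory and returns
// every attachedTemplate target that is an http(s) URL. Legitimate documents
// often carry an attachedTemplate relationship too, but its target is a local
// file:// path; a template pulled over http(s) is the template-injection signal.
func FindRemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a zip/OOXML file: %w", err)
	}
	var found []string
	for _, f := range zr.File {
		if f.Name != "word/_rels/settings.xml.rels" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("bad relationships part: %w", err)
		}
		for _, r := range rels.Rels {
			if !strings.HasSuffix(r.Type, "/attachedTemplate") || !strings.EqualFold(r.TargetMode, "External") {
				continue
			}
			t := strings.ToLower(r.Target)
			if strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

// BuildSampleDocx constructs a minimal OOXML package for the demonstration. It is
// not the UBC document; only the settings relationships part matters for the check.
// An empty templateTarget yields a document with no attachedTemplate relationship.
func BuildSampleDocx(templateTarget string) []byte {
	rels := `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>` +
		`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`
	if templateTarget != "" {
		rels += `<Relationship Id="rId1" Type="` + attachedTemplateRel + `" Target="` + templateTarget + `" TargetMode="External"/>`
	}
	rels += `</Relationships>`
	parts := map[string]string{
		"[Content_Types].xml":          `<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`,
		"word/document.xml":            `<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>`,
		"word/settings.xml":            `<?xml version="1.0"?><w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>`,
		"word/_rels/settings.xml.rels": rels,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Placeholder URL: the post names the host and path style of the payloads, not the exact template URL.
	doc := BuildSampleDocx("https://notabug.org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/template.dotm")
	hits, err := FindRemoteTemplates(doc)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Println("remote template:", h)
	}
}
```

On a real sample, pass the file bytes to FindRemoteTemplates. The http(s) filter matters: a document created from a local template legitimately carries an External attachedTemplate relationship whose target is a file:// path, so flagging every External relationship would drown the check in false positives.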
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files, adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD, to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Several of them can be mapped to their purpose:

- main_LAMNARDETTA -> main_enumDir
- main_ELDBJORT -> main_encryptFile
- main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
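The recovery the analysis relies on, worked through as an added Go example (this is not code from the article or from the malware): it parses the .VAGGEN layout of a 12-byte nonce, the ciphertext and the 16-byte GCM tag, decrypts with the hardcoded 32-byte key, and refuses to write anything when the tag does not verify. Function names, the directory-walking recovery routine and the EncryptLikeVaggen helper (which only exists to build a constructed sample offline) are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

const (
	vaggenKey = "du_tar_mitt_hjart_mina_pengarna0" // key quoted in the article; 32 bytes selects AES-256
	nonceSize = 12                                 // nonce stored at the start of a .VAGGEN file
	tagSize   = 16                                 // GCM tag that gcm.Seal appends to the ciphertext
	extension = ".VAGGEN"                          // suffix the ransomware adds to encrypted files
)

// newGCM returns an AES-256-GCM instance (12-byte nonce, 16-byte tag) for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptVaggen parses nonce || ciphertext || tag and returns the plaintext. A blob too short
// to hold both nonce and tag, or any tag mismatch (wrong key, truncation, corruption), is an
// error; gcm.Open releases no partial plaintext, so nothing unverified is ever written back.
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, fmt.Errorf("blob is %d bytes, shorter than nonce + tag", len(blob))
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// EncryptLikeVaggen builds a constructed sample in the same layout so the decryptor can be
// exercised offline: gcm.Seal with the nonce passed as dst yields nonce || ciphertext || tag.
func EncryptLikeVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RestoreName strips the .VAGGEN suffix; the bool is false for any other file.
func RestoreName(name string) (string, bool) {
	return strings.TrimSuffix(name, extension), strings.HasSuffix(name, extension)
}

// RecoverDir walks root with filepath.Walk (the same primitive the malware uses to find its
// victims), decrypts every *.VAGGEN file to its original name and returns how many were
// restored. Files whose tag fails are left untouched, so a wrong key cannot destroy evidence.
func RecoverDir(root string, key []byte) (int, error) {
	restored := 0
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		orig, ok := RestoreName(path)
		if !ok {
			return nil
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		plain, err := DecryptVaggen(key, blob)
		if err != nil {
			return nil // skip: wrong key or damaged file
		}
		if err := os.WriteFile(orig, plain, 0o600); err != nil {
			return err
		}
		restored++
		return nil
	})
	return restored, err
}

func main() {
	blob, _ := EncryptLikeVaggen([]byte(vaggenKey), []byte("constructed document body")) // constructed sample
	plain, err := DecryptVaggen([]byte(vaggenKey), blob)
	fmt.Printf("%d-byte blob -> %q (err=%v)\n", len(blob), plain, err)
}
```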
The file content is encrypted with the gcm.Seal function. The output file (with the .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. With all these elements, we can recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1873 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1874 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1875 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1876 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1877 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1878 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1879 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1880 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1881 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1882 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1883 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1884 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1885 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1886 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1887 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1888 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1889 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1890 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1891 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
- If successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD, to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (e.g. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Go library function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) is:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point whether the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
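The phishing document analysis above hinges on template injection: the .docx itself carries no macro, only a relationship pointing at a remote template (template.dotm) hosted elsewhere. That relationship is what a mail gateway or triage script can look for before the document is ever opened. The program below is an added example written for this page, not code from the post or from the attacker's template; it assumes the standard OOXML convention that the attached template is recorded as an attachedTemplate relationship with TargetMode="External" in a .rels part (for Word, word/_rels/settings.xml.rels). The function names and the constructed sample container are this example's own, and the URL it checks against is a placeholder, not one of the IOCs.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// OPC relationship type Word uses for the attached (.dotm) template.
const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// Relationships and Relationship mirror the .rels XML just far enough to read
// the attributes this check needs.
type Relationships struct {
	XMLName xml.Name       `xml:"Relationships"`
	Items   []Relationship `xml:"Relationship"`
}

type Relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

// RemoteTemplates scans every .rels part of a .docx (a zip container) and
// returns the targets of attachedTemplate relationships that point outside
// the package (TargetMode="External"), the hallmark of template injection.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a zip/OOXML container: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels Relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Items {
			if r.Type == attachedTemplateType && strings.EqualFold(r.TargetMode, "External") {
				hits = append(hits, r.Target)
			}
		}
	}
	return hits, nil
}

// BuildSampleDocx constructs a minimal container holding only the settings
// relationships part, plus one benign filler relationship; when templateURL
// is non-empty it adds an external attachedTemplate relationship.
// Constructed test data, not the real lure document.
func BuildSampleDocx(templateURL string) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create("word/_rels/settings.xml.rels")
	if err != nil {
		return nil, err
	}
	var b strings.Builder
	b.WriteString(`<?xml version="1.0" encoding="UTF-8" standalone="yes"?>`)
	b.WriteString(`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`)
	b.WriteString(`<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>`)
	if templateURL != "" {
		b.WriteString(`<Relationship Id="rId2" Type="` + attachedTemplateType + `" Target="` + templateURL + `" TargetMode="External"/>`)
	}
	b.WriteString(`</Relationships>`)
	if _, err := io.WriteString(w, b.String()); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	// Placeholder host; not one of the IOCs from the post.
	for _, url := range []string{"", "https://code-host.invalid/template.dotm"} {
		doc, err := BuildSampleDocx(url)
		if err != nil {
			panic(err)
		}
		hits, err := RemoteTemplates(doc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("remote templates: %v\n", hits)
	}
}
```

A non-empty result is a strong triage signal on its own: legitimate documents rarely pull their template over HTTP from a code hosting site, and the lookup happens before any macro runs, so the check is safe to apply at the gateway or in a sandbox pre-filter.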
Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adds the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, whose entry point is the function denoted as 'main_main'. Other functions belonging to the main package have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. Three of them could be renamed according to their behaviour:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, is linked from the original post.

Some of the strings used by the malware (for example the content of the ransom note) are stored encrypted with XXTEA, using the xxtea-go library. Each encrypted chunk is first decoded from Base64 and then decrypted with the hardcoded XXTEA key "STALKER". At the end of the execution, the ransom note is dropped on the Desktop. Encryption and renaming of the files is implemented as the callback passed to the standard Go function filepath.Walk (package path/filepath), so every file under the walked directory tree is visited in turn.
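The string-decryption scheme described above (Base64, then XXTEA with the key "STALKER"), as an added example that is neither the malware's code nor the xxtea-go library itself. The block reimplements XXTEA with the packing conventions xxtea-go uses: little-endian 32-bit words, the original byte length stored in one trailing word, and a key zero-padded to 16 bytes. That compatibility is an assumption, as is the standard Base64 alphabet. Because the page does not reproduce the encrypted ransom-note chunks, ObfuscateString builds a constructed chunk that DecodeObfuscatedString then recovers; the length-word plausibility check is what makes a wrong key fail cleanly instead of returning garbage.

```go
package main

import "encoding/base64"
import "errors"

const xxteaDelta = 0x9E3779B9

// mx is the mixing term of the reference XXTEA algorithm.
func mx(sum, y, z, p, e uint32, k []uint32) uint32 {
	return (((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// bytesToWords packs bytes little-endian into 32-bit words, appending the byte count as one extra word when includeLength is set (xxtea-go convention).
func bytesToWords(b []byte, includeLength bool) []uint32 {
	n := (len(b) + 3) / 4
	v := make([]uint32, n+1)
	if includeLength {
		v[n] = uint32(len(b))
	} else {
		v = v[:n]
	}
	for i, c := range b {
		v[i>>2] |= uint32(c) << (uint(i&3) * 8)
	}
	return v
}

// wordsToBytes is the inverse; the trailing length word is trusted only when plausible, so a wrong key normally yields an error rather than garbage.
func wordsToBytes(v []uint32, includeLength bool) ([]byte, error) {
	n := len(v) * 4
	if includeLength {
		m, limit := int(v[len(v)-1]), n-4
		if m < limit-3 || m > limit {
			return nil, errors.New("xxtea: length word out of range (wrong key or corrupt data)")
		}
		n = m
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = byte(v[i>>2] >> (uint(i&3) * 8))
	}
	return out, nil
}

// key16 zero-pads the key to the 16 bytes (four words) XXTEA needs.
func key16(key string) []uint32 {
	k := make([]byte, 16)
	copy(k, key) // "STALKER" is 7 bytes, so nine zero bytes follow it
	return bytesToWords(k, false)
}

func xxteaEncrypt(v, k []uint32) {
	n := uint32(len(v) - 1) // index of the last word
	z, sum := v[n], uint32(0)
	for q := 6 + 52/(n+1); q > 0; q-- {
		sum += xxteaDelta
		e := (sum >> 2) & 3
		for p := uint32(0); p < n; p++ {
			v[p] += mx(sum, v[p+1], z, p, e, k)
			z = v[p]
		}
		v[n] += mx(sum, v[0], z, n, e, k)
		z = v[n]
	}
}

func xxteaDecrypt(v, k []uint32) {
	n := uint32(len(v) - 1)
	y := v[0] // sum below counts down to exactly 0 after 6+52/words rounds because xxteaDelta is odd
	for sum := (6 + 52/(n+1)) * xxteaDelta; sum != 0; sum -= xxteaDelta {
		e := (sum >> 2) & 3
		for p := n; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n], 0, e, k)
		y = v[0]
	}
}

// ObfuscateString mimics how the sample's strings are assumed to have been prepared (XXTEA, then Base64); it exists only to build test data.
func ObfuscateString(s, key string) string {
	v := bytesToWords([]byte(s), true)
	xxteaEncrypt(v, key16(key))
	raw, _ := wordsToBytes(v, false)
	return base64.StdEncoding.EncodeToString(raw)
}

// DecodeObfuscatedString reverses it: Base64 (standard alphabet assumed), XXTEA decrypt with the hardcoded key, then drop the length word.
func DecodeObfuscatedString(b64, key string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) < 8 || len(raw)%4 != 0 {
		return "", errors.New("xxtea: need valid Base64 of at least two whole 32-bit words")
	}
	v := bytesToWords(raw, false)
	xxteaDecrypt(v, key16(key))
	pt, err := wordsToBytes(v, true)
	return string(pt), err
}
```

To recover the real note, feed each Base64 chunk pulled from the binary to DecodeObfuscatedString(chunk, "STALKER"); if the library's packing differs from the assumption above, the length check will reject the output rather than print nonsense, which is the signal to compare against the xxtea-go source.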
Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the Go example linked from the original post: it uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom, and the file content is encrypted with the gcm.Seal function.

The content of the output file (with the .VAGGE N extension corrected to .VAGGEN) is, in order:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

This is the layout gcm.Seal produces when the nonce slice is passed as its destination buffer.

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart, my money". Using this key, we can easily decrypt the content. With all these elements, we can recover encrypted files without having to pay the ransom. The cipher and mode are sound; what breaks the scheme is key management. A single static symmetric key, shared by every victim and embedded in every sample, means anyone with a copy of the binary can decrypt every file it ever encrypted. Note also that GCM authenticates what it encrypts, so a truncated or partially overwritten .VAGGEN file will fail to decrypt rather than yield corrupt output. It appears that the malware author has not received any payment so far at the Bitcoin address given in the ransom note.
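A decryptor for the file layout described above, written here as an added example rather than taken from the malware or from the Go sample the post links to. EncryptVaggen exists only to produce test data in the same nonce || ciphertext || tag layout (crypto/rand stands in for CryptGenRandom, which changes nothing about the format, and no additional authenticated data is assumed since the analysis mentions none); DecryptVaggen is the part an analyst would point at real .VAGGEN files. The file content used is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// VaggenKey is the static key quoted in the analysis: 32 bytes, hence AES-256.
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	vaggenNonceLen = 12 // standard GCM nonce size
	vaggenTagLen   = 16 // standard GCM tag size
	vaggenExt      = ".VAGGEN"
)

// newGCM builds the AEAD the way any Go program does: aes.NewCipher then cipher.NewGCM.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptVaggen reproduces the output layout, nonce || ciphertext || tag, for test
// data only. Passing the nonce as gcm.Seal's dst is what yields that layout. The
// nonce comes from crypto/rand here; the malware used CryptGenRandom, which makes
// no difference to the format. No additional data is assumed (the analysis names none).
func EncryptVaggen(plaintext, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, vaggenNonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptVaggen recovers the original bytes from a .VAGGEN blob. Because GCM
// authenticates the ciphertext, a truncated or modified file fails loudly instead
// of silently producing garbage.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < vaggenNonceLen+vaggenTagLen {
		return nil, errors.New("vaggen: file too short to hold a nonce and a tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, body := blob[:vaggenNonceLen], blob[vaggenNonceLen:]
	pt, err := gcm.Open(nil, nonce, body, nil)
	if err != nil {
		return nil, fmt.Errorf("vaggen: authentication failed (wrong key or damaged file): %w", err)
	}
	return pt, nil
}

// RestoreName strips the appended extension; a name without it is returned unchanged.
func RestoreName(name string) string {
	return strings.TrimSuffix(name, vaggenExt)
}

func main() {
	original := []byte("Q3 budget draft, do not distribute") // constructed sample content
	blob, err := EncryptVaggen(original, VaggenKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob: %d bytes = %d nonce + %d ciphertext + %d tag\n",
		len(blob), vaggenNonceLen, len(original), vaggenTagLen)
	recovered, err := DecryptVaggen(blob, VaggenKey)
	fmt.Printf("recovered: %q (err=%v)\n", recovered, err)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err = DecryptVaggen(blob, VaggenKey)
	fmt.Println("tampered blob:", err)
	fmt.Println("restored name:", RestoreName("report.docx"+vaggenExt))
}
```

For a real recovery, read each .VAGGEN file, pass its bytes and VaggenKey to DecryptVaggen, and write the result under RestoreName of the original path; keep the encrypted copies until the decrypted ones have been checked, since an authentication failure on one file points to a damaged file, not a wrong key.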
Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It is unclear at this point whether the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
IOCs

Each variant lists the remote template with its SHA-256, the payload download URLs, the canary-token URLs, and the SHA-256 hashes of the dropped executables where they were available. Note that Variant 1 and Variant 4 fetch alderson.exe from the same URL yet the hashes differ, so the repository served different binaries over time: block the URLs and repositories, not only the hashes.

Variant 1
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1948 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1949 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1950 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1951 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1952 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1953 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1954 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1955 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1956 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1957 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero. In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1958 of 3467 However, this attack and motives are different than the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files. On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team. 
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

    Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
- If successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
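Template injection of the kind used here leaves a static trace in the document package itself, independent of the macro: the attached-template relationship in word/_rels/settings.xml.rels points at an external, web-hosted .dotm instead of a local template. The following Go program is an added example written for this write-up (it is neither Malwarebytes' tooling nor the attacker's code); it builds a small constructed .docx fixture in memory and flags any attachedTemplate relationship whose external target is an http(s) URL, while leaving the ordinary file:// reference to a local Normal.dotm alone. The hostname template-host.invalid and the local path in the fixture are placeholders.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// attachedTemplateRel is the OOXML relationship type Word uses for an attached template.
const attachedTemplateRel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// relationships mirrors the subset of a .rels part that the check needs.
type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// FindRemoteTemplates scans every .rels part inside a .docx (a zip container) and
// returns the Target of each attachedTemplate relationship that is External and
// points at a web URL. Local templates are also External but use file:// targets,
// so those are not reported.
func FindRemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a zip container: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			continue // a malformed part is not a template reference; keep scanning
		}
		for _, r := range rels.Rels {
			if r.Type != attachedTemplateRel || !strings.EqualFold(r.TargetMode, "External") {
				continue
			}
			target := strings.ToLower(r.Target)
			if strings.HasPrefix(target, "http://") || strings.HasPrefix(target, "https://") {
				hits = append(hits, r.Target)
			}
		}
	}
	return hits, nil
}

// BuildSampleDocx produces a minimal constructed .docx whose settings part carries an
// attachedTemplate relationship to templateTarget. It is a test fixture for this
// example, not a real phishing document.
func BuildSampleDocx(templateTarget string) []byte {
	const wNS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
	const rNS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
	parts := map[string]string{
		"word/document.xml": `<w:document xmlns:w="` + wNS + `"><w:body/></w:document>`,
		"word/settings.xml": `<w:settings xmlns:w="` + wNS + `" xmlns:r="` + rNS + `"><w:attachedTemplate r:id="rId1"/></w:settings>`,
		"word/_rels/settings.xml.rels": `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` +
			`<Relationship Id="rId1" Type="` + attachedTemplateRel + `" Target="` + templateTarget + `" TargetMode="External"/>` +
			`</Relationships>`,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, err := zw.Create(name)
		if err != nil {
			panic(err) // cannot fail on an in-memory buffer
		}
		io.WriteString(w, body)
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	for _, target := range []string{
		"http://template-host.invalid/template.dotm",                          // constructed stand-in for a remote template
		"file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm", // ordinary local template
	} {
		hits, err := FindRemoteTemplates(BuildSampleDocx(target))
		fmt.Printf("%-72s remote=%v err=%v\n", target, hits, err)
	}
}
```

Run against a real .docx, read the file into a byte slice and pass it to FindRemoteTemplates; a non-empty result is worth a closer look even when the document itself contains no macros, because the macro lives in the fetched template, which is exactly why the on-disk document looked harmless here.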
In the case of this phishing document, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Three of them map to the following roles:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (e.g. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the gcm.Seal function. The output file (with the .VAGGEN extension) contains, in order:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
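Putting the pieces above together: a .VAGGEN file is nonce || ciphertext || tag, sealed with AES-256-GCM under the hardcoded 32-byte key quoted earlier, so recovery is a matter of splitting off the 12-byte prefix and handing the rest to gcm.Open, which verifies the 16-byte tag and decrypts in one step. The Go program below is an added example written for this write-up, not the malware's code and not a Malwarebytes decryptor; SealLikeVaggen exists only to build a constructed fixture with the same layout, and the function names are invented here. Because GCM authenticates, a wrong key, a truncated file or a flipped byte fails cleanly instead of producing garbage, which is the behaviour a recovery tool should surface to the operator rather than silently writing a corrupt file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// HardcodedKey is the 32-byte AES-256 key quoted in the write-up.
const HardcodedKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12       // standard GCM nonce; the malware draws it from CryptGenRandom
	tagSize   = 16       // GCM authentication tag that Seal appends to the ciphertext
	extension = ".VAGGEN" // suffix the malware adds when renaming an encrypted file
)

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("expected a 32-byte AES-256 key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealLikeVaggen builds a test fixture with the layout the write-up describes:
// nonce || ciphertext || tag. It is a stand-in written for this example, not the malware's code.
func SealLikeVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to its dst argument, so passing the nonce as dst
	// yields nonce||ciphertext||tag in a single buffer, matching the .VAGGEN layout.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RecoverVaggen reverses that layout: split off the nonce, then let Open verify the
// tag and decrypt. A wrong key or a truncated/corrupted file fails authentication
// instead of yielding garbage.
func RecoverVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, fmt.Errorf("file too short (%d bytes) to hold a nonce and a tag", len(blob))
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	pt, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("authentication failed (wrong key or damaged file): %w", err)
	}
	return pt, nil
}

// RestoreName strips the .VAGGEN suffix so the recovered content can be written
// back under the original file name; ok is false for files that were not renamed.
func RestoreName(name string) (restored string, ok bool) {
	if !strings.HasSuffix(name, extension) {
		return name, false
	}
	return strings.TrimSuffix(name, extension), true
}

func main() {
	key := []byte(HardcodedKey)
	blob, err := SealLikeVaggen(key, []byte("constructed sample document")) // constructed fixture
	if err != nil {
		panic(err)
	}
	pt, err := RecoverVaggen(key, blob)
	fmt.Printf("recovered %q, err=%v\n", pt, err)
	name, _ := RestoreName("notes.txt.VAGGEN")
	fmt.Println("would restore to:", name)
}
```

To turn this into a bulk recovery, walk the affected tree (the same filepath.Walk pattern the malware uses for encryption), call RecoverVaggen on every file RestoreName accepts, and write the plaintext to the restored name only after Open succeeds, leaving the .VAGGEN original in place until the result has been verified.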
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm  634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe  34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe  00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx  e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm  334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe  03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe  43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm  225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm  ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe  b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe  00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm  7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe  f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe  71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1985 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1986 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1987 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1988 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1989 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1990 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1991 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1992 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1993 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1994 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: 
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1995 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1996 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1997 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1998 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 1999 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2000 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2001 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2002 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2003 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2004 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2005 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2006 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2007 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2008 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2009 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2010 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2011 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2012 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2013 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, less than a hundred people within a specific department received the link to access the shared document.
A Box or Dropbox account was required in order to download the file, since it was shared privately instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the shell function to execute killar.exe
- Checks the return value of the shell function to see whether it was successful (the return value would be the task ID of the executed application)
- If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn't successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event.
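The delivery chain above can be triaged statically: the lure's word/_rels/settings.xml.rels carries an attachedTemplate relationship whose external http(s) target is the template Word will fetch, and the fetched .dotm carries its macro as word/vbaProject.bin. The Go program below is an added example written for this post, not code from the authors or from the sample; the Triage and BuildSampleDoc names, the in-memory fixtures and the example.invalid URL are constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" // binds a document to its attached template
const settingsRelsPart = "word/_rels/settings.xml.rels"                                                      // package part carrying that relationship

// relationships mirrors the subset of a .rels part the check needs.
type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

type Finding struct {
	RemoteTemplates []string // http(s) attachedTemplate targets: remote template injection
	HasVBAProject   bool     // word/vbaProject.bin present: the part carries a macro
}

// Triage inspects an in-memory .docx/.dotm without rendering it: it walks the
// zip directory for vbaProject.bin and parses the settings relationships.
func Triage(doc []byte) (Finding, error) {
	var f Finding
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return f, fmt.Errorf("not an OOXML (zip) container: %w", err)
	}
	for _, part := range zr.File {
		switch part.Name {
		case "word/vbaProject.bin":
			f.HasVBAProject = true
		case settingsRelsPart:
			rc, err := part.Open()
			if err != nil {
				return f, err
			}
			var rels relationships
			err = xml.NewDecoder(rc).Decode(&rels)
			rc.Close()
			if err != nil {
				return f, fmt.Errorf("malformed %s: %w", settingsRelsPart, err)
			}
			for _, r := range rels.Rels {
				// A local Normal.dotm is also TargetMode="External" (file:// target);
				// only an http(s) target means Word fetches the template over the network.
				t := strings.ToLower(r.Target)
				if r.Type == attachedTemplateType && strings.EqualFold(r.TargetMode, "External") &&
					(strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://")) {
					f.RemoteTemplates = append(f.RemoteTemplates, r.Target)
				}
			}
		}
	}
	return f, nil
}

// BuildSampleDoc constructs a minimal OOXML package in memory: a settings part
// whose attached template is `target`, plus an empty vbaProject.bin if withVBA.
// It is a constructed test fixture, not a file from the campaign.
func BuildSampleDoc(target string, withVBA bool) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	parts := map[string]string{
		"word/settings.xml": `<?xml version="1.0"?><w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>`,
		settingsRelsPart:    fmt.Sprintf(`<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/></Relationships>`, attachedTemplateType, target),
	}
	if withVBA {
		parts["word/vbaProject.bin"] = "" // presence is what the check keys on
	}
	for name, body := range parts {
		w, _ := zw.Create(name)
		io.WriteString(w, body)
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Constructed samples: a lure with a remote template at a placeholder URL, a benign
	// file whose attached template is the local Normal.dotm, and a macro-carrying template.
	samples := map[string][]byte{
		"lure.docx":     BuildSampleDoc("https://example.invalid/template.dotm", false),
		"benign.docx":   BuildSampleDoc("file:///C:/Users/u/AppData/Roaming/Microsoft/Templates/Normal.dotm", false),
		"template.dotm": BuildSampleDoc("", true),
	}
	for name, doc := range samples {
		f, err := Triage(doc)
		fmt.Printf("%-14s remote=%v vba=%v err=%v\n", name, f.RemoteTemplates, f.HasVBAProject, err)
	}
}
```

A local Normal.dotm target is deliberately not reported, so the check alerts on the network fetch rather than on every document that carries an attached template.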
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Based on their behavior, some of them can be mapped as follows:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Golang function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte-long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here.
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2020 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2021 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2022 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2023 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2024 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

“Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!”

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

1. Gets the %APPDATA% directory
2. Creates the Byxor directory in %APPDATA%
3. Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
4. Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
5. Calls the Shell function to execute killar.exe
6. Checks the return value of the Shell function to determine whether the launch succeeded (on success, the return value is the task ID of the executed application)
7. If successful, sends an HTTP GET request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
8. If not successful, sends an HTTP GET request to canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
In this attack, the canary token more likely serves to tell the attacker how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12 byte long nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) contains:

- the 12 byte long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
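Putting the .VAGGEN file layout and the hardcoded key from the Vaggen ransomware section together, the following added example (not the authors’ recovery tool and not the malware’s own code) shows how a defender recovers such a file in Go, the language the ransomware was written in. It assumes, as the analysis states, that the key is the 32-byte string above and that .VAGGEN was appended to the original file name; MakeSampleVaggen exists only to construct offline test data in the same nonce || ciphertext || tag layout, drawing its nonce from crypto/rand where the malware used CryptGenRandom.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Hardcoded AES-256 key recovered from the Vaggen binary (as reported above).
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	nonceLen = 12 // GCM nonce, stored at the start of the .VAGGEN file
	tagLen   = 16 // GCM authentication tag, appended by gcm.Seal
)

// RecoverVaggen parses nonce || ciphertext || tag and returns the original
// content. gcm.Open verifies the tag, so a truncated or modified .VAGGEN file
// is reported as an error instead of silently yielding garbage.
func RecoverVaggen(blob []byte) ([]byte, error) {
	if len(blob) < nonceLen+tagLen {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(vaggenKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceLen], blob[nonceLen:]
	return gcm.Open(nil, nonce, sealed, nil)
}

// OriginalName strips the appended .VAGGEN extension (assumption: the
// ransomware appends it rather than replacing the original extension).
func OriginalName(encryptedName string) string {
	return strings.TrimSuffix(encryptedName, ".VAGGEN")
}

// MakeSampleVaggen produces constructed test data in the same layout so the
// recovery routine can be exercised offline without a real sample.
func MakeSampleVaggen(plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(vaggenKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the 16-byte tag; using nonce as dst gives nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	blob, err := MakeSampleVaggen([]byte("constructed sample file content"))
	if err != nil {
		panic(err)
	}
	plain, err := RecoverVaggen(blob)
	fmt.Printf("%s -> %q, err=%v\n", OriginalName("report.docx.VAGGEN"), plain, err)
}
```

Because GCM authenticates the ciphertext, a recovery run over a whole directory can report files that were truncated or altered after encryption rather than writing corrupt output. The caveat is that a hardcoded key only makes recovery possible for this particular build; another variant from the same actor may carry a different key.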
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2062 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2063 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2064 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2065 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2066 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2067 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2068 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2069 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2070 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2071 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2072 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2073 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2074 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2075 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2076 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2077 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2078 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
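The container layout above (12-byte nonce, ciphertext, 16-byte GCM tag) together with the recovered 32-byte key is all a recovery tool needs. The following Go program is an added example written for this page, not the analysts' tooling nor the malware's code: it parses a .VAGGEN body, decrypts it with the standard library's AES-GCM, and builds its own constructed sample input because no encrypted file ships with the article.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Parameters taken from the write-up above: AES-256 in GCM mode, a 32-byte
// hardcoded key, a 12-byte random nonce and a 16-byte GCM tag. A .VAGGEN file
// body is laid out as nonce || ciphertext || tag, which is exactly what
// prefixing the nonce to the output of Go's gcm.Seal produces.
const (
	vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"
	nonceSize = 12
	tagSize   = 16
)

// VaggenContainer holds the three fields of one encrypted file body.
type VaggenContainer struct {
	Nonce      []byte
	Ciphertext []byte // ciphertext only, tag stripped
	Tag        []byte
}

// ParseVaggen splits a .VAGGEN file body into its fields. Bodies too short to
// hold a nonce and a tag are rejected: the file was truncated or was never
// produced by this sample.
func ParseVaggen(body []byte) (*VaggenContainer, error) {
	if len(body) < nonceSize+tagSize {
		return nil, errors.New("vaggen: body shorter than nonce+tag")
	}
	return &VaggenContainer{
		Nonce:      body[:nonceSize],
		Ciphertext: body[nonceSize : len(body)-tagSize],
		Tag:        body[len(body)-tagSize:],
	}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptVaggen recovers one file's plaintext with the key found in the
// binary. gcm.Open checks the tag before returning anything, so a wrong key
// or a corrupted file fails closed instead of yielding garbage.
func DecryptVaggen(body, key []byte) ([]byte, error) {
	c, err := ParseVaggen(body)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Open expects ciphertext||tag, the same shape Seal emitted.
	sealed := append(append([]byte{}, c.Ciphertext...), c.Tag...)
	return gcm.Open(nil, c.Nonce, sealed, nil)
}

// sealLikeSample builds a body in the same layout so the decryptor can be
// exercised offline. This is plain standard-library AES-GCM written for the
// example, not code from the sample.
func sealLikeSample(plaintext, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst; using the nonce as dst gives
	// nonce||ciphertext||tag in a single buffer.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	key := []byte(vaggenKey)
	// Constructed sample input: a short document body sealed in the layout.
	body, err := sealLikeSample([]byte("Q3 budget draft"), key)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptVaggen(body, key)
	fmt.Printf("recovered: %q (err=%v)\n", plain, err)
	body[nonceSize] ^= 0x01 // one flipped ciphertext byte trips the tag check
	_, err = DecryptVaggen(body, key)
	fmt.Println("tampered body rejected:", err != nil)
}
```

Because the tag covers the whole ciphertext, a file that was only partially written before the process was killed will fail to open rather than decrypt to a mix of plaintext and noise.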
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2079 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2080 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2081 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2082 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2083 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2084 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2085 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2086 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2087 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2088 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2089 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2090 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2091 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero. In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2092 of 3467 However, this attack and motives are different than the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files. On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team. 
Mandatory COVID-19 survey distributed to targeted recipients The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives. The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC): Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2093 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

1. Gets the %APPDATA% directory
2. Creates the Byxor directory in %APPDATA%
3. Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
4. Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
5. Calls the Shell function to execute killar.exe
6. Checks the return value of the Shell function to see whether it succeeded (the return value is the task ID of the executed application)
7. If successful, sends a GET HTTP request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
8. If not successful, sends a GET HTTP request to canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted on a particular event. It can be very useful as an early-warning system that an intruder has gained access to a network.
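The template-injection step above is worth being able to spot without opening the document in Word. The following Go program is an added example written for this page (it is not code from the Malwarebytes authors or from the sample): it treats the .docx as the OOXML zip package it is, reads every *.rels part, and reports relationships whose TargetMode is External, flagging the attachedTemplate relationship that Word follows to fetch a remote .dotm. The relationship type URL is the standard OOXML one; the file name triage.go and the attacker.example URL in the usage note are placeholders.

```go
package main

import (
	"archive/zip"
	"encoding/xml"
	"fmt"
	"io"
	"os"
	"strings"
)

// Standard OOXML relationship type for the document's attached template. When
// its Target is external, Word fetches and applies it on open: template injection.
const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

type relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

// finding is one relationship that points outside the package.
type finding struct {
	Part             string // the .rels part that declares the relationship
	Target           string // the URL Word will reach out to when the document opens
	AttachedTemplate bool   // true when the target is loaded as the document template
}

// externalRelationships walks every *.rels part of an OOXML package and returns
// the relationships with TargetMode="External". A normal document has none in
// word/_rels/settings.xml.rels; an external attachedTemplate there is the
// tell-tale sign of the technique described in the write-up.
func externalRelationships(r io.ReaderAt, size int64) ([]finding, error) {
	zr, err := zip.NewReader(r, size)
	if err != nil {
		return nil, err
	}
	var out []finding
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		var rels relationships
		err = xml.NewDecoder(rc).Decode(&rels)
		rc.Close()
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, rel := range rels.Rels {
			if rel.TargetMode != "External" {
				continue
			}
			out = append(out, finding{
				Part:             f.Name,
				Target:           rel.Target,
				AttachedTemplate: rel.Type == attachedTemplateType,
			})
		}
	}
	return out, nil
}

func main() {
	for _, path := range os.Args[1:] {
		f, err := os.Open(path)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			continue
		}
		st, err := f.Stat()
		if err != nil {
			f.Close()
			fmt.Fprintln(os.Stderr, err)
			continue
		}
		findings, err := externalRelationships(f, st.Size())
		f.Close()
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		for _, fd := range findings {
			label := "external"
			if fd.AttachedTemplate {
				label = "REMOTE TEMPLATE"
			}
			fmt.Printf("%s: %s [%s] -> %s\n", path, fd.Part, label, fd.Target)
		}
	}
}
```

Run it as `go run triage.go suspicious.docx`; a line such as `word/_rels/settings.xml.rels [REMOTE TEMPLATE] -> https://attacker.example/template.dotm` is the indicator to act on, and the remote URL is what to block and hunt for in proxy logs. Other external relationships (for example OLE objects or hyperlinks) are reported too, since the same check covers them, which is why the tool scans every .rels part rather than only settings.xml.rels.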
In this attack, the canary tokens probably serve to tell the attacker how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files, adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD, to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. Three of these were renamed after their behavior:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64, then decrypted with the hardcoded XXTEA key ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The encryption algorithm is similar to the one demonstrated here.
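To make the string obfuscation described above concrete, here is an added Go example, my own implementation rather than code from the sample or from xxtea-go, of the Base64-then-XXTEA scheme in the direction an analyst needs: decode a Base64 chunk and decrypt it with the key "STALKER". The zero-padding of short keys to 16 bytes and the trailing plaintext-length word follow the conventions I understand xxtea-go to use; treat that compatibility as an assumption and verify it against strings pulled from the binary. The encrypt direction is included only so that a round trip can be checked on a constructed string.

```go
package main

import (
	"encoding/base64"
	"errors"
)

const delta = 0x9e3779b9 // XXTEA round constant

// mx is the mixing function of Wheeler and Needham's corrected Block TEA (XXTEA).
func mx(sum, y, z, p, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// encryptWords runs the XXTEA rounds in place; blocks shorter than two words are left as they are.
func encryptWords(v, k []uint32) {
	n := uint32(len(v))
	if n < 2 {
		return
	}
	rounds := 6 + 52/n
	var sum uint32
	z := v[n-1]
	for ; rounds > 0; rounds-- {
		sum += delta
		e := (sum >> 2) & 3
		var p uint32
		for p = 0; p < n-1; p++ {
			v[p] += mx(sum, v[p+1], z, p, e, k)
			z = v[p]
		}
		v[n-1] += mx(sum, v[0], z, p, e, k)
		z = v[n-1]
	}
}

// decryptWords reverses encryptWords: same schedule, opposite order and sign.
func decryptWords(v, k []uint32) {
	n := uint32(len(v))
	if n < 2 {
		return
	}
	rounds := 6 + 52/n
	sum := rounds * delta // wraps modulo 2^32, as in the reference C code
	y := v[0]
	for ; rounds > 0; rounds-- {
		e := (sum >> 2) & 3
		var p uint32
		for p = n - 1; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n-1], p, e, k)
		y = v[0]
		sum -= delta
	}
}

// bytesToWords packs bytes little-endian into 32-bit words, zero-padding the last word.
func bytesToWords(b []byte) []uint32 {
	w := make([]uint32, (len(b)+3)/4)
	for i, c := range b {
		w[i/4] |= uint32(c) << (8 * uint(i%4))
	}
	return w
}

func wordsToBytes(w []uint32) []byte {
	out := make([]byte, 4*len(w))
	for i := range out {
		out[i] = byte(w[i/4] >> (8 * uint(i%4)))
	}
	return out
}

func keyWords(key []byte) []uint32 {
	var padded [16]byte // key zero-padded or truncated to 16 bytes (xxtea-go fix-up, assumption)
	copy(padded[:], key)
	return bytesToWords(padded[:])
}

// encryptToBase64 is the forward direction, kept only to build round-trip fixtures.
func encryptToBase64(plain, key []byte) string {
	w := append(bytesToWords(plain), uint32(len(plain))) // trailing length word (assumption)
	encryptWords(w, keyWords(key))
	return base64.StdEncoding.EncodeToString(wordsToBytes(w))
}

// decryptFromBase64 is the analyst's direction: Base64-decode, XXTEA-decrypt, then
// validate and strip the length word, which turns a wrong key into an error.
func decryptFromBase64(encoded string, key []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	if len(raw) < 4 || len(raw)%4 != 0 {
		return nil, errors.New("ciphertext is not a whole number of 32-bit words")
	}
	w := bytesToWords(raw)
	decryptWords(w, keyWords(key))
	body, m := wordsToBytes(w[:len(w)-1]), int(w[len(w)-1])
	if m < len(body)-3 || m > len(body) {
		return nil, errors.New("length word out of range: wrong key or corrupted input")
	}
	return body[:m], nil
}
```

The length check at the end is the only integrity signal XXTEA gives you: with the wrong key the last word decrypts to a random value, so the range test fails almost always, which is a convenient way to confirm the key when batch-decoding every Base64 blob extracted from the binary.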
The file content is encrypted with the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that use a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
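Putting together the file layout (nonce, ciphertext, tag) and the hardcoded key from the Vaggen ransomware section above, here is an added Go example of the recovery the write-up says is possible. It is my own code, not the Malwarebytes team's decryptor and not code from the sample: it splits off the 12-byte nonce, hands the remainder to AES-256-GCM Open (which expects ciphertext followed by the 16-byte tag, exactly what gcm.Seal produced) and writes the plaintext back under the original file name. It assumes the sample passed no additional authenticated data to gcm.Seal, which the write-up does not state; if that assumption is wrong, Open fails authentication and returns an error rather than producing wrong output, and the encrypted copy is left untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"os"
	"strings"
)

const (
	vaggenKey = "du_tar_mitt_hjart_mina_pengarna0" // 32-byte key recovered from the sample (see above)
	nonceSize = 12                                 // nonce written at the start of each .VAGGEN file
	tagSize   = 16                                 // GCM tag appended by gcm.Seal
	vaggenExt = ".VAGGEN"
)

// decryptVaggen undoes the file-level encryption: the first 12 bytes are the
// nonce, everything after it is ciphertext plus the 16-byte tag, which is
// exactly what cipher.AEAD.Open expects. A truncated or tampered file fails
// authentication and yields an error rather than corrupt output.
func decryptVaggen(blob []byte, key []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	// Assumption: the sample passed nil additional authenticated data to gcm.Seal.
	return gcm.Open(nil, nonce, sealed, nil)
}

// originalName strips the ransomware extension so the plaintext is written
// back under the name the file had before encryption.
func originalName(encryptedPath string) (string, error) {
	if !strings.HasSuffix(encryptedPath, vaggenExt) {
		return "", fmt.Errorf("%s does not carry the %s extension", encryptedPath, vaggenExt)
	}
	return strings.TrimSuffix(encryptedPath, vaggenExt), nil
}

// recoverFile decrypts one .VAGGEN file next to the original, leaving the
// encrypted copy in place so nothing is lost if the key assumption is wrong.
func recoverFile(encryptedPath string) error {
	outPath, err := originalName(encryptedPath)
	if err != nil {
		return err
	}
	blob, err := os.ReadFile(encryptedPath)
	if err != nil {
		return err
	}
	plain, err := decryptVaggen(blob, []byte(vaggenKey))
	if err != nil {
		return fmt.Errorf("%s: %w", encryptedPath, err)
	}
	return os.WriteFile(outPath, plain, 0o600)
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: vaggen-recover <file.VAGGEN> ...")
		os.Exit(2)
	}
	for _, p := range os.Args[1:] {
		if err := recoverFile(p); err != nil {
			fmt.Fprintln(os.Stderr, "failed:", err)
			continue
		}
		fmt.Println("recovered", p)
	}
}
```

Because GCM authenticates the whole message, a successful Open is also proof that the key and layout are right; there is no risk of writing out plausible-looking garbage the way a CBC or stream-cipher decryptor with a wrong key would. Run it against copies of the encrypted files, not the only remaining originals.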
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2139 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2140 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2141 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2142 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2143 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2144 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2145 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2146 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2147 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2148 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2149 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2150 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2151 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2152 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2153 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2154 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2155 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2156 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2157 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2158 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2159 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the shell function to execute killar.exe
- Checks the return value of the shell function to see whether it was successful (the return value would be the task ID of the executed application)
- If successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn't successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.
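The remote template injection described above leaves a trace a defender can look for before any macro runs: the document's word/_rels/settings.xml.rels carries an attachedTemplate relationship with TargetMode="External". The following is an added example (not code from the post or from the attacker's template) that opens a .docx as the zip container it is and reports such external template targets; the sample document is constructed in the block and the host example.invalid is a placeholder.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// OOXML relationship type that tells Word which template (.dotm) a document is attached to.
const attachedTemplateRel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// Part where Word records the attached template relationship.
const settingsRelsPath = "word/_rels/settings.xml.rels"

type relationship struct {
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

// RemoteTemplates returns the target of every attachedTemplate relationship marked
// External, i.e. a template Word will fetch from outside the document on open.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a zip/OOXML container: %w", err)
	}
	var targets []string
	for _, f := range zr.File {
		if f.Name != settingsRelsPath {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("bad %s: %w", settingsRelsPath, err)
		}
		for _, r := range rels.Rels {
			if r.Type == attachedTemplateRel && strings.EqualFold(r.TargetMode, "External") {
				targets = append(targets, r.Target)
			}
		}
	}
	return targets, nil
}

// TemplateHost extracts the host a remote template would be fetched from, so triage
// can compare it with the organisation's own template servers; relative targets yield false.
func TemplateHost(target string) (string, bool) {
	u, err := url.Parse(target)
	if err != nil || u.Host == "" {
		return "", false
	}
	return strings.ToLower(u.Hostname()), true
}

// buildSampleDocx constructs a minimal .docx-shaped zip for testing. An empty target
// produces a settings relationships part with no external template (the benign case).
func buildSampleDocx(target string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	add := func(name, body string) {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		if _, err := io.WriteString(w, body); err != nil {
			panic(err)
		}
	}
	add("[Content_Types].xml", `<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`)
	add("word/document.xml", `<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>`)
	rels := `<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`
	if target != "" {
		rels += fmt.Sprintf(`<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>`, attachedTemplateRel, target)
	}
	add(settingsRelsPath, rels+`</Relationships>`)
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Constructed sample: a document whose template lives on a placeholder host.
	doc := buildSampleDocx("https://example.invalid/raw/master/template.dotm")
	targets, err := RemoteTemplates(doc)
	if err != nil {
		panic(err)
	}
	for _, t := range targets {
		host, _ := TemplateHost(t)
		fmt.Printf("remote template: %s (host %s)\n", t, host)
	}
}
```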
Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER").

At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function path/filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 byte long nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12 byte long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2175 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2176 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. 
The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2177 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2178 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2179 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2180 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2181 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm 
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2182 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2183 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. 
The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2184 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2185 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2186 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2187 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2188 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2189 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2190 of 3467 We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2191 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2192 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2193 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. 
The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2194 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2195 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2196 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2197 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2198 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm 
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2199 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2200 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t 
successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2201 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2202 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. 
The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2203 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2204 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2205 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2206 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
- If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
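Template injection of the kind described above leaves a marker inside the document itself, before any macro runs: the attachedTemplate relationship in word/_rels/settings.xml.rels (the standard location, assumed here) points at a web URL instead of a local template file. The Go program below is an added example, not code from the post or from Malwarebytes, that scans a .docx for that marker; the two documents it builds in memory and the example.invalid host are constructed for the demonstration and are not indicators from this report.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// relsPart is the OOXML part in which Word records the template a document is
// attached to. A locally attached template (Normal.dotm) is harmless; template
// injection points the same relationship at a web URL, which Word fetches and
// then runs macros from. The part name is the standard location (assumption).
const relsPart = "word/_rels/settings.xml.rels"

// Relationship mirrors one <Relationship> element of a .rels part.
type Relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

// Relationships is the root element of a .rels part.
type Relationships struct {
	XMLName xml.Name       `xml:"Relationships"`
	Items   []Relationship `xml:"Relationship"`
}

// FindRemoteTemplates scans a .docx (a zip archive) and returns every
// attachedTemplate target that is an http(s) URL. file: targets are not
// reported on purpose: a local template also uses TargetMode="External".
func FindRemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a zip/OOXML container: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if f.Name != relsPart {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels Relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("malformed %s: %w", relsPart, err)
		}
		for _, r := range rels.Items {
			if !strings.HasSuffix(r.Type, "/attachedTemplate") {
				continue
			}
			t := strings.ToLower(r.Target)
			if strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") {
				hits = append(hits, r.Target)
			}
		}
	}
	return hits, nil
}

// buildSampleDocx packs one rels part into an in-memory zip so the scanner can
// run without a real document (constructed sample, not the phishing file).
func buildSampleDocx(rels string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create(relsPart)
	if err != nil {
		panic(err)
	}
	w.Write([]byte(rels)) // writes to memory; cannot fail in practice
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

const relsHeader = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" `

// injectedRels mimics template injection (example.invalid is a placeholder);
// benignRels is a document attached to a local template: External, but file:.
const injectedRels = relsHeader + `Target="http://example.invalid/raw/master/template.dotm" TargetMode="External"/>
</Relationships>`

const benignRels = relsHeader + `Target="file:///C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm" TargetMode="External"/>
</Relationships>`

func main() {
	for name, rels := range map[string]string{"injected": injectedRels, "benign": benignRels} {
		hits, err := FindRemoteTemplates(buildSampleDocx(rels))
		fmt.Printf("%s: remote templates=%v err=%v\n", name, hits, err)
	}
}
```

The check runs on the file at rest, so it works in a mail gateway or a file-share scanner as well as on an analyst's desk, and it fires whether or not macros are enabled. A remote template is not always malicious, but an http(s) target in a document that arrives from outside the organization is worth a closer look on its own.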
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the library xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Golang function path.filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 byte long nonce generated by CryptGenRandom.
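The recovery claim in this analysis follows directly from what the post reports: the nonce and the GCM tag travel inside the .VAGGEN file (12-byte nonce, then the gcm.Seal output, which is ciphertext followed by the 16-byte tag), and the 32-byte key is hardcoded in the binary. The Go program below is an added example, not the malware's code and not a Malwarebytes tool, that parses that layout and decrypts with the reported key; the sample it encrypts is constructed in memory, and crypto/rand stands in for the CryptGenRandom nonce source named in the analysis.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Layout of a .VAGGEN file as described in the analysis:
//   [12-byte nonce][ciphertext][16-byte GCM tag]
// gcm.Seal emits ciphertext||tag; the nonce used for the call is prefixed.
const (
	nonceSize = 12
	tagSize   = 16
)

// VaggenKey is the 32-byte key reported as hardcoded in the sample (AES-256).
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key length selects AES-128/192/256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
}

// RecoverVaggen splits a .VAGGEN blob into nonce and sealed payload and
// decrypts it. GCM authenticates the payload, so a wrong key or a damaged
// file fails cleanly instead of producing garbage.
func RecoverVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("blob too short to contain nonce and GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	plain, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("authentication failed (wrong key or corrupted file): %w", err)
	}
	return plain, nil
}

// sealVaggenLayout produces a blob in the same layout so RecoverVaggen can be
// exercised on constructed data (assumed layout from the analysis, not the
// malware's own routine).
func sealVaggenLayout(plain, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// dst = nonce: Seal appends ciphertext||tag after the nonce prefix.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

func main() {
	sample := []byte("constructed sample: contents of a victim file")
	blob, err := sealVaggenLayout(sample, VaggenKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob: %d bytes = %d nonce + %d ciphertext + %d tag\n",
		len(blob), nonceSize, len(sample), tagSize)
	got, err := RecoverVaggen(blob, VaggenKey)
	fmt.Printf("recovered with hardcoded key: %q (err=%v)\n", got, err)
	_, err = RecoverVaggen(blob, []byte("wrong key wrong key wrong key!!!"))
	fmt.Println("wrong key:", err)
}
```

The design point is the one the analysis makes: AES-256-GCM is sound, but a key embedded in the executable is available to anyone who has the binary, so the scheme protects nothing once the sample is analysed. Because the tag is authenticated, RecoverVaggen also doubles as an integrity check on a recovered file: it either returns the original bytes or an error, never a silently corrupted result.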
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12 byte long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2252 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2253 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2254 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. 
main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2255 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2256 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2257 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2258 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2259 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2260 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2261 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2262 of 3467 We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2263 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2264 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2265 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2266 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2267 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2268 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2269 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2270 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2271 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2272 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and 
payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2273 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2274 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. 
Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2275 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2276 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2277 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2278 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. 
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2279 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2280 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 
According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.
Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the shell function to execute killar.exe
- Checks the output of the shell function to see whether it was successful (the return value would be the task ID of the executed application)
- If successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn't successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.
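Template injection, as used by this document, works because Word follows an attachedTemplate relationship in the settings part whose TargetMode is External. The Go program below is an added example (not part of the original post and not Malwarebytes' tooling): it builds a constructed minimal .docx in memory and flags any external attachedTemplate target, which is a cheap triage check a mail gateway or analyst can run before the macro ever gets a chance to execute. The URL remote.example/template.dotm is a placeholder, not an indicator from the post.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// settingsRels is the OOXML part that carries the attachedTemplate relationship.
// Word fetches its Target when the document opens, which is what template injection abuses.
const settingsRels = "word/_rels/settings.xml.rels"

// attachedTemplateType is the relationship type Word uses for an attached template.
const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// relationships mirrors the <Relationships> root of a .rels part.
type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

type relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

// RemoteTemplates returns the targets of every attachedTemplate relationship whose
// TargetMode is External. An empty result means the document cannot pull a template
// from the network on open; a non-empty one is a strong triage signal.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML zip container: %w", err)
	}
	var remote []string
	for _, f := range zr.File {
		if f.Name != settingsRels {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("malformed %s: %w", settingsRels, err)
		}
		for _, r := range rels.Rels {
			if r.Type == attachedTemplateType && strings.EqualFold(r.TargetMode, "External") {
				remote = append(remote, r.Target)
			}
		}
	}
	return remote, nil
}

// buildSample assembles a minimal .docx in memory (constructed fixture, not a real
// phishing document). With template == "" no attached template is declared at all.
func buildSample(template string) []byte {
	const wNS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
	const rNS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
	settings := `<w:settings xmlns:w="` + wNS + `" xmlns:r="` + rNS + `">`
	rels := `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`
	if template != "" {
		settings += `<w:attachedTemplate r:id="rId1"/>`
		rels += `<Relationship Id="rId1" Type="` + attachedTemplateType +
			`" Target="` + template + `" TargetMode="External"/>`
	}
	settings += `</w:settings>`
	rels += `</Relationships>`
	parts := []struct{ name, body string }{
		{"[Content_Types].xml", `<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`},
		{"word/document.xml", `<w:document xmlns:w="` + wNS + `"><w:body/></w:document>`},
		{"word/settings.xml", settings},
		{settingsRels, rels},
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, p := range parts {
		w, err := zw.Create(p.name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(p.body)); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Placeholder URL standing in for the attacker-hosted .dotm described in the post.
	for name, doc := range map[string][]byte{
		"suspicious": buildSample("https://remote.example/template.dotm"),
		"benign":     buildSample(""),
	} {
		targets, err := RemoteTemplates(doc)
		fmt.Printf("%s: remote templates=%v err=%v\n", name, targets, err)
	}
}
```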
Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2284 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2285 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2286 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2287 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2288 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2289 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2290 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2291 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2292 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2293 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2294 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2295 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2296 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2297 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2298 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2299 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2300 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2301 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2302 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

1. Gets the %APPDATA% directory.
2. Creates the Byxor directory in %APPDATA%.
3. Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe and writes it as Polisen.exe.
4. Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe and writes it as Killar.exe.
5. Calls the VBA Shell function to execute killar.exe.
6. Checks the return value of Shell to see whether the launch succeeded (on success, the return value is the task ID of the started program).
7. If successful, sends an HTTP GET request to canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp.
8. If not successful, sends an HTTP GET request to canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html.

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event; it can be very useful as an early warning that an intruder has gained access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Their roles can be recovered from what they do:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, is linked from the original post.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64, then decrypted with the hardcoded XXTEA key "STALKER". At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback passed to the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The encryption routine follows the usual Go AES-GCM pattern (the original post links to an example of it).
The file content is encrypted with the gcm.Seal function. The output file (with the .VAGGEN extension) contains, in order:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money" (the trailing "0" brings it to the 32 bytes AES-256 requires). Using this key, we can easily decrypt the content, and because GCM authenticates the ciphertext, a successful decryption also confirms that the file was encrypted under this key and has not been damaged. With all these elements, we can recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at the Bitcoin address given in the ransom note.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
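A recovery tool for the file layout and key described above, written here as an added example rather than taken from the post or from any Malwarebytes tooling. It uses the reported key and the nonce || ciphertext || tag layout that gcm.Seal(nonce, nonce, data, nil) produces; EncryptVaggen exists only to generate test data (with crypto/rand standing in for the CryptGenRandom call in the malware). The choice to write the plaintext next to the .VAGGEN file and delete the encrypted copy only after a successful write is the example's own, since the post does not say how the malware disposes of the originals.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// The AES-256 key reported in the analysis (32 bytes, hence the trailing "0").
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	nonceLen = 12 // standard GCM nonce, one per file
	tagLen   = 16 // GCM authentication tag appended by Seal
	ext      = ".VAGGEN"
)

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(vaggenKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptVaggen reproduces the on-disk layout the report describes,
// nonce || ciphertext || tag, so the decryptor can be exercised offline.
// crypto/rand replaces the malware's CryptGenRandom call.
func EncryptVaggen(plaintext []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptVaggen recovers the plaintext of one .VAGGEN blob. Because the tag
// is checked under the same key, a wrong key, a truncated file or any
// corruption fails closed with an error instead of yielding garbage.
func DecryptVaggen(blob []byte) ([]byte, error) {
	if len(blob) < nonceLen+tagLen {
		return nil, errors.New("file too short to hold nonce and GCM tag")
	}
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceLen], blob[nonceLen:], nil)
}

// RecoverTree walks root (mirroring the malware's own filepath.Walk), writes
// every *.VAGGEN file back under its original name and removes the encrypted
// copy only once the plaintext is on disk. Files that fail to authenticate
// are left untouched and reported; the count of recovered files is returned.
func RecoverTree(root string) (int, error) {
	recovered := 0
	var failures []string
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !strings.HasSuffix(p, ext) {
			return err
		}
		blob, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		plain, err := DecryptVaggen(blob)
		if err != nil {
			failures = append(failures, p+": "+err.Error())
			return nil
		}
		if err := os.WriteFile(strings.TrimSuffix(p, ext), plain, info.Mode().Perm()); err != nil {
			return err
		}
		recovered++
		return os.Remove(p)
	})
	if err != nil {
		return recovered, err
	}
	if len(failures) > 0 {
		return recovered, fmt.Errorf("%d file(s) not recovered: %s", len(failures), strings.Join(failures, "; "))
	}
	return recovered, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: vaggen-recover <directory>")
		os.Exit(2)
	}
	n, err := RecoverTree(os.Args[1])
	fmt.Printf("recovered %d file(s)\n", n)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Run it against a copy of the affected tree first. A file that gcm.Open rejects was encrypted with a different key or build (or was damaged), not mis-parsed, and is deliberately left in place rather than overwritten with an unverified guess.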
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1
  summerofficetemplate.dotm: 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
  Download URLs:
    notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
    notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
  Canary tokens:
    canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
    canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
  alderson.exe: 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
  irving.exe: 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2
  UBC-COVID19-Survey-Mandatory.docx: e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
  template.dotm: 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
  Download URLs:
    notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
    notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
  Canary tokens:
    canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
    canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
  polisen.exe: 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
  killar.exe: 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3
  template1.dotm: 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
  Download URLs:
    notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
    notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
  Canary tokens:
    canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
    canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4
  smoothtemplates.dotm: ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
  Download URLs:
    notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
    notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
  Canary tokens:
    canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
    canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
  alderson.exe: b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
  irving.exe: 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5
  template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
  Download URLs:
    notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
    notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
  Canary tokens:
    canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
    canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
  mrmonster.exe: f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
  mrclean.exe: 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2325 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2326 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2327 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2328 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. 
Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2329 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2330 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2331 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2332 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. 
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2333 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2334 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2335 of 3467 We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2336 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2337 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2338 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2339 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2340 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2341 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2342 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2343 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2344 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2345 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: 
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2346 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2347 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2348 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2349 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2350 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2351 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2352 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2353 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell call to see whether it was successful (on success, the return value is the task ID of the executed application)
- If successful, it sends a GET HTTP request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, it sends a GET HTTP request to canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
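On the defender's side, the template-injection delivery described in this section can be flagged statically before the document is ever opened. The following is an added example, not code from Malwarebytes or from the post, that inspects a .docx for an externally attached template; the in-memory sample document, the example.invalid URL and the file:// path are constructed.

```go
package main

// Added example (not Malwarebytes' code): a static check for the remote-template
// relationship that Word template injection relies on. A .docx is a ZIP; the attached
// template is declared in word/_rels/settings.xml.rels as a Relationship of type
// attachedTemplate with TargetMode="External".
import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"os"
	"strings"
)

const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// relationships mirrors the OPC .rels schema, keeping only the attributes needed.
type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// FindAttachedTemplates returns every external attachedTemplate target declared
// in the document. An empty result means no template-injection indicator.
func FindAttachedTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML zip: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if f.Name != "word/_rels/settings.xml.rels" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("malformed rels part: %w", err)
		}
		for _, r := range rels.Rels {
			if r.Type == attachedTemplateType && r.TargetMode == "External" {
				hits = append(hits, r.Target)
			}
		}
	}
	return hits, nil
}

// IsRemoteURL separates the injection pattern (template fetched over http/https,
// as with the notabug.org hosting here) from a template attached by local path.
func IsRemoteURL(target string) bool {
	t := strings.ToLower(target)
	return strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://")
}

// BuildSampleDocx constructs a minimal in-memory .docx (test fixture, not a real
// document). With target == "" the settings rels part is omitted entirely.
func BuildSampleDocx(target string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	if target != "" {
		w, _ := zw.Create("word/_rels/settings.xml.rels")
		fmt.Fprintf(w, `<?xml version="1.0" encoding="UTF-8"?>`+
			`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`+
			`<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>`+
			`</Relationships>`, attachedTemplateType, target)
	}
	w, _ := zw.Create("word/document.xml")
	io.WriteString(w, `<document/>`)
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Placeholder URL; the campaign's real template path is in the IOCs, not repeated here.
	doc := BuildSampleDocx("https://example.invalid/template.dotm")
	hits, err := FindAttachedTemplates(doc)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, h := range hits {
		fmt.Printf("attachedTemplate -> %s (remote=%v)\n", h, IsRemoteURL(h))
	}
}
```

Run against a real file by replacing the constructed sample with os.ReadFile; a hit with remote=true is the pattern this campaign used, while a file:// or relative target is the ordinary local-template case.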
For this phishing document, the attacker is probably interested in how many people opened it and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Go function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12 bytes long nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12 bytes long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2363 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2364 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2365 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2366 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2367 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2368 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2369 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2370 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2371 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2372 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2373 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2374 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2375 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and DropBox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much harder to detect spam sent through file sharing services without generating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

  Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the VBA Shell function to execute Killar.exe
- Checks the return value of Shell to see whether the launch succeeded (on success, Shell returns the task ID of the started program)
- If successful, sends a GET request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, sends a GET request to canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document (with macros enabled) will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event; it can be very useful as an early warning that an intruder has gained access to a network.
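The relationship that makes the injection work is the earliest static artefact a defender can check, because the canary beacons only fire after the macro has already run. The following Go program is an added example and not code from the Malwarebytes analysis: it opens an OOXML package (a .docx or .dotm is just a zip), reads every .rels part and flags attachedTemplate relationships whose target is an http(s) URL or a UNC path. The document it scans is constructed in memory, and the template locations in it are placeholders rather than the real notabug.org path; only the attachedTemplate relationship type is the genuine OOXML identifier. Local file:// templates, which legitimate documents created from a custom template carry all the time, are deliberately not flagged.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// attachedTemplateRel is the real OOXML relationship type that Word resolves
// when the document opens; a remote Target here is what template injection is.
const attachedTemplateRel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// Finding is one attached-template relationship that points off the local disk.
type Finding struct {
	Part   string // the .rels part that declared it, e.g. word/_rels/settings.xml.rels
	ID     string
	Target string
}

// relationships captures just the attributes needed from a .rels part.
type relationships struct {
	Rels []struct {
		ID     string `xml:"Id,attr"`
		Type   string `xml:"Type,attr"`
		Target string `xml:"Target,attr"`
	} `xml:"Relationship"`
}

// isRemote is true for targets that make Word reach over the network (http(s)
// URLs and UNC paths). Local file:// templates are the normal case for documents
// built from a custom template and are deliberately left alone.
func isRemote(target string) bool {
	t := strings.ToLower(strings.TrimSpace(target))
	return strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") || strings.HasPrefix(t, `\\`)
}

// FindRemoteTemplates reads every .rels part of an OOXML package (a .docx or
// .dotm is just a zip) and returns the attached-template relationships whose
// target is remote. The target itself decides, not the TargetMode attribute.
func FindRemoteTemplates(pkg []byte) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(pkg), int64(len(pkg)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML package: %w", err)
	}
	var findings []Finding
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(io.LimitReader(rc, 1<<20)) // a .rels part is tiny; cap zip bombs
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if r.Type == attachedTemplateRel && isRemote(r.Target) {
				findings = append(findings, Finding{Part: f.Name, ID: r.ID, Target: r.Target})
			}
		}
	}
	return findings, nil
}

// buildSampleDocx constructs a minimal package carrying one attached template.
// It stands in for the real phishing document, which is not reproduced here.
func buildSampleDocx(templateTarget string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	parts := map[string]string{
		"word/document.xml": `<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>`,
		"word/_rels/settings.xml.rels": `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>` +
			`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` +
			`<Relationship Id="rId1" Type="` + attachedTemplateRel + `" Target="` + templateTarget + `" TargetMode="External"/>` +
			`</Relationships>`,
	}
	for name, body := range parts {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		io.WriteString(w, body)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}
```

Run FindRemoteTemplates over the bytes of any suspicious document, or over the downloaded .dotm itself. A hit on word/_rels/settings.xml.rels is the classic signature of this technique; the same walk over all .rels parts also catches a remote template declared from a less common part.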
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and appends the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding the equivalent of 80 USD, payable in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go. Execution starts in the function named main_main. Other functions belonging to the main package have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. The three that matter for the encryption routine are (the names on the right are descriptive names assigned during analysis):

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (for example the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64 and then decrypted with the hardcoded XXTEA key “STALKER”. At the end of execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the gcm.Seal function. The output file (with the .VAGGEN extension) contains, in order:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

This is the layout Go’s gcm.Seal produces when the nonce slice is also passed as the destination buffer: the nonce stays at the front, followed by the ciphertext and the authentication tag.

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”; the trailing “0” pads the phrase to the 32 bytes AES-256 requires. Using this key, we can easily decrypt the content. With all these elements, we can recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
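The string-decryption step described above (Base64, then XXTEA with the key “STALKER”) can be reproduced offline. The program below is an added example, not the malware’s code and not the xxtea-go library itself, which does the same in a single DecryptString call. It reimplements XXTEA with the standard library only, following the xxtea-go layout (key zero-padded to 16 bytes, little-endian words, plaintext length stored in a trailing word); that layout is stated here as an assumption, so verify against a real Base64 chunk from the sample before relying on it. The ransom-note text it uses as input is constructed, not the real note.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
)

const delta = 0x9e3779b9 // XXTEA round constant
// toWords packs bytes into little-endian words; withLen appends the byte length as one extra word (xxtea-go layout).
func toWords(b []byte, withLen bool) []uint32 {
	buf := make([]byte, (len(b)+3)/4*4+4) // zero padding plus one spare word
	copy(buf, b)
	v := make([]uint32, len(buf)/4)
	for i := range v {
		v[i] = binary.LittleEndian.Uint32(buf[i*4:])
	}
	if !withLen {
		return v[:len(v)-1]
	}
	v[len(v)-1] = uint32(len(b))
	return v
}

// fromWords is the inverse; with withLen it checks the length word before trusting it.
func fromWords(v []uint32, withLen bool) ([]byte, error) {
	out := make([]byte, len(v)*4)
	for i, w := range v {
		binary.LittleEndian.PutUint32(out[i*4:], w)
	}
	if !withLen {
		return out, nil
	}
	m := int(v[len(v)-1]) // must fit inside the payload words exactly
	if m < len(out)-7 || m > len(out)-4 {
		return nil, errors.New("xxtea: wrong key or corrupt data")
	}
	return out[:m], nil
}

// btea runs the XXTEA rounds in place over a word array of two or more words.
func btea(v []uint32, key string, decrypt bool) {
	var raw [16]byte // key zero-padded to 128 bits, as xxtea-go does ("STALKER" is 7 bytes)
	copy(raw[:], key)
	var k [4]uint32
	for i := range k {
		k[i] = binary.LittleEndian.Uint32(raw[i*4:])
	}
	n := uint32(len(v) - 1)
	rounds := 6 + 52/(n+1)
	mx := func(sum, y, z, p uint32) uint32 {
		return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[p&3^(sum>>2&3)] ^ z))
	}
	if decrypt {
		y := v[0]
		for sum := rounds * delta; sum != 0; sum -= delta {
			for p := n; p > 0; p-- {
				v[p] -= mx(sum, y, v[p-1], p)
				y = v[p]
			}
			v[0] -= mx(sum, y, v[n], 0)
			y = v[0]
		}
		return
	}
	z := v[n]
	for sum := uint32(0); rounds > 0; rounds-- {
		sum += delta
		for p := uint32(0); p < n; p++ {
			v[p] += mx(sum, v[p+1], z, p)
			z = v[p]
		}
		v[n] += mx(sum, v[0], z, n)
		z = v[n]
	}
}

// EncryptXXTEAString mirrors xxtea-go's EncryptString: XXTEA, then Base64.
func EncryptXXTEAString(plain, key string) string {
	v := toWords([]byte(plain), true)
	btea(v, key, false)
	out, _ := fromWords(v, false) // a plain word dump cannot fail
	return base64.StdEncoding.EncodeToString(out)
}

// DecryptXXTEAString reverses it: Base64-decode, decrypt, strip the padding.
func DecryptXXTEAString(enc, key string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err == nil && (len(raw) < 8 || len(raw)%4 != 0) {
		err = errors.New("xxtea: ciphertext must be word-aligned and at least 8 bytes")
	}
	if err != nil {
		return "", err
	}
	v := toWords(raw, false)
	btea(v, key, true)
	out, err := fromWords(v, true)
	return string(out), err
}
```

DecryptXXTEAString("<Base64 chunk from the binary>", "STALKER") is the call that recovers a note string; the length check in fromWords is what turns a wrong key into an error instead of random bytes, which is worth keeping when the key guess is uncertain.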
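The recovery claim can be checked end to end. The program below is an added example written for this article, not Malwarebytes’ or the attacker’s code; the key, the nonce and tag sizes and the nonce || ciphertext || tag layout come from the analysis above, while the sample content, the file name and the RecoverFile helper are assumptions for illustration. The same DecryptVaggen routine applies unchanged to a real .VAGGEN file, and because GCM is authenticated, a wrong key or a corrupted file produces an error rather than garbage output.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// VaggenKey is the 32-byte key hardcoded in the sample. The trailing "0" pads
// the Swedish phrase to exactly the length AES-256 requires.
const VaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

// VaggenExt is appended to every encrypted file.
const VaggenExt = ".VAGGEN"

func vaggenGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(VaggenKey)) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptVaggen reproduces the on-disk layout described in the analysis:
// nonce || ciphertext || 16-byte GCM tag. Passing the nonce as Seal's dst is
// what makes it land at the front of the output.
func EncryptVaggen(plaintext []byte) ([]byte, error) {
	gcm, err := vaggenGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptVaggen undoes EncryptVaggen. GCM authenticates before it decrypts, so
// a wrong key or a damaged file yields an error rather than silent garbage.
func DecryptVaggen(blob []byte) ([]byte, error) {
	gcm, err := vaggenGCM()
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("vaggen: file too short to hold a nonce and a tag")
	}
	plain, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return nil, fmt.Errorf("vaggen: authentication failed (wrong key or damaged file): %w", err)
	}
	return plain, nil
}

// RecoverFile decrypts one .VAGGEN file next to itself, dropping the extension.
// The encrypted original is left in place so a failed run never destroys evidence.
func RecoverFile(encPath string) (string, error) {
	if !strings.HasSuffix(encPath, VaggenExt) {
		return "", fmt.Errorf("%s: not a %s file", encPath, VaggenExt)
	}
	blob, err := os.ReadFile(encPath)
	if err != nil {
		return "", err
	}
	plain, err := DecryptVaggen(blob)
	if err != nil {
		return "", err
	}
	outPath := strings.TrimSuffix(encPath, VaggenExt)
	return outPath, os.WriteFile(outPath, plain, 0o600) // restored data stays private to the owner
}

func main() {
	// Constructed sample content; no real victim data is involved.
	original := []byte("2020 remote-work survey results (constructed sample)")
	blob, err := EncryptVaggen(original)
	if err != nil {
		panic(err)
	}
	fmt.Printf("nonce=%x tag=%x\n", blob[:12], blob[len(blob)-16:])
	plain, err := DecryptVaggen(blob)
	fmt.Printf("recovered=%q err=%v\n", plain, err)
	blob[12] ^= 0x01 // flip one ciphertext bit: the tag no longer verifies
	_, err = DecryptVaggen(blob)
	fmt.Println("tampered:", err)
}
```

For a real incident, walk the affected tree, call RecoverFile on every path ending in .VAGGEN, and only delete the encrypted copies once the recovered files have been verified, since any file the malware truncated or rewrote with a different key will fail the tag check and needs to be restored from backup instead.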
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2401 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2402 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. 
Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2403 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2404 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2405 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2406 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. 
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2407 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2408 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2409 of 3467 We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2410 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2411 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2412 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2413 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2414 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2415 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2416 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2417 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2418 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2419 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: 
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2420 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2421 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2422 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2423 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2424 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2425 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2426 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2427 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly.

This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether the launch succeeded (the return value would be the task ID of the executed application)
- If successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn't successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning system that an intruder has had access to a network.
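The template-injection step described above is something a defender can check for before a document is ever opened: a .docx that pulls a remote template carries an attachedTemplate relationship with an http(s) target in word/_rels/settings.xml.rels, whereas an ordinary document either has no such part or points it at a local file:// path (its Normal.dotm). The Go program below is an added example written for this write-up, not code from the post, from Malwarebytes or from the malware; it parses that relationship part and lists remote template URLs. The sample document, its placeholder host (template-host.invalid) and the local template path are all constructed for the self-test.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Where Word keeps the attached-template relationship, and the relationship
// type it uses for it. Both are fixed by the OOXML spec, not by this sample.
const (
	relsPath             = "word/_rels/settings.xml.rels"
	attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)

type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// RemoteTemplates returns the http(s) template URLs a .docx would fetch when
// opened. A document without a settings relationships part, or whose attached
// template is a local file:// path, yields an empty result.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML package: %w", err)
	}
	for _, f := range zr.File {
		if f.Name != relsPath {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, err
		}
		var found []string
		for _, r := range rels.Rels {
			target := strings.ToLower(r.Target)
			if r.Type == attachedTemplateType && r.TargetMode == "External" &&
				(strings.HasPrefix(target, "http://") || strings.HasPrefix(target, "https://")) {
				found = append(found, r.Target)
			}
		}
		return found, nil
	}
	return nil, nil
}

// Constructed relationship parts for the self-test (placeholder host, not the
// attacker's): one remote template, one local Normal.dotm as Word writes it.
const (
	InjectedRels = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="https://template-host.invalid/raw/master/template.dotm" TargetMode="External"/>
</Relationships>`
	BenignRels = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="file:///C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm" TargetMode="External"/>
</Relationships>`
)

// BuildSampleDocx wraps a relationships part in a minimal package so the check
// runs offline; pass "" to build a document without that part at all.
func BuildSampleDocx(rels string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("word/document.xml")
	w.Write([]byte(`<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>`))
	if rels != "" {
		w, _ = zw.Create(relsPath)
		w.Write([]byte(rels))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	urls, err := RemoteTemplates(BuildSampleDocx(InjectedRels))
	fmt.Println("remote templates in constructed sample:", urls, "error:", err)
}
```

Run against a real file by reading it with os.ReadFile and passing the bytes to RemoteTemplates; a non-empty result is a reason to quarantine the document and block the host before any macro has a chance to run, because the template (and its macro) only arrives after the relationship is followed.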
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD, to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Some of them map to their purpose as follows:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
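The recovery claim in the Vaggen section above follows directly from the file layout it describes: with the nonce stored in the first 12 bytes, the GCM tag in the last 16 and the key hardcoded in the binary, gcm.Open has everything it needs, and the tag check means a corrupted file is reported rather than silently turned into garbage. The Go program below is an added example written for this write-up, not code from the post, from Malwarebytes or from the malware; it decrypts one .VAGGEN blob, then walks a directory the way the ransomware's path/filepath.Walk callback did, in reverse, writing a decrypted copy beside each .VAGGEN file and leaving the original in place. The key and extension are the ones quoted in the post; the sample plaintext, the fixed nonce used to build the test blob and the file names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Parameters from the analysis: AES-256-GCM under the hardcoded 32-byte key,
// 12-byte nonce prepended to the file, 16-byte tag appended by gcm.Seal.
const (
	vaggenKey          = "du_tar_mitt_hjart_mina_pengarna0"
	vaggenExt          = ".VAGGEN"
	nonceSize, tagSize = 12, 16
)

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(vaggenKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptVaggen recovers the plaintext of one blob laid out as
// nonce || ciphertext || tag. gcm.Open verifies the tag before returning
// anything, so a truncated or tampered file fails instead of "recovering".
func DecryptVaggen(blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, fmt.Errorf("blob of %d bytes cannot hold a nonce and a GCM tag", len(blob))
	}
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// BuildSampleBlob produces a blob in the same layout from constructed
// plaintext so the example runs without a real victim file. The fixed nonce
// exists only to make this test input reproducible.
func BuildSampleBlob(plaintext []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := []byte("constructed!") // exactly 12 bytes
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

// RecoveredName strips the ransomware extension: "report.docx.VAGGEN" -> "report.docx".
func RecoveredName(name string) (string, bool) {
	if !strings.HasSuffix(name, vaggenExt) {
		return name, false
	}
	return strings.TrimSuffix(name, vaggenExt), true
}

// RecoverTree walks root, decrypts every .VAGGEN file it finds and writes the
// plaintext under the original name. Originals are kept; the first error
// (including a failed tag check) stops the walk so nothing is half-written.
func RecoverTree(root string) ([]string, error) {
	var recovered []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		out, ok := RecoveredName(path)
		if d.IsDir() || !ok {
			return nil
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		plain, err := DecryptVaggen(blob)
		if err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		if err := os.WriteFile(out, plain, 0o600); err != nil {
			return err
		}
		recovered = append(recovered, out)
		return nil
	})
	return recovered, err
}

func main() {
	if len(os.Args) < 2 {
		fmt.Println("usage: vaggen-recover <directory>")
		return
	}
	recovered, err := RecoverTree(os.Args[1])
	fmt.Println("recovered:", recovered, "error:", err)
}
```

The design point worth taking from this is not the decryptor but why it works: a symmetric key compiled into the binary gives the attacker no advantage over anyone who has the sample, so files are recoverable the moment the key is extracted. Professional ransomware avoids exactly this by wrapping per-file keys with an asymmetric key whose private half never leaves the attacker, which is why "AES-256-GCM" on its own says nothing about whether recovery is possible.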
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2437 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2438 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2439 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2440 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2441 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2442 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2443 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2444 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2445 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2446 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2447 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2448 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2449 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks we have observed a number of phishing attacks against universities worldwide, which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

This attack and its motives, however, differ from those previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort the victims for the recovery of their encrypted files. On discovery, we contacted UBC to report our findings. They were already aware of the phishing campaign and kindly shared further information about the incident with us. Ultimately, the attack was unsuccessful thanks to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly by email, the attacker uploaded the document to Box and Dropbox and used the platforms' own share functionality to distribute it. This was probably done to evade spam and phishing filters, which would have blocked messages sent from a newly registered, low-reputation email address. Spam arriving as an invitation from a legitimate file-sharing service is much harder to detect without generating a number of false positives.

The attacker claimed to be a manager and added the following comment to the file-sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to the shared document. A Box or Dropbox account was required to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection: the .docx itself carries no macro, but its settings reference a remote template (template.dotm) that Word downloads when the document is opened, and that template is weaponized with the malicious macro. The template was uploaded to a free code-hosting website (notabug.org).

When the macro executes, it does the following:

- gets the %APPDATA% directory
- creates the Byxor directory in %APPDATA%
- downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe and writes it as Polisen.exe
- downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe and writes it as Killar.exe
- calls the Shell function to execute Killar.exe
- checks the value returned by Shell to see whether the launch succeeded (on success the return value is the task ID of the started process)
- if successful, sends an HTTP GET request to canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- if unsuccessful, sends an HTTP GET request to canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We identified four other variants of the remote templates and payloads. In some of the folders we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document triggers a notification via the canarytokens.com website. Typically, people use this type of service to be alerted when a particular event occurs, and it can be very useful as an early warning that an intruder has gained access to a network.
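Template injection of the kind described above can be spotted without opening the document in Word: a .docx is a ZIP container, and a remote template is declared as an attachedTemplate relationship with TargetMode="External" in word/_rels/settings.xml.rels. The following Go program is an added example written for this page, not code from the post or from the attacker's toolkit; the minimal container it builds and the placeholder notabug.org path are constructed test input, and the relationship type string is the standard OOXML one.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// relationships models word/_rels/settings.xml.rels. Word resolves an
// attachedTemplate relationship with TargetMode="External" by fetching the
// Target URL when the document opens; that fetch is the template-injection hook.
type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// RemoteTemplates reads a .docx held in memory and returns every external
// attached-template URL it declares; nil means no remote template is pulled.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML/zip container: %w", err)
	}
	var found []string
	for _, f := range zr.File {
		if f.Name != "word/_rels/settings.xml.rels" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		raw, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(raw, &rels); err != nil {
			return nil, fmt.Errorf("malformed settings.xml.rels: %w", err)
		}
		for _, r := range rels.Rels {
			if strings.HasSuffix(r.Type, "/attachedTemplate") && strings.EqualFold(r.TargetMode, "External") {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

// buildDocx constructs a minimal container holding only the part the check
// inspects. It is test input made for this example, not a file from the campaign,
// and templateURL is pasted into the XML unescaped, so keep it free of & and ".
func buildDocx(templateURL string) []byte {
	rels := `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>` +
		`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`
	if templateURL != "" {
		rels += `<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="` +
			templateURL + `" TargetMode="External"/>`
	}
	rels += `</Relationships>`
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("word/_rels/settings.xml.rels")
	io.WriteString(w, rels)
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Placeholder URL in the shape of the campaign's notabug.org hosting; not the real path.
	for _, doc := range [][]byte{buildDocx("https://notabug.org/example/repo/raw/master/template.dotm"), buildDocx("")} {
		urls, err := RemoteTemplates(doc)
		fmt.Printf("remote templates: %q (err=%v)\n", urls, err)
	}
}
```

Run it over a quarantined sample with `RemoteTemplates(os.ReadFile(...))` before anyone double-clicks it. The check only reads the settings relationships, which is where attachedTemplate lives; a fuller triage also looks at word/_rels/document.xml.rels for other External targets (OLE objects, frames) that can pull remote content in the same way.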
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are located.

Vaggen ransomware

Once deployed, the ransomware encrypts the user's files, appending the .VAGGEN extension to each one. When encryption has finished, it drops a ransom note on the Desktop demanding the equivalent of 80 USD, payable in Bitcoin.

The ransomware appears to have been written from scratch. It is a relatively straightforward Go application whose entry point is the function main_main. Other functions in the main package have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. Three of them map onto recognizable tasks:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (for example the text of the ransom note) are encrypted with XXTEA, using the xxtea-go library. Each encrypted chunk is first decoded from Base64 and then decrypted with the hardcoded XXTEA key "STALKER". At the end of execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go library function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated with CryptGenRandom.
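Before moving on to the file encryption, here is a string decryptor for the XXTEA-protected strings described above. It is an added example for this page, not code from the post, from xxtea-go or from the sample: the cipher core follows the published XXTEA (corrected Block TEA) reference routine, and the byte conventions are assumptions taken from the xxtea-go library's usual behaviour (little-endian words, the key zero-padded or truncated to 16 bytes, the plaintext byte length appended as a trailing word, standard Base64). If a real string from the sample fails the trailer check, verify those assumptions against the library version embedded in the binary. The sample text in main is a constructed placeholder, not the real note.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

const delta = 0x9e3779b9

// mx is the XXTEA (corrected Block TEA) mixing function; k holds the 4 key words.
func mx(sum, y, z, p, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// xxteaEncrypt and xxteaDecrypt follow the reference btea() and work in place on n >= 2 words.
func xxteaEncrypt(v, k []uint32) {
	n := uint32(len(v))
	rounds := 6 + 52/n
	var sum, p uint32
	z := v[n-1]
	for ; rounds > 0; rounds-- {
		sum += delta
		e := (sum >> 2) & 3
		for p = 0; p < n-1; p++ {
			v[p] += mx(sum, v[p+1], z, p, e, k)
			z = v[p]
		}
		v[n-1] += mx(sum, v[0], z, p, e, k) // p == n-1 here, as in the reference
		z = v[n-1]
	}
}

func xxteaDecrypt(v, k []uint32) {
	n := uint32(len(v))
	rounds := 6 + 52/n
	sum := rounds * delta
	y := v[0]
	for ; rounds > 0; rounds-- {
		e := (sum >> 2) & 3
		for p := n - 1; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n-1], 0, e, k)
		y = v[0]
		sum -= delta
	}
}

// Byte layout (assumed from xxtea-go conventions): little-endian words, key
// zero-padded/truncated to 16 bytes, plaintext byte length kept as a trailing
// word, so a wrong key shows up as an implausible trailer after decryption.
func bytesToWords(b []byte) []uint32 {
	v := make([]uint32, len(b)/4)
	for i := range v {
		v[i] = binary.LittleEndian.Uint32(b[4*i:])
	}
	return v
}

func wordsToBytes(v []uint32) []byte {
	b := make([]byte, 4*len(v))
	for i, w := range v {
		binary.LittleEndian.PutUint32(b[4*i:], w)
	}
	return b
}

func fixKey(key []byte) []uint32 {
	var padded [16]byte
	copy(padded[:], key)
	return bytesToWords(padded[:])
}

// EncryptString builds a blob in the assumed sample format (used here to construct test input).
func EncryptString(plain string, key []byte) string {
	padded := append([]byte(plain), make([]byte, (4-len(plain)%4)%4)...)
	v := append(bytesToWords(padded), uint32(len(plain)))
	xxteaEncrypt(v, fixKey(key))
	return base64.StdEncoding.EncodeToString(wordsToBytes(v))
}

// DecryptString is the recovery direction: Base64 -> words -> XXTEA -> trailer check -> bytes.
func DecryptString(blob string, key []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	if len(raw)%4 != 0 || len(raw) < 8 {
		return "", errors.New("ciphertext must be at least two whole 32-bit words")
	}
	v := bytesToWords(raw)
	xxteaDecrypt(v, fixKey(key))
	n, m := len(v)-1, int(v[len(v)-1]) // n data words, m = claimed byte length
	if m < 4*n-3 || m > 4*n {
		return "", errors.New("length trailer mismatch: wrong key or corrupted data")
	}
	return string(wordsToBytes(v[:n])[:m]), nil
}

func main() {
	key := []byte("STALKER") // key recovered from the sample
	// Constructed placeholder text, not the real ransom note.
	blob := EncryptString("Your files are encrypted. Pay 80 USD in Bitcoin.", key)
	plain, err := DecryptString(blob, key)
	fmt.Printf("%s\n%q %v\n", blob, plain, err)
}
```

To recover the strings from the binary, pull each Base64 chunk out of the sample's data section and feed it to DecryptString with the "STALKER" key; the trailer check turns a wrong guess about the key or the byte layout into an explicit error instead of silent garbage.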
The file content is encrypted with the gcm.Seal function.

The output file (with the .VAGGEN extension) contains, in order:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM authentication tag

Go's gcm.Seal appends the tag to the ciphertext, so the last two items are simply the output of Seal written after the nonce.

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found in the malware is Swedish for "you take my heart, my money", with a trailing 0 that pads it to exactly 32 bytes, the AES-256 key length. Because the key is fixed and the nonce is stored at the start of each file, the content can be decrypted easily. With all these elements, encrypted files can be recovered without paying the ransom. It appears that the malware author has not received any payment so far at the Bitcoin address used for this campaign.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike professional ransomware, the attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with the nice touch of the canary tokens.

It is unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind the phishing attack.

We are grateful for the information shared with us by the University of British Columbia. It allowed us to paint a better picture of this attack and understand who the targets were.
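The recovery described under Vaggen ransomware above follows directly from the file layout (nonce, ciphertext, tag) and the hardcoded key. The Go program below is an added example for this page, not the post's decryptor and not the malware's code: DecryptVaggen is the recovery routine, and sealLikeVaggen reproduces the same on-disk layout only to construct test input (it uses crypto/rand where the sample calls CryptGenRandom). The plaintext in main is a constructed sample, not a file from the incident.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// vaggenKey is the 32-byte key recovered from the sample (AES-256).
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	nonceSize = 12 // standard GCM nonce; the sample fills it via CryptGenRandom
	tagSize   = 16 // GCM authentication tag appended by gcm.Seal
)

// sealLikeVaggen writes nonce || ciphertext || tag, the layout of a .VAGGEN
// file. Only used here to build test input for the decryptor.
func sealLikeVaggen(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal(dst, nonce, plaintext, aad) appends ciphertext||tag to dst, so passing
	// the nonce as dst yields the file layout in one call.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptVaggen recovers the plaintext of a .VAGGEN file. A wrong key, a
// truncated file or a flipped byte anywhere makes gcm.Open fail, so the GCM tag
// doubles as an integrity check on the recovered file.
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, ct := blob[:nonceSize], blob[nonceSize:]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, fmt.Errorf("authentication failed (wrong key or damaged file): %w", err)
	}
	return pt, nil
}

func main() {
	// Constructed sample document; not data from the incident.
	original := []byte("Department survey responses, Q3 2020 (constructed sample)")
	blob, err := sealLikeVaggen(vaggenKey, original)
	if err != nil {
		panic(err)
	}
	recovered, err := DecryptVaggen(vaggenKey, blob)
	fmt.Printf("%d-byte .VAGGEN blob, recovered %q (err=%v)\n", len(blob), recovered, err)
	fmt.Println("round trip ok:", bytes.Equal(original, recovered))
}
```

For a whole-tree recovery, call DecryptVaggen from a filepath.Walk callback that reads each *.VAGGEN file and writes the plaintext back under the original name (the suffix stripped), which mirrors how the malware itself iterates. Write only when gcm.Open succeeds: a file that fails authentication was either not produced by this key or has been damaged, and overwriting it would lose evidence.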
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2477 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2478 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2479 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2480 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. 
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2481 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2482 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2483 of 3467 We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2484 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2485 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2486 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2487 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2488 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2489 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2490 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2491 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2492 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2493 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: 
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2494 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2495 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2496 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2497 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2498 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2499 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2500 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2501 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2502 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2503 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2504 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
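The macro behaviour above gives a defender three clear things to alert on: an Office process writing executables under %APPDATA%, an Office process launching one of them, and an Office process reaching out to notabug.org or canarytokens.com. The Go program below is an added example written for this write-up, not code from the original post or from Malwarebytes. It runs those rules, plus the campaign-specific Byxor directory indicator, over a few constructed telemetry lines in an assumed "EVENT|IMAGE|TARGET" format; the line format, the paths, the user name and the list of Office images are all assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Alert is one rule hit against one telemetry line.
type Alert struct {
	Rule string
	Line string
}

// Constructed sample telemetry (not real logs from the incident) in an assumed
// "EVENT|IMAGE|TARGET" format: TARGET is the file written, the child image or the host.
var sampleTelemetry = []string{
	`FileCreate|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Users\alice\AppData\Roaming\Byxor\Polisen.exe`,
	`FileCreate|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Users\alice\AppData\Roaming\Byxor\Killar.exe`,
	`ProcessCreate|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Users\alice\AppData\Roaming\Byxor\Killar.exe`,
	`NetConnect|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|canarytokens.com`,
	`NetConnect|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|notabug.org`,
	`FileCreate|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Users\alice\Documents\report.docx`,
	`NetConnect|C:\Program Files\Mozilla Firefox\firefox.exe|canarytokens.com`,
	`ProcessCreate|C:\Windows\explorer.exe|C:\Users\alice\AppData\Roaming\Byxor\Killar.exe`,
}

// Hosts the macro contacts according to the write-up: the payload host and the canary beacon.
var suspiciousHosts = map[string]bool{"canarytokens.com": true, "notabug.org": true}

// baseName handles Windows paths even when this runs on a non-Windows analysis box.
func baseName(p string) string {
	return p[strings.LastIndexAny(p, `\/`)+1:]
}

// isOfficeImage reports whether the acting process is one of the (assumed) Office images.
func isOfficeImage(image string) bool {
	switch strings.ToUpper(baseName(image)) {
	case "WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE":
		return true
	}
	return false
}

// isAppDataExe matches an executable under %APPDATA% (Roaming), where the macro
// creates its Byxor directory.
func isAppDataExe(target string) bool {
	t := strings.ToLower(target)
	return strings.Contains(t, `\appdata\roaming\`) && strings.HasSuffix(t, ".exe")
}

// Detect runs the rules over every line; one line may raise several alerts.
func Detect(lines []string) []Alert {
	var alerts []Alert
	for _, line := range lines {
		parts := strings.SplitN(line, "|", 3)
		if len(parts) != 3 {
			continue // malformed line: skip it rather than abort the whole batch
		}
		event, image, target := parts[0], parts[1], parts[2]
		office := isOfficeImage(image)
		hit := func(rule string) { alerts = append(alerts, Alert{Rule: rule, Line: line}) }
		switch event {
		case "FileCreate":
			if office && isAppDataExe(target) {
				hit("office_writes_exe_to_appdata")
			}
		case "ProcessCreate":
			if office && isAppDataExe(target) {
				hit("office_spawns_exe_from_appdata")
			}
		case "NetConnect":
			// Only Office is flagged here: canarytokens.com is a legitimate service
			// that other software may contact for benign reasons.
			if office && suspiciousHosts[strings.ToLower(target)] {
				hit("office_contacts_payload_or_canary_host")
			}
		}
		// Campaign-specific indicator from the write-up, whatever the acting process.
		if strings.Contains(strings.ToLower(target), `\byxor\`) {
			hit("byxor_directory_ioc")
		}
	}
	return alerts
}

// CountByRule summarises hits per rule for triage.
func CountByRule(alerts []Alert) map[string]int {
	counts := map[string]int{}
	for _, a := range alerts {
		counts[a.Rule]++
	}
	return counts
}

func main() {
	alerts := Detect(sampleTelemetry)
	for _, a := range alerts {
		fmt.Printf("%-40s %s\n", a.Rule, a.Line)
	}
	fmt.Println(CountByRule(alerts))
}
```

On the sample above, the benign Word document write and the Firefox request to canarytokens.com raise nothing, while the explorer.exe launch of Killar.exe is caught only by the Byxor indicator; that is the intended split between behavioural rules (Office doing things Office should not do) and campaign-specific IOCs that will age quickly.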
Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Some of them could be mapped to their purpose:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12 byte long nonce generated by CryptGenRandom.
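To read the ransom note and the other protected strings, an analyst needs the inverse of the string protection described above: Base64 decode, then XXTEA with the key "STALKER". The Go program below is an added example written for this write-up, not the malware's code and not the xxtea-go library. It implements the reference XXTEA (Corrected Block TEA) rounds and assumes xxtea-go's framing conventions (key zero-padded to 16 bytes, little-endian 32-bit words, original byte length stored in the trailing word); if a sample turns out to use a different framing, only DecryptString's unpacking needs adjusting. The forward direction is included only so the decoder can be checked against a constructed fixture.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
)

const delta = 0x9e3779b9 // XXTEA round constant

// XXTEA reference rounds, in place over n >= 2 words; mx is the mixing step they share.
func mx(sum, y, z, p, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

func encryptWords(v, k []uint32) {
	n := uint32(len(v))
	sum, y, z := uint32(0), uint32(0), v[n-1]
	for rounds := 6 + 52/n; rounds > 0; rounds-- {
		sum += delta
		e := (sum >> 2) & 3
		for p := uint32(0); p < n-1; p++ {
			y = v[p+1]
			v[p] += mx(sum, y, z, p, e, k)
			z = v[p]
		}
		y = v[0]
		v[n-1] += mx(sum, y, z, n-1, e, k)
		z = v[n-1]
	}
}

func decryptWords(v, k []uint32) {
	n := uint32(len(v))
	rounds := 6 + 52/n
	sum, y, z := rounds*delta, v[0], uint32(0)
	for ; rounds > 0; rounds-- {
		e := (sum >> 2) & 3
		for p := n - 1; p > 0; p-- {
			z = v[p-1]
			v[p] -= mx(sum, y, z, p, e, k)
			y = v[p]
		}
		z = v[n-1]
		v[0] -= mx(sum, y, z, 0, e, k)
		y = v[0]
		sum -= delta
	}
}

func toWords(b []byte) []uint32 {
	v := make([]uint32, len(b)/4)
	for i := range v {
		v[i] = binary.LittleEndian.Uint32(b[4*i:])
	}
	return v
}

func toBytes(v []uint32) []byte {
	b := make([]byte, 4*len(v))
	for i, w := range v {
		binary.LittleEndian.PutUint32(b[4*i:], w)
	}
	return b
}

// keyWords zero-pads the key to 16 bytes as xxtea-go does (assumed); that is how "STALKER" fits.
func keyWords(key []byte) []uint32 {
	k := make([]byte, 16)
	copy(k, key)
	return toWords(k)
}

// DecryptString undoes the string protection: Base64, XXTEA, then the original length from the
// trailing word (xxtea-go framing, assumed). A wrong key almost always yields an inconsistent length.
func DecryptString(b64 string, key []byte) (string, error) {
	data, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(data) < 8 || len(data)%4 != 0 {
		return "", errors.New("chunk is not Base64 of at least two whole 32-bit words")
	}
	v := toWords(data)
	decryptWords(v, keyWords(key))
	if m, n := int(v[len(v)-1]), len(v); m >= (n-2)*4 && m <= (n-1)*4 {
		return string(toBytes(v[:n-1])[:m]), nil
	}
	return "", errors.New("length word inconsistent with data: wrong key or corrupt chunk")
}

// EncryptString is the forward direction, here only to build a constructed fixture for the decoder.
func EncryptString(plain string, key []byte) string {
	pb := []byte(plain)
	padded := make([]byte, 4*((len(pb)+3)/4))
	copy(padded, pb)
	v := append(toWords(padded), uint32(len(pb)))
	encryptWords(v, keyWords(key))
	return base64.StdEncoding.EncodeToString(toBytes(v))
}
```

Usage: `DecryptString(chunk, []byte("STALKER"))` on each Base64 chunk pulled from the binary. The length-word check is what turns a wrong key or a mis-identified chunk into an error instead of a page of garbage, which matters when sifting through dozens of candidate strings.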
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12 byte long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.
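Because the key is hardcoded and the file layout is nonce, ciphertext, tag, recovery needs nothing more than AES-256-GCM's Open over that layout. The Go program below is an added example written for this write-up, not the malware's code and not a Malwarebytes tool. It parses the .VAGGEN layout, relies on gcm.Open's tag check so that a wrong key or a damaged file is rejected instead of producing garbage, and walks a directory to restore every encrypted file while leaving the encrypted copy in place. It assumes that the extension was appended to the original name (report.docx.VAGGEN) and that the .VAGGEN file is the only remaining copy; the fixture it seals is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// The 32-byte key reported in the write-up; AES-256 requires exactly 32 bytes.
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	nonceSize = 12        // GCM standard nonce, the 12-byte prefix of every .VAGGEN file
	vaggenExt = ".VAGGEN" // appended to the original name (assumed: report.docx.VAGGEN)
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RecoverVaggen parses nonce || ciphertext || tag and returns the plaintext. gcm.Open
// checks the tag, so a wrong key or a damaged file is an error, never silent garbage.
func RecoverVaggen(blob, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceSize+gcm.Overhead() {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// sealLikeVaggen builds a constructed fixture in the same layout. Go's gcm.Seal
// appends the 16-byte tag to the ciphertext, which is why the files end with it.
func sealLikeVaggen(plain, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plain, nil)...), nil
}

// recoverFile decrypts one .VAGGEN file and writes the original name beside it; the
// encrypted copy stays in place so a failure never destroys the only evidence.
func recoverFile(path string, key []byte) error {
	blob, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	plain, err := RecoverVaggen(blob, key)
	if err != nil {
		return err
	}
	return os.WriteFile(strings.TrimSuffix(path, vaggenExt), plain, 0o600)
}

// RecoverDir walks root and reports how many files were restored and which failed;
// a file that fails the tag check is listed, never written out as garbage.
func RecoverDir(root string, key []byte) (recovered int, failed []string, err error) {
	err = filepath.Walk(root, func(path string, info os.FileInfo, walkErr error) error {
		if walkErr != nil || info.IsDir() || !strings.HasSuffix(path, vaggenExt) {
			return walkErr
		}
		if ferr := recoverFile(path, key); ferr != nil {
			failed = append(failed, path)
		} else {
			recovered++
		}
		return nil
	})
	return recovered, failed, err
}

func main() {
	blob, err := sealLikeVaggen([]byte("constructed sample document"), vaggenKey)
	if err != nil {
		panic(err)
	}
	got, err := RecoverVaggen(blob, vaggenKey)
	fmt.Printf("%d bytes on disk = 12 nonce + %d ciphertext + 16 tag; recovered %q, err=%v\n", len(blob), len(blob)-28, got, err)
}
```

Run it against a copy of the affected tree, not the originals, and review the failed list before deleting any .VAGGEN file: a failed tag check means either a corrupted file or a sample that used a different key, and both deserve a second look rather than an overwrite.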
Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2516 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2517 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2518 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2519 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2520 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2521 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2522 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2523 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam sent through file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

"Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!"

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe and writes it as Polisen.exe
- Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe and writes it as Killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of Shell to see whether it was successful (on success the return value is the task ID of the executed application)
- If successful, sends a GET HTTP request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, sends a GET HTTP request to canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning that an intruder has had access to a network.
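Template injection of the kind described above can be caught before the document is ever opened by inspecting the package's relationships. The Go check below is an added example, not code from the post or from the sample: it reads word/_rels/settings.xml.rels out of a .docx and reports any attachedTemplate relationship whose TargetMode is External and whose Target leaves the package. The package it inspects is constructed in memory, and https://template-host.example/template.dotm is a placeholder for the remote .dotm host.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"strings"
)

// Relationship type that binds a Word document to its attached template;
// template injection points this relationship at a remote .dotm.
const attachedTemplateRel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

type relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

// isRemote reports whether a target leaves the package (web or file URL,
// UNC path) instead of naming a local part.
func isRemote(target string) bool {
	t := strings.ToLower(target)
	return strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") ||
		strings.HasPrefix(t, "file://") || strings.HasPrefix(t, `\\`)
}

// RemoteTemplates opens a .docx (a zip package) and returns every external
// attached-template target declared in word/_rels/settings.xml.rels.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a valid OOXML package: %w", err)
	}
	var found []string
	for _, f := range zr.File {
		if f.Name != "word/_rels/settings.xml.rels" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		var rels relationships
		err = xml.NewDecoder(rc).Decode(&rels)
		rc.Close()
		if err != nil {
			return nil, fmt.Errorf("settings.xml.rels: %w", err)
		}
		for _, r := range rels.Rels {
			if r.Type == attachedTemplateRel && r.TargetMode == "External" && isRemote(r.Target) {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

// BuildDocx assembles a minimal package in memory so the check runs offline.
// Parts are constructed for this example, not taken from the real sample;
// an empty templateTarget yields a document with no attached template.
func BuildDocx(templateTarget string) []byte {
	rels := `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`
	if templateTarget != "" {
		rels += `<Relationship Id="rId1" Type="` + attachedTemplateRel + `" Target="` + templateTarget + `" TargetMode="External"/>`
	}
	rels += `</Relationships>`
	parts := map[string]string{
		"word/settings.xml":            `<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>`,
		"word/_rels/settings.xml.rels": rels,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		fw, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		fw.Write([]byte(body)) // in-memory buffer; any error surfaces at Close
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Placeholder URL standing in for the remote .dotm host used in the campaign.
	for _, target := range []string{"https://template-host.example/template.dotm", ""} {
		hits, err := RemoteTemplates(BuildDocx(target))
		fmt.Printf("remote templates: %q err=%v\n", hits, err)
	}
}
```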
Here, the canary tokens most likely tell the attacker how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Golang function path.filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 byte long nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12 byte long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
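Because the Vaggen key is hardcoded and each .VAGGEN file is laid out as nonce, ciphertext, GCM tag, recovery reduces to splitting those fields and calling gcm.Open with the key quoted above. The Go program below is an added example, not the malware's code or Malwarebytes' tooling: OpenVaggen does the recovery, SealVaggen only builds a fixture in the described layout so the decryption can be checked offline, and the sample plaintext is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Hardcoded AES-256 key recovered from the Vaggen sample (32 bytes).
const VaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	vaggenExt = ".VAGGEN"
	nonceLen  = 12 // nonce written at the start of every encrypted file
	tagLen    = 16 // GCM authentication tag appended by gcm.Seal
)

// newGCM builds the AES-256-GCM instance; a wrong-length key is rejected early.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// OpenVaggen parses the .VAGGEN layout (nonce || ciphertext || tag) and
// decrypts it. Because gcm.Open verifies the tag, a truncated, corrupted
// or differently keyed file returns an error instead of garbage.
func OpenVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceLen+tagLen {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceLen], blob[nonceLen:], nil)
}

// SealVaggen builds a test fixture in the same layout: a fresh 12-byte nonce
// followed by gcm.Seal's output (ciphertext then 16-byte tag). It exists only
// so OpenVaggen can be exercised offline; it is not the malware's code.
func SealVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Passing nonce as dst prepends it to the sealed data.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OriginalName strips the appended extension so a recovered file can be
// written back under its pre-encryption name.
func OriginalName(name string) (string, bool) {
	if !strings.HasSuffix(name, vaggenExt) {
		return name, false
	}
	return strings.TrimSuffix(name, vaggenExt), true
}

func main() {
	key := []byte(VaggenKey)
	// Constructed stand-in for a victim file; not data from the incident.
	plain := []byte("Q3 budget spreadsheet (constructed sample)")
	blob, err := SealVaggen(key, plain)
	if err != nil {
		panic(err)
	}
	got, err := OpenVaggen(key, blob)
	fmt.Printf("layout %d+%d+%d bytes, recovered %q, err=%v\n",
		nonceLen, len(blob)-nonceLen-tagLen, tagLen, got, err)
	name, _ := OriginalName("budget.xlsx" + vaggenExt)
	fmt.Println("restore as:", name)
}
```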
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2552 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2553 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. 
Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2554 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2555 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2556 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2557 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. 
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2558 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2559 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2560 of 3467 We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2561 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2562 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2563 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2564 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2565 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2566 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2567 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2568 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2569 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2570 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: 
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2571 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2572 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2573 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2574 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2575 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2576 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2577 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2578 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
According to UBC, fewer than a hundred people within a specific department received the link to the shared document. Because the file was shared privately rather than publicly, a Box or Dropbox account was required to download it. This may have been an effort to evade detection, or the attacker may have expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. The .docx itself carries no macro: it only declares an attached template, which Word resolves when the document opens, so the macro-enabled .dotm is fetched from the web at that moment. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the VBA Shell function to execute killar.exe
- Checks the return value of Shell to see whether the launch succeeded (on success the return value is the task ID of the started application)
- If successful, sends an HTTP GET request to canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, sends an HTTP GET request to canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document triggers a notification via the canarytokens.com website. Typically, defenders use this type of service to be alerted when a particular event occurs; it is very useful as an early warning that an intruder has accessed a network.
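The template-injection mechanism described above leaves a static fingerprint: an attachedTemplate relationship in the document package whose target is a web URL. The following program, an added example and not Malwarebytes' tooling, scans every .rels part of a .docx for that relationship and reports remote, macro-capable targets. It builds its own constructed sample packages in memory; the https URL code-host.invalid and the user path under C:\Users\alice are placeholders, not values from the campaign.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
	"path"
	"strings"
)

// Relationship type Word follows to locate the template a document is attached to.
const attachedTemplate = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

type relationship struct {
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}
type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

// RemoteTemplate is an attachedTemplate relationship that points at a web URL.
type RemoteTemplate struct {
	Part         string // .rels part carrying it, normally word/_rels/settings.xml.rels
	Target       string // what Word fetches when the document opens
	Host         string
	MacroCapable bool // .dotm/.docm target, so it can carry the macro
}

// FindRemoteTemplates scans every .rels part of an OOXML package for external
// attachedTemplate relationships with an http(s) target. Caveat: a normally
// attached local template (Normal.dotm) is also TargetMode="External", with a
// file:/// target, so the URL scheme, not the mode, separates the two cases.
func FindRemoteTemplates(doc []byte) ([]RemoteTemplate, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, err
	}
	var found []RemoteTemplate
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		raw, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(raw, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if r.Type != attachedTemplate || r.TargetMode != "External" {
				continue
			}
			u, err := url.Parse(r.Target)
			if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
				continue // file:/// local template, or unparsable: not remote injection
			}
			ext := strings.ToLower(path.Ext(u.Path))
			found = append(found, RemoteTemplate{Part: f.Name, Target: r.Target, Host: u.Host,
				MacroCapable: ext == ".dotm" || ext == ".docm"})
		}
	}
	return found, nil
}

// buildSampleDocx writes only the package part this check reads (a constructed
// sample, not the real lure); a non-empty target adds the relationship as Word stores it.
func buildSampleDocx(target string) []byte {
	parts := map[string]string{}
	if target != "" {
		parts["word/_rels/settings.xml.rels"] = `<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="` + attachedTemplate + `" Target="` + target + `" TargetMode="External"/></Relationships>`
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Hypothetical URL standing in for the attacker's raw code-hosting endpoint.
	hits, err := FindRemoteTemplates(buildSampleDocx("https://code-host.invalid/raw/master/template.dotm"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", hits)
}
```

Run it against a real sample by replacing buildSampleDocx with the bytes of the .docx; the check needs no Office installation and does not open the document, which makes it safe to run in a mail gateway or triage pipeline. Treat a hit as a strong signal rather than proof: a remote .dotx without macros is still unusual for a mail attachment, and the payload only matters once the template has been fetched.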
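The macro steps listed above also translate directly into endpoint detection logic. This added example (not from the original post) evaluates three rules over constructed Sysmon-style telemetry: an Office process writing an executable under %APPDATA%, Office spawning a process from that location, and Office contacting the campaign's download or canary hosts. The Byxor directory, the file names and the two hosts come from the analysis; the Event field names, rule names, the user "alice" and the benign browser activity are assumptions made for the sample.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Event is a simplified endpoint telemetry record (Sysmon-style fields), enough
// to express what the macro does on the host.
type Event struct {
	Kind        string // "file_create", "process_create" or "network"
	Image       string // process performing the action
	ParentImage string // parent of the new process (process_create only)
	Target      string // path written (file_create) or child image (process_create)
	Host        string // destination host (network only)
}

// Alert names the rule that fired and the artefact that triggered it.
type Alert struct {
	Rule string
	What string
}

// Hosts this campaign used for payload download and for the open-notification.
var campaignHosts = map[string]bool{"notabug.org": true, "canarytokens.com": true}

func isOffice(image string) bool {
	switch strings.ToLower(path.Base(strings.ReplaceAll(image, `\`, "/"))) {
	case "winword.exe", "excel.exe", "powerpnt.exe":
		return true
	}
	return false
}

func underRoamingAppData(p string) bool {
	return strings.Contains(strings.ToLower(p), `\appdata\roaming\`)
}

// DetectMacroDropper applies three rules that mirror the macro's steps: an Office
// process writing an .exe under %APPDATA%, Office launching a process from
// there, and Office contacting the campaign's download or canary hosts. The
// first two rules are generic to macro droppers; the third is campaign-specific.
func DetectMacroDropper(events []Event) []Alert {
	var alerts []Alert
	for _, e := range events {
		switch e.Kind {
		case "file_create":
			if isOffice(e.Image) && underRoamingAppData(e.Target) && strings.HasSuffix(strings.ToLower(e.Target), ".exe") {
				alerts = append(alerts, Alert{"office-drops-exe-in-appdata", e.Target})
			}
		case "process_create":
			if isOffice(e.ParentImage) && underRoamingAppData(e.Target) {
				alerts = append(alerts, Alert{"office-spawns-from-appdata", e.Target})
			}
		case "network":
			if isOffice(e.Image) && campaignHosts[strings.ToLower(e.Host)] {
				alerts = append(alerts, Alert{"office-contacts-campaign-host", e.Host})
			}
		}
	}
	return alerts
}

// sampleEvents is constructed telemetry: the macro's steps as they would appear
// on a victim host (user "alice" is hypothetical), mixed with benign activity.
func sampleEvents() []Event {
	const word = `C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE`
	const chrome = `C:\Program Files\Google\Chrome\Application\chrome.exe`
	const byxor = `C:\Users\alice\AppData\Roaming\Byxor\`
	return []Event{
		{Kind: "file_create", Image: word, Target: `C:\Users\alice\Documents\survey-notes.docx`},
		{Kind: "network", Image: word, Host: "notabug.org"},
		{Kind: "file_create", Image: word, Target: byxor + "Polisen.exe"},
		{Kind: "file_create", Image: word, Target: byxor + "Killar.exe"},
		{Kind: "process_create", ParentImage: word, Target: byxor + "Killar.exe"},
		{Kind: "network", Image: word, Host: "canarytokens.com"},
		{Kind: "process_create", ParentImage: `C:\Windows\explorer.exe`, Target: chrome},
		{Kind: "network", Image: chrome, Host: "canarytokens.com"},
	}
}

func main() {
	for _, a := range DetectMacroDropper(sampleEvents()) {
		fmt.Printf("%-32s %s\n", a.Rule, a.What)
	}
}
```

The browser's own request to canarytokens.com is deliberately not flagged: the signal is Office, not the user, talking to these hosts. In a real deployment the two generic rules are the ones worth keeping after the campaign's hosts go stale.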
In this case, the canary tokens most likely told the attacker how many people opened the document and perhaps where they were from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adds the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, starting from the function denoted as 'main_main'. Other functions belonging to the main package have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Several of them map to a clear purpose:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64 and then decrypted with the hardcoded XXTEA key "STALKER". At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback passed to the standard Go library function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode; the encryption routine is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) consists of:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money"; the trailing "0" pads the phrase to exactly 32 bytes, the AES-256 key length. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
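The .VAGGEN layout described in the Vaggen ransomware section above (12-byte nonce, then ciphertext, then the 16-byte GCM tag) is exactly what Go's gcm.Seal produces when the nonce is passed as its destination buffer, and the same idiom in reverse is all a recovery tool needs. The program below is an added example, not Malwarebytes' decryptor and not the malware's code: it reproduces the layout with the key the analysis reports, then parses and decrypts it, and shows that GCM's tag check makes a wrong key, a truncated file or a corrupted byte fail closed. The sample plaintext is constructed; the filepath.Walk-driven renaming is left to the usage note.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Key reported in the analysis; 32 bytes, which selects AES-256 in aes.NewCipher.
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	nonceSize = 12 // GCM's standard nonce size, as observed in the sample
	tagSize   = 16 // GCM authentication tag that Seal appends
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVaggen produces the on-disk layout: nonce || ciphertext || tag.
// Passing nonce as Seal's dst is the idiom that yields that byte order.
func SealVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { // the sample used CryptGenRandom
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenVaggen parses that layout and decrypts. gcm.Open verifies the tag, so a
// wrong key, a truncated file or a flipped byte returns an error instead of
// garbage; that is the property a recovery tool wants before it overwrites anything.
func OpenVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("blob too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, ctAndTag := blob[:nonceSize], blob[nonceSize:]
	return gcm.Open(nil, nonce, ctAndTag, nil)
}

func main() {
	sample := []byte("constructed sample: contents of a victim document") // constructed input
	blob, err := SealVaggen(vaggenKey, sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("nonce=%x | %d ciphertext bytes | tag=%x\n",
		blob[:nonceSize], len(blob)-nonceSize-tagSize, blob[len(blob)-tagSize:])
	got, err := OpenVaggen(vaggenKey, blob)
	if err != nil || !bytes.Equal(got, sample) {
		panic("round trip failed")
	}
	fmt.Println("recovered:", string(got))
	blob[len(blob)-1] ^= 0x01 // corrupt one tag byte
	if _, err := OpenVaggen(vaggenKey, blob); err != nil {
		fmt.Println("tampered file rejected:", err)
	}
}
```

To turn this into a recovery tool, walk the affected tree with filepath.Walk, feed each *.VAGGEN file to OpenVaggen, and write the plaintext to the original name only when Open returns no error; work on a copy of the data first. The design lesson is the one the analysis draws: AES-GCM is sound, but a key that ships inside the binary gives the victim the same capability as the author.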
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2588 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2589 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2590 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2591 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2592 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2593 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2594 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2595 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2596 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2597 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2598 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2599 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2600 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we have observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims into paying to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful thanks to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey by email directly, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file-sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment to the file-sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe and writes it as Polisen.exe
- Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe and writes it as Killar.exe
- Calls the VBA Shell function to execute Killar.exe
- Checks the return value of Shell to determine whether the launch succeeded (on success the return value is the task ID of the started process)
- If successful, sends an HTTP GET request to canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not, sends an HTTP GET request to canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document triggers a notification via the canarytokens.com website. People typically use this type of service to be alerted when a particular event occurs; it can serve as an early-warning system that an intruder has gained access to a network.
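The template-injection step above leaves a static trace in the document itself: a .docx is a zip, and the attached template is declared in word/_rels/settings.xml.rels as an attachedTemplate relationship whose Target is, in this campaign, a remote URL. The following Go program is an added example written for this page (not code from the original post or from the attacker) that extracts that relationship and flags remote targets. The helper buildSampleDocx constructs a minimal document in memory for offline testing, and the URL https://example.invalid/template.dotm it uses is a placeholder, not the real hosting location; all function names are mine.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"os"
	"strings"
)

// Relationship type Word uses for the attached template; template injection
// abuses this link to make Word fetch a remote .dotm when the file is opened.
const attachedTemplateRel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

type relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

// isRemote flags targets Word would fetch over the network: http(s) URLs and
// UNC paths. A benign document references a local Normal.dotm that is also
// marked External, so TargetMode on its own is not a useful signal.
func isRemote(r relationship) bool {
	t := strings.ToLower(r.Target)
	return r.TargetMode == "External" &&
		(strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") || strings.HasPrefix(t, `\\`))
}

// externalTemplates opens a .docx (an OOXML zip) and returns the target of
// every attachedTemplate relationship that points to a remote location.
func externalTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML container: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") { // relationships live only in *.rels parts
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if r.Type == attachedTemplateRel && isRemote(r) {
				hits = append(hits, r.Target)
			}
		}
	}
	return hits, nil
}

// buildSampleDocx constructs a minimal .docx in memory (constructed test data,
// not a real sample). A non-empty templateURL yields the remote attachedTemplate
// relationship; "" references a local Normal.dotm like a benign file does.
func buildSampleDocx(templateURL string) []byte {
	target := "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm"
	if templateURL != "" {
		target = templateURL
	}
	parts := map[string]string{
		"word/document.xml":            `<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>`,
		"word/settings.xml":            `<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>`,
		"word/_rels/settings.xml.rels": `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="` + attachedTemplateRel + `" Target="` + target + `" TargetMode="External"/></Relationships>`,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, _ := zw.Create(name)
		io.WriteString(w, body)
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	docx := buildSampleDocx("https://example.invalid/template.dotm") // placeholder URL
	if len(os.Args) > 1 {                                             // usage: go run . suspicious.docx
		var err error
		if docx, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	hits, err := externalTemplates(docx)
	fmt.Println("remote templates:", hits, "error:", err)
}
```

Run without arguments to check the constructed sample, or pass a .docx path to inspect a real file. Scanning every *.rels part rather than only settings.xml.rels costs nothing and also catches templates attached from other parts; the remote-scheme check is what separates the injection from the ordinary Normal.dotm reference every Word document carries.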
In this case, the canary tokens are probably there to tell the attacker how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adds the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, starting with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. Several of them map to clear roles:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, is linked from the original post.

Some of the strings used by the malware (such as the content of the ransom note) are encrypted with XXTEA, using the xxtea-go library. Encrypted chunks are first decoded from Base64 and then decrypted with the hardcoded XXTEA key "STALKER". At the end of execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine follows the standard Go AES-GCM pattern linked from the original post: it uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the gcm.Seal function. The output file (with the .VAGGEN extension) contains, in order:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Because the same key is embedded in every copy of the binary and the nonce is stored in clear at the start of each output file, we can easily decrypt the content; the weakness is the key management, not the cipher. GCM is an authenticated mode, so decryption with the right key also confirms that a file was not damaged, while a wrong key fails outright rather than producing garbage. With all these elements, encrypted files can be recovered without paying the ransom.

It appears that the malware author has not received any payment so far at the Bitcoin address given in the ransom note.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with the nice touch of adding canary tokens. It is unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that use a very similar macro to drop a coin miner, which raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. It allowed us to paint a better picture of this attack and understand who the targets were.
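Putting the format details above together (AES-256-GCM, the 32-byte key, a 12-byte nonce in front of the ciphertext and a 16-byte tag after it), the following Go program is an added example written for this page, not code from the original post or from the malware, that decrypts a .VAGGEN file. The function names decryptVaggen, recoverFile and restoreName are mine; encryptLikeVaggen only reconstructs the described on-disk layout so the decryptor can be exercised offline on constructed data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// Values taken from the write-up: a 32-byte hardcoded key (AES-256), a
// 12-byte nonce and the layout nonce || ciphertext || 16-byte GCM tag.
const (
	vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"
	vaggenExt = ".VAGGEN"
	nonceLen  = 12
	tagLen    = 16
)

func newGCM(key string) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key is %d bytes, AES-256 needs 32", len(key))
	}
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
}

// decryptVaggen turns the body of one .VAGGEN file back into plaintext.
// Because GCM is authenticated, a wrong key or a truncated/corrupted file
// fails verification instead of yielding garbage.
func decryptVaggen(blob []byte, key string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceLen+tagLen {
		return nil, errors.New("file too short to contain a nonce and a tag")
	}
	nonce, sealed := blob[:nonceLen], blob[nonceLen:] // Open expects ciphertext||tag
	plain, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("GCM authentication failed (wrong key or damaged file): %w", err)
	}
	return plain, nil
}

// encryptLikeVaggen reproduces the layout described in the write-up so the
// decryptor can be tested offline. It is a reconstruction, not malware code.
func encryptLikeVaggen(plain []byte, key string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the tag to the ciphertext; passing nonce as dst prepends it.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// restoreName strips the ransomware extension; ok is false if it is absent.
func restoreName(name string) (restored string, ok bool) {
	if !strings.HasSuffix(name, vaggenExt) {
		return name, false
	}
	return strings.TrimSuffix(name, vaggenExt), true
}

// recoverFile decrypts path (which must end in .VAGGEN) and writes the
// original next to it. The encrypted copy is left in place, so nothing is
// lost if the key turns out to be wrong for a given sample.
func recoverFile(path string) error {
	out, ok := restoreName(path)
	if !ok {
		return fmt.Errorf("%s does not carry the %s extension", path, vaggenExt)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	plain, err := decryptVaggen(blob, vaggenKey)
	if err != nil {
		return fmt.Errorf("%s: %w", path, err)
	}
	return os.WriteFile(out, plain, 0o600)
}

func main() {
	if len(os.Args) > 1 { // usage: go run . report.docx.VAGGEN
		if err := recoverFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		return
	}
	// Offline demo on constructed data.
	blob, _ := encryptLikeVaggen([]byte("constructed sample plaintext"), vaggenKey)
	plain, err := decryptVaggen(blob, vaggenKey)
	fmt.Printf("blob=%d bytes err=%v plain=%q\n", len(blob), err, plain)
}
```

Run it with the path of an encrypted file to write the decrypted copy beside it; without arguments it round-trips a constructed sample. Since the tag check rejects both a wrong key and a damaged file, a failure on a real sample means the variant differs from the one analysed here, not that the file was silently mangled.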
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs (file hashes are SHA-256)

Variant 1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2628 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2629 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2630 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2631 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. 
Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2632 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2633 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2634 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2635 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. 
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2636 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2637 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2638 of 3467 We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2639 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2640 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2641 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2642 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2643 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2644 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2645 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2646 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2647 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2648 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: 
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2649 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2650 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2651 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2652 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2653 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2654 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2655 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2656 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2657 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the shell function to execute killar.exe
- Checks the return value of the shell function to see whether it was successful (the return value would be the task ID of the executed application)
- If successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn't successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go library function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12 byte long nonce generated by CryptGenRandom.
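Before the file-encryption details, the string protection described above is worth reversing, because the ransom note and other strings are what an analyst wants out of the binary. The Go code below is an added example for this page, not code from the post, from the malware or from xxtea-go: Base64-decode, then XXTEA-decrypt with the hardcoded key "STALKER". The framing is an assumption that mirrors what xxtea-go does as far as the author of this example knows (little-endian 32-bit words, key zero-padded to 16 bytes, original byte length kept in a trailing word) and is the one thing to verify against a real sample before trusting the output; EncodeString exists only to construct test input.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

const delta = 0x9e3779b9

// mx is the XXTEA mixing term; p selects the key word together with e = (sum>>2)&3.
func mx(sum, y, z, p, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// xxtea runs corrected Block TEA over v in place; word p mixes with its right neighbour y and left neighbour z (wrapping).
func xxtea(v, k []uint32, decrypt bool) {
	n := uint32(len(v))
	if n < 2 {
		return
	}
	rounds := 6 + 52/n
	if !decrypt {
		var sum uint32
		for ; rounds > 0; rounds-- {
			sum += delta
			e := (sum >> 2) & 3
			for p := uint32(0); p < n; p++ {
				v[p] += mx(sum, v[(p+1)%n], v[(p+n-1)%n], p, e, k)
			}
		}
		return
	}
	sum := rounds * delta
	for ; rounds > 0; rounds-- {
		e := (sum >> 2) & 3
		for i := n; i > 0; i-- { // words are undone from the last to the first
			p := i - 1
			v[p] -= mx(sum, v[(p+1)%n], v[(p+n-1)%n], p, e, k)
		}
		sum -= delta
	}
}

// toWords packs bytes little-endian into zero-padded words; with includeLength the byte count becomes a trailing word (assumed xxtea-go framing).
func toWords(data []byte, includeLength bool) []uint32 {
	n := (len(data) + 3) / 4
	if includeLength {
		n++
	}
	words := make([]uint32, n)
	for i, b := range data {
		words[i/4] |= uint32(b) << (8 * uint(i%4))
	}
	if includeLength {
		words[n-1] = uint32(len(data))
	}
	return words
}

// toBytes is the inverse packing (no length handling).
func toBytes(words []uint32) []byte {
	out := make([]byte, 4*len(words))
	for i, w := range words {
		binary.LittleEndian.PutUint32(out[4*i:], w)
	}
	return out
}

func fixKey(key []byte) []uint32 {
	k := make([]byte, 16) // XXTEA uses a 128-bit key: zero-pad or truncate
	copy(k, key)
	return toWords(k, false)
}

// DecodeString reverses the protection described in the post: Base64-decode, XXTEA-decrypt, strip the length framing.
func DecodeString(b64 string, key []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) == 0 || len(raw)%4 != 0 {
		return "", fmt.Errorf("xxtea: bad Base64 or length (%v, %d bytes)", err, len(raw))
	}
	v := toWords(raw, false)
	xxtea(v, fixKey(key), true)
	// The trailing word must be a plausible byte count for the data words before it, so a wrong key almost always fails here.
	dataWords := uint32(len(v) - 1)
	n := v[dataWords]
	if n > 4*dataWords || n+3 < 4*dataWords {
		return "", fmt.Errorf("xxtea: length word %d inconsistent with %d data words", n, dataWords)
	}
	return string(toBytes(v)[:n]), nil
}

// EncodeString is the forward direction, used only to construct test input.
func EncodeString(s string, key []byte) string {
	v := toWords([]byte(s), true)
	xxtea(v, fixKey(key), false)
	return base64.StdEncoding.EncodeToString(toBytes(v))
}
```

The length check is what makes this usable on unknown blobs: if the framing assumption or the key is wrong, the trailing word is garbage and the function returns an error instead of a plausible-looking string.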
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2663 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2664 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2665 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2666 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2667 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2668 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2669 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2670 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2671 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2672 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2673 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2674 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2675 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2676 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2677 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2678 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell call to see whether it succeeded (on success, Shell returns the task ID of the launched application)
- If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning system that an intruder has had access to a network.
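One defensive check for the remote template injection described above, written here as an added example rather than taken from the write-up or from the attacker's files: it opens a .docx as the zip container it is, reads word/_rels/settings.xml.rels and reports any attachedTemplate relationship that points at an external URL. The rels path and relationship type are the standard Office Open XML ones; BuildDocx is a test-fixture helper that assembles a minimal, constructed container, not a real document.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"os"
	"strings"
)

// relsPath is the Office Open XML part that records which template a .docx is
// attached to; remote template injection points that relationship at a URL.
const relsPath = "word/_rels/settings.xml.rels"

// Minimal model of an OPC relationships part (only the fields we inspect).
type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

type relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr,omitempty"`
}

// RemoteTemplates inspects a .docx held in memory and returns every
// attachedTemplate relationship whose target is external and URL-like.
// A document without a settings rels part yields no findings and no error.
func RemoteTemplates(docx []byte) ([]relationship, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a zip container: %w", err)
	}
	var findings []relationship
	for _, f := range zr.File {
		if f.Name != relsPath {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		raw, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(raw, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", relsPath, err)
		}
		for _, r := range rels.Rels {
			target := strings.ToLower(r.Target)
			remote := strings.HasPrefix(target, "http://") || strings.HasPrefix(target, "https://")
			if strings.HasSuffix(r.Type, "/attachedTemplate") && r.TargetMode == "External" && remote {
				findings = append(findings, r)
			}
		}
	}
	return findings, nil
}

// BuildDocx assembles a minimal container holding only a settings rels part
// with the given relationships: constructed test input, not a real document.
func BuildDocx(rels []relationship) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create(relsPath)
	body, _ := xml.Marshal(relationships{Rels: rels})
	w.Write(body)
	zw.Close()
	return buf.Bytes()
}

func main() {
	if len(os.Args) != 2 {
		fmt.Println("usage: go run . <file.docx>")
		return
	}
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Println(err)
		return
	}
	findings, err := RemoteTemplates(data)
	for _, r := range findings {
		fmt.Printf("remote template via %s -> %s\n", r.ID, r.Target)
	}
	if err != nil {
		fmt.Println("error:", err)
	}
}
```

The same check applies to a .dotm, which uses the same container layout; a hit is a strong triage signal but not proof of malice, since legitimate documents can reference templates on internal HTTP shares.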
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (such as the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The encryption algorithm is similar to the one demonstrated here.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) consists of:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
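A recovery routine for the .VAGGEN layout described above (12-byte nonce, then ciphertext, then 16-byte GCM tag, sealed with the hardcoded 32-byte key), written here as an added example rather than taken from the ransomware or from the write-up. It assumes .VAGGEN is appended after the original file name, leaves every encrypted copy in place, and uses BuildFixture only to produce constructed test data in the same layout.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Layout the write-up reports for a .VAGGEN file: 12-byte nonce || AES-256-GCM ciphertext || 16-byte tag.
const (
	vaggenExt = ".VAGGEN"
	nonceSize = 12
	tagSize   = 16
)

// Hardcoded key reported in the write-up; 32 bytes, hence AES-256.
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

// DecryptVaggen recovers the plaintext from the raw content of one .VAGGEN file.
// The GCM tag check makes a wrong key or a truncated/corrupted file fail closed.
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, fmt.Errorf("file too short (%d bytes) to hold a nonce and a GCM tag", len(blob))
	}
	block, err := aes.NewCipher(key) // rejects anything but a 16/24/32-byte key
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // defaults: 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil) // rest is ciphertext||tag
}

// RestoreName strips the .VAGGEN extension (assumed appended after the original one).
func RestoreName(name string) (string, bool) {
	if !strings.HasSuffix(name, vaggenExt) {
		return name, false
	}
	return strings.TrimSuffix(name, vaggenExt), true
}

func recoverOne(key []byte, src, dst string) error {
	blob, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	plain, err := DecryptVaggen(key, blob)
	if err != nil {
		return err
	}
	return os.WriteFile(dst, plain, 0o600) // src is left untouched
}

// RecoverTree walks root with the same filepath.Walk the malware used to encrypt,
// returning the restored paths and one error per file that could not be recovered.
func RecoverTree(key []byte, root string) ([]string, []error) {
	var restored []string
	var errs []error
	filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		dst, ok := RestoreName(p)
		if err != nil || info.IsDir() || !ok {
			return nil
		}
		if rerr := recoverOne(key, p, dst); rerr != nil {
			errs = append(errs, fmt.Errorf("%s: %w", p, rerr))
		} else {
			restored = append(restored, dst)
		}
		return nil
	})
	return restored, errs
}

// BuildFixture seals plaintext in the same layout so the decryptor can be checked
// offline against constructed data (a test helper, not the malware's code).
func BuildFixture(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil) // nonce||ciphertext||tag
}

func main() {
	blob := BuildFixture(vaggenKey, []byte("constructed sample document body"))
	plain, err := DecryptVaggen(vaggenKey, blob)
	fmt.Printf("recovered %q (err=%v)\n", plain, err)
}
```

Because GCM authenticates the tag, a file from a variant with a different key simply fails to open rather than producing garbage, which is the check to run before touching a victim's tree at scale.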
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2702 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2703 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2704 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2705 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2706 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2707 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2708 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2709 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2710 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. 
Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2711 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2712 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2713 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2714 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. 
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2715 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2716 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2717 of 3467 We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2718 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2719 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2720 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2721 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2722 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2723 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2724 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2725 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2726 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2727 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: 
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2728 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2729 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2730 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2731 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2732 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2733 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
It’s unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that use a very similar macro to drop a coin miner, which raises further questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia; it allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2737 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2738 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2739 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2740 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2741 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2742 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2743 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2744 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2745 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2746 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2747 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2748 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2749 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2750 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2751 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2752 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2753 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2754 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2755 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2756 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2757 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam sent through file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe and writes it as Polisen.exe
Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe and writes it as Killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of Shell to determine whether the launch succeeded (on success, the return value is the task ID of the executed application)
If successful, sends an HTTP GET request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If not successful, sends an HTTP GET request to canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early-warning notification system that an intruder has had access to a network.
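A defender-side triage check for the template-injection technique described above, added here as an example and not code from the write-up: it opens a .docx as a zip, reads word/_rels/settings.xml.rels and reports any attachedTemplate relationship whose target is an http(s) URL, while leaving the usual local Normal.dotm pointer alone. The in-memory sample document, the template-host.invalid URL and the local template path are constructed for the test.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"os"
	"strings"
)

// Word records the attached template as a relationship of settings.xml; template
// injection points that relationship at a URL instead of a local .dotm file.
const settingsRels = "word/_rels/settings.xml.rels"
const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

type relationship struct {
	Type   string `xml:"Type,attr"`
	Target string `xml:"Target,attr"`
}

type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

// remoteTemplates returns every attachedTemplate target Word would fetch over http(s).
// A benign document usually carries a file:/// pointer to Normal.dotm here, which is
// also marked TargetMode="External", so the URL scheme, not the mode, is what matters.
func remoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a zip/OOXML package: %w", err)
	}
	for _, f := range zr.File {
		if f.Name != settingsRels {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("malformed %s: %w", settingsRels, err)
		}
		var remote []string
		for _, r := range rels.Rels {
			target := strings.ToLower(strings.TrimSpace(r.Target))
			if r.Type == attachedTemplateType && (strings.HasPrefix(target, "http://") || strings.HasPrefix(target, "https://")) {
				remote = append(remote, r.Target)
			}
		}
		return remote, nil
	}
	return nil, nil // no settings relationships part: the document has no attached template
}

// buildSampleDocx assembles a constructed, minimal .docx in memory that contains only
// the part the detector inspects, pointing at templateTarget; it exists for testing.
func buildSampleDocx(templateTarget string) []byte {
	rels := `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>` +
		`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` +
		`<Relationship Id="rId1" Type="` + attachedTemplateType + `" Target="` + templateTarget + `" TargetMode="External"/>` +
		`</Relationships>`
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create(settingsRels)
	if err != nil {
		panic(err)
	}
	w.Write([]byte(rels)) // writes into an in-memory buffer, which cannot fail
	zw.Close()
	return buf.Bytes()
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: template-check <file.docx>")
		os.Exit(2)
	}
	doc, err := os.ReadFile(os.Args[1])
	if err == nil {
		var targets []string
		if targets, err = remoteTemplates(doc); err == nil {
			fmt.Println("remote attached templates:", targets) // empty means none found
			return
		}
	}
	fmt.Fprintln(os.Stderr, err)
	os.Exit(1)
}
```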
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD, to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Some of them could be mapped to their purpose:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (such as the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) consists of:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
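The recovery the Vaggen ransomware section above says is possible, as an added example rather than the authors' own tooling: it reads a .VAGGEN file as nonce || ciphertext || tag, opens it with AES-256-GCM under the hardcoded key quoted in the write-up, and rejects truncated or tampered files because gcm.Open verifies the tag before returning anything. The buildSampleVaggen helper only produces constructed test data in that same layout; the command-line walk over a directory is an assumption about how one would apply it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// 32-byte AES-256 key hardcoded in the sample, as quoted in the write-up.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // GCM nonce stored at the start of every .VAGGEN file
	tagSize   = 16 // GCM tag that gcm.Seal appends after the ciphertext
	vaggenExt = ".VAGGEN"
)

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(vaggenKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
}

// decryptVaggen splits a .VAGGEN blob into nonce || ciphertext || tag and opens it.
// gcm.Open verifies the tag, so a truncated or tampered file is rejected instead of
// silently turning into garbage.
func decryptVaggen(blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// buildSampleVaggen produces a constructed test blob in the same layout: a fresh
// random nonce, then the Seal output, which is ciphertext followed by the tag.
func buildSampleVaggen(plaintext []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// restoreFile decrypts one .VAGGEN file and writes the original name beside it,
// leaving the encrypted copy in place as evidence.
func restoreFile(path string) (string, error) {
	if !strings.HasSuffix(path, vaggenExt) {
		return "", fmt.Errorf("%s does not carry the %s extension", path, vaggenExt)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plain, err := decryptVaggen(blob)
	if err != nil {
		return "", fmt.Errorf("%s: %w", path, err)
	}
	out := strings.TrimSuffix(path, vaggenExt)
	return out, os.WriteFile(out, plain, 0o600)
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: vaggen-restore <directory>")
		os.Exit(2)
	}
	// Walk the tree the same way the write-up says the encryptor does, in reverse.
	err := filepath.Walk(os.Args[1], func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !strings.HasSuffix(p, vaggenExt) {
			return err
		}
		if out, rerr := restoreFile(p); rerr != nil {
			fmt.Fprintln(os.Stderr, "skipped:", rerr)
		} else {
			fmt.Println("restored", out)
		}
		return nil
	})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```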
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2779 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2780 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2781 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2782 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2783 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2784 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2785 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2786 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2787 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2788 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2789 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2790 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. 
Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2791 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2792 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2793 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2794 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. 
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2795 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2796 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 
We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event, which makes it a useful early-warning system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files, appending the .VAGGEN extension to each one. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Three of them can be renamed according to their role:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Each encrypted chunk is first decoded from Base64 and then decrypted with the hardcoded XXTEA key "STALKER". At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Go function filepath.Walk (from the path/filepath package).
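The string-recovery step described above, written out as an added example in Go; it is not code from the original post or from the malware. It implements XXTEA following the conventions of the xxtea-go library (key zero-padded to 16 bytes, plaintext length stored in the trailing 32-bit word), which is an assumption about how the sample's build framed its strings, embeds a constructed stand-in for a ransom-note string, and shows the Base64-decode-then-decrypt path with the hardcoded key "STALKER". Function and variable names are this example's own.

```go
package main

import (
	"encoding/base64"
	"errors"
)

// XXTEA in the xxtea-go style: key zero-padded to 16 bytes, plaintext length kept in the
// trailing 32-bit word. Assumption: the sample was built with these library defaults.
const xxteaDelta uint32 = 0x9E3779B9

const stalkerKey = "STALKER" // the hardcoded XXTEA key quoted in the analysis

// bytesToWords packs little-endian 32-bit words, optionally appending the length word.
func bytesToWords(b []byte, includeLength bool) []uint32 {
	words := make([]uint32, (len(b)+3)/4, (len(b)+3)/4+1)
	for i, c := range b {
		words[i>>2] |= uint32(c) << ((uint(i) & 3) << 3)
	}
	if includeLength {
		words = append(words, uint32(len(b)))
	}
	return words
}

// wordsToBytes unpacks words; with includeLength the trailing length word is trusted only
// if it fits the buffer (at most 3 bytes of padding), which catches most wrong-key decrypts.
func wordsToBytes(w []uint32, includeLength bool) ([]byte, error) {
	n := len(w) * 4
	if includeLength {
		m := int(w[len(w)-1])
		if m < n-7 || m > n-4 {
			return nil, errors.New("xxtea: bad length word (wrong key or damaged data)")
		}
		n = m
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = byte(w[i>>2] >> ((uint(i) & 3) << 3))
	}
	return out, nil
}

func xxteaMX(sum, y, z, p, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

func xxteaKey(key string) []uint32 { // zero-pad or truncate the key to 16 bytes
	return bytesToWords(append([]byte(key), make([]byte, 16)...)[:16], false)
}

func xxteaEncryptWords(v, k []uint32) {
	n := uint32(len(v) - 1)
	z, sum := v[n], uint32(0)
	for q := 6 + 52/uint32(len(v)); q > 0; q-- {
		sum += xxteaDelta
		e := (sum >> 2) & 3
		var p uint32
		for p = 0; p < n; p++ {
			v[p] += xxteaMX(sum, v[p+1], z, p, e, k)
			z = v[p]
		}
		v[n] += xxteaMX(sum, v[0], z, p, e, k)
		z = v[n]
	}
}

func xxteaDecryptWords(v, k []uint32) {
	n := uint32(len(v) - 1)
	y := v[0]
	for sum := (6 + 52/uint32(len(v))) * xxteaDelta; sum != 0; sum -= xxteaDelta {
		e := (sum >> 2) & 3
		var p uint32
		for p = n; p > 0; p-- {
			v[p] -= xxteaMX(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= xxteaMX(sum, y, v[n], p, e, k)
		y = v[0]
	}
}

// EncryptString mirrors how a string would be embedded in the binary: XXTEA, then Base64.
func EncryptString(plain, key string) string {
	v := bytesToWords([]byte(plain), true)
	xxteaEncryptWords(v, xxteaKey(key))
	raw, _ := wordsToBytes(v, false)
	return base64.StdEncoding.EncodeToString(raw)
}

// DecryptString is the malware's recovery step: Base64-decode, then XXTEA-decrypt with the key.
func DecryptString(encoded, key string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(raw) == 0 || len(raw)%4 != 0 {
		return "", errors.New("xxtea: ciphertext must be a non-empty multiple of 4 bytes")
	}
	v := bytesToWords(raw, false)
	xxteaDecryptWords(v, xxteaKey(key))
	out, err := wordsToBytes(v, true)
	if err != nil {
		return "", err
	}
	return string(out), nil
}
```

To triage a sample, pull each Base64 blob out of the binary's string table and feed it to DecryptString with "STALKER"; a length-word error on every blob is the quickest sign that a new build changed the key or the framing.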
Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12 byte long nonce generated by CryptGenRandom; the file content is then encrypted with the gcm.Seal function.

The output file (with the .VAGGEN extension) contains, in order:
the 12 byte long nonce
the encrypted content
the 16 byte long GCM tag

Because the key is the same in every sample and the nonce is stored in clear at the start of each file, nothing in the file format stands between a victim and their data: the random nonce only keeps identical plaintexts from producing identical ciphertexts, it does not protect the key.
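A decryptor for the .VAGGEN layout, added here as an example in Go; it is not code from the original post or from the malware. It assumes exactly the structure listed above (12-byte nonce, ciphertext, 16-byte tag, which is what Go's gcm.Seal produces when the nonce is passed as its destination buffer) and the 32-byte key quoted elsewhere on this page; crypto/rand stands in for CryptGenRandom, and the sample document content is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// vaggenKey is the 32-byte key string quoted on this page (AES-256).
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // GCM nonce; the sample fills it from CryptGenRandom
	tagSize   = 16 // GCM authentication tag, appended to the ciphertext by gcm.Seal
)

func newGCM(key string) (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(key)) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptVaggen reproduces the on-disk layout: nonce || ciphertext || tag.
// crypto/rand stands in for CryptGenRandom.
func EncryptVaggen(plain []byte, key string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to its dst argument; passing the nonce as
	// dst therefore yields the whole .VAGGEN layout in one buffer.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// DecryptVaggen recovers a file without paying: split off the nonce, then let
// GCM verify the trailing tag and decrypt what lies between.
func DecryptVaggen(blob []byte, key string) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("vaggen: file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	plain, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		// Tag mismatch: the file was truncated or modified, or this sample uses
		// another key. GCM refuses outright rather than emitting garbage.
		return nil, fmt.Errorf("vaggen: authentication failed: %w", err)
	}
	return plain, nil
}

func main() {
	doc := []byte("COVID-19 survey responses, department X") // constructed content
	blob, err := EncryptVaggen(doc, vaggenKey)
	if err != nil {
		panic(err)
	}
	back, err := DecryptVaggen(blob, vaggenKey)
	fmt.Printf("%d plaintext bytes -> %d on disk; recovered %q (err=%v)\n", len(doc), len(blob), back, err)
	tampered := append([]byte(nil), blob...)
	tampered[nonceSize] ^= 0x01 // flip one ciphertext bit
	_, err = DecryptVaggen(tampered, vaggenKey)
	fmt.Println("tampered:", err)
}
```

When running this over real .VAGGEN files, write the recovered bytes to a new path and keep the original until the output has been sanity-checked: a tag failure on a file encrypted by a different build is the expected way to learn that the key was changed, not a reason to force the output.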
When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe and writes it as Polisen.exe
Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe and writes it as Killar.exe
Calls the VBA Shell function to execute Killar.exe
Checks the return value of Shell to see whether the launch succeeded (Shell returns the task ID of the started program, and 0 on failure)
If successful, sends a GET HTTP request to canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn't successful, sends a GET HTTP request to canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

The two canary URLs therefore double as execution telemetry: the operator learns not only that the document was opened but whether the dropped payload actually started.
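The macro chain above, turned into detection logic as an added example in Go; it is not code from the original post. The telemetry schema (Sysmon-style file, process and network events with Image, Parent and Target fields) and the sample events are constructed for this example. The rules key on behaviour rather than on the Byxor folder or the Polisen/Killar names, so a renamed variant of the same macro still trips them: an Office process writing an .exe under the roaming %APPDATA%, then launching an executable from there, with the notabug.org fetch and the canarytokens.com beacon as supporting signals.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Event is a simplified Sysmon-style telemetry record. The schema and the
// sample events below are constructed for this example, not incident data.
type Event struct {
	Kind   string // "net", "file" or "process"
	Image  string // process that performed the action
	Parent string // parent image (process events only)
	Target string // remote host, file path written, or child image
}

var officeImages = map[string]bool{"winword.exe": true, "excel.exe": true, "powerpnt.exe": true}

// imageName normalises a Windows path to its lower-case file name.
func imageName(p string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, "/")))
}

func underRoamingAppData(p string) bool {
	return strings.Contains(strings.ToLower(p), `\appdata\roaming\`)
}

// Findings returns the rule names that fired, deduplicated, in first-seen order.
func Findings(events []Event) []string {
	seen := map[string]bool{}
	var out []string
	add := func(name string) {
		if !seen[name] {
			seen[name] = true
			out = append(out, name)
		}
	}
	for _, ev := range events {
		fromOffice := officeImages[imageName(ev.Image)]
		target := strings.ToLower(ev.Target)
		switch ev.Kind {
		case "net":
			if fromOffice && strings.HasSuffix(target, "notabug.org") {
				add("office_fetches_from_notabug")
			}
			if fromOffice && strings.HasSuffix(target, "canarytokens.com") {
				add("office_beacons_canarytoken")
			}
		case "file":
			if fromOffice && underRoamingAppData(target) && strings.HasSuffix(target, ".exe") {
				add("office_drops_exe_in_appdata")
			}
		case "process":
			if officeImages[imageName(ev.Parent)] && underRoamingAppData(ev.Image) {
				add("office_spawns_exe_from_appdata")
			}
		}
	}
	return out
}

// Verdict is true only when the drop-and-execute pair is present. The two network
// rules alone are supporting evidence (both hosts have legitimate users) and
// should raise an alert for triage rather than a block.
func Verdict(findings []string) bool {
	has := map[string]bool{}
	for _, f := range findings {
		has[f] = true
	}
	return has["office_drops_exe_in_appdata"] && has["office_spawns_exe_from_appdata"]
}

// Summary renders a one-line triage message.
func Summary(findings []string) string {
	return fmt.Sprintf("malicious=%t rules=%s", Verdict(findings), strings.Join(findings, ","))
}

func main() {
	word := `C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE`
	// Constructed telemetry mirroring the macro's steps in order.
	sample := []Event{
		{Kind: "net", Image: word, Target: "notabug.org"},
		{Kind: "file", Image: word, Target: `C:\Users\alice\AppData\Roaming\Byxor\Polisen.exe`},
		{Kind: "file", Image: word, Target: `C:\Users\alice\AppData\Roaming\Byxor\Killar.exe`},
		{Kind: "process", Image: `C:\Users\alice\AppData\Roaming\Byxor\Killar.exe`, Parent: word},
		{Kind: "net", Image: word, Target: "canarytokens.com"},
	}
	fmt.Println(Summary(Findings(sample)))
	benign := []Event{
		{Kind: "file", Image: word, Target: `C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm`},
		{Kind: "process", Image: `C:\Windows\System32\notepad.exe`, Parent: `C:\Windows\explorer.exe`},
	}
	fmt.Println(Summary(Findings(benign)))
}
```

Office writing a template under AppData\Roaming\Microsoft\Templates is normal and must not fire, which is why the file rule insists on an .exe; the process rule is the one worth paging on, since Word has no business being the parent of anything that lives in a user's roaming profile.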
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2816 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2817 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2818 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2819 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2820 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2821 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2822 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2823 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2824 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2825 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2826 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2827 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2828 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2829 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2830 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2831 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2832 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2833 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2834 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2835 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2836 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2837 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we have observed a number of phishing attacks against universities worldwide, which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than sending the fake survey directly via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters, which would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to determine whether it succeeded (on success, the return value is the task ID of the executed application)
- If successful, sends an HTTP GET request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, sends an HTTP GET request to canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document triggers a notification via the canarytokens.com website. Typically, this type of service is used to get alerted when a particular event occurs, which makes it a useful early warning system that an intruder has gained access to a network.
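One way to check a suspicious document for the template-injection trick described above, as an added example that is not part of the original post: the scanner below opens a .docx as the OOXML zip it is, reads every .rels part and reports relationships marked External, flagging an attachedTemplate fetched over HTTP(S). The fixture document and its template-host.invalid URL are constructed here for the demonstration and are not the real sample or hosting location.

```go
package main

// Static check for the Word template-injection delivery described above: a .docx
// whose relationships point at a remote .dotm that Word fetches and runs on open.

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

type ExternalRel struct {
	Part   string // the .rels part that declares it
	Type   string // relationship type URI
	Target string // where Word will go to fetch it
}

// Relationship markup as stored in *.rels parts (OOXML packaging).
type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// IsRemoteTemplate reports whether the relationship is an attachedTemplate
// fetched over HTTP(S): the exact pattern behind template injection.
func (e ExternalRel) IsRemoteTemplate() bool {
	lower := strings.ToLower(e.Target)
	return strings.HasSuffix(e.Type, "/attachedTemplate") &&
		(strings.HasPrefix(lower, "http://") || strings.HasPrefix(lower, "https://"))
}

// scanDocx returns every relationship marked TargetMode="External" in any .rels
// part. Template injection shows up as an external attachedTemplate in
// word/_rels/settings.xml.rels; other external relationships are reported for triage.
func scanDocx(doc []byte) ([]ExternalRel, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, fmt.Errorf("not a zip/OOXML package: %w", err)
	}
	var found []ExternalRel
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if r.TargetMode == "External" {
				found = append(found, ExternalRel{Part: f.Name, Type: r.Type, Target: r.Target})
			}
		}
	}
	return found, nil
}

// buildFixture constructs a minimal document carrying a remote attachedTemplate,
// standing in for the survey .docx. The URL is a placeholder, not the real host.
func buildFixture(templateURL string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	parts := map[string]string{
		"word/settings.xml": `<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>`,
		"word/_rels/settings.xml.rels": `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" ` +
			`Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="` + templateURL + `" TargetMode="External"/></Relationships>`,
	}
	for name, body := range parts {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	rels, err := scanDocx(buildFixture("https://template-host.invalid/template.dotm"))
	if err != nil {
		panic(err)
	}
	for _, r := range rels {
		fmt.Printf("%s: %s -> %s (remote template: %v)\n", r.Part, r.Type, r.Target, r.IsRemoteTemplate())
	}
}
```

To scan a real file, replace the buildFixture call in main with os.ReadFile on the document path; a hit on IsRemoteTemplate means Word would contact that host before the user sees any macro prompt.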
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

Once deployed, the ransomware starts encrypting the user's files, adding the .VAGGEN extension to each of them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD, to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, starting with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. Some of them could be identified as:

- main_LAMNARDETTA -> main_enumDir
- main_ELDBJORT -> main_encryptFile
- main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64; the XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go function path.filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. It allowed us to paint a better picture of this attack and understand who the targets were.
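Putting the file layout and the hardcoded key together, as an added example that is not the malware's or Malwarebytes' code: the Go program below parses a .VAGGEN file as nonce || ciphertext || tag, decrypts it with AES-256-GCM under the quoted key, and restores every such file under a directory using the same filepath.Walk traversal. makeFixture only builds a constructed sample file in that layout so the recovery path can be exercised offline; the nonce source in it is crypto/rand, standing in for the CryptGenRandom call the analysis mentions.

```go
package main

// Recovery helper for the .VAGGEN layout described above (added example, not the
// malware's or the analysts' code): [12-byte nonce][AES-256-GCM ciphertext][16-byte tag].
// Go's gcm.Seal appends the tag itself, so an encrypted file is nonce || Seal(plaintext).

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Hardcoded key quoted in the analysis; 32 bytes, hence AES-256.
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const vaggenExt = ".VAGGEN"
const nonceLen, gcmTagLen = 12, 16 // standard GCM nonce and tag sizes

// recoverVaggen decrypts one encrypted blob. Blobs too short to hold a nonce and a
// tag are rejected up front; gcm.Open fails on a wrong key or any tampering.
func recoverVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < nonceLen+gcmTagLen {
		return nil, fmt.Errorf("blob of %d bytes is shorter than nonce+tag", len(blob))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceLen], blob[nonceLen:], nil)
}

// recoverTree walks root with filepath.Walk, the same traversal the malware
// used, and restores every *.VAGGEN file to its original name. The encrypted
// copy is removed only after the plaintext has been written. Returns the count.
func recoverTree(root string, key []byte) (int, error) {
	restored := 0
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if info.IsDir() || !strings.HasSuffix(path, vaggenExt) {
			return nil
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		plain, err := recoverVaggen(blob, key)
		if err != nil {
			fmt.Fprintf(os.Stderr, "skip %s: %v\n", path, err) // wrong key or damaged file
			return nil
		}
		if err := os.WriteFile(strings.TrimSuffix(path, vaggenExt), plain, 0o600); err != nil {
			return err
		}
		if err := os.Remove(path); err != nil {
			return err
		}
		restored++
		return nil
	})
	return restored, err
}

// makeFixture produces a constructed .VAGGEN blob in the layout above so the
// recovery path can be tested offline (nonce from crypto/rand, not CryptGenRandom).
func makeFixture(plain, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plain, nil)...), nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: vaggen-recover <directory>")
		os.Exit(2)
	}
	n, err := recoverTree(os.Args[1], vaggenKey)
	fmt.Printf("restored %d file(s), error: %v\n", n, err)
}
```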
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2850 of 3467 With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. 
This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2851 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2852 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe 
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2853 of 3467 The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2854 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2855 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2856 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2857 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2858 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2859 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2860 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2861 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. 
It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2862 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2863 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2864 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2865 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2866 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2867 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2868 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2869 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2870 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2871 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2872 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2873 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. 
Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2874 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2875 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2876 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2877 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. 
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2878 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2879 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2880 of 3467 We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Some of them map to the following functionality:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64, then decrypted with the hardcoded XXTEA key (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Golang function path.filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here.
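Before going into the file encryption, here is the analyst-side counterpart of the string protection described above (Base64, then XXTEA with the key “STALKER”). This is an added example, not code from the post or from the sample: the XXTEA core is the published reference algorithm, while the byte layout (little-endian words, plaintext length stored in a trailing word, a short key zero-padded to 16 bytes) is an assumption about how xxtea-go formats its data. The function names are mine and the chunk decoded in main is constructed by the program itself, not a string taken from the malware.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

const xxteaKey = "STALKER" // hardcoded key quoted in the analysis
const delta = 0x9e3779b9

// btea: XXTEA block function (reference algorithm); n > 1 encrypts n words in place, n < -1 decrypts -n.
func btea(v []uint32, n int, k []uint32) {
	mx := func(sum, y, z, p, e uint32) uint32 {
		return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
	}
	if n > 1 {
		rounds, sum, z := 6+52/n, uint32(0), v[n-1]
		for ; rounds > 0; rounds-- {
			sum += delta
			e, p := (sum>>2)&3, 0
			for ; p < n-1; p++ {
				v[p] += mx(sum, v[p+1], z, uint32(p), e)
				z = v[p]
			}
			v[n-1] += mx(sum, v[0], z, uint32(p), e)
			z = v[n-1]
		}
	} else if n < -1 {
		n = -n
		rounds := 6 + 52/n
		sum, y := uint32(rounds)*delta, v[0]
		for ; rounds > 0; rounds-- {
			e, p := (sum>>2)&3, n-1
			for ; p > 0; p-- {
				v[p] -= mx(sum, y, v[p-1], uint32(p), e)
				y = v[p]
			}
			v[0] -= mx(sum, y, v[n-1], uint32(p), e)
			y, sum = v[0], sum-delta
		}
	}
}

// toWords packs bytes little-endian; withLength appends the byte count as a trailing word (assumed xxtea-go layout).
func toWords(data []byte, withLength bool) []uint32 {
	v := make([]uint32, (len(data)+3)/4, (len(data)+3)/4+1)
	for i, b := range data {
		v[i/4] |= uint32(b) << (uint(i%4) * 8)
	}
	if withLength {
		v = append(v, uint32(len(data)))
	}
	return v
}

// fromWords unpacks every word back to little-endian bytes.
func fromWords(v []uint32) []byte {
	out := make([]byte, len(v)*4)
	for i := range out {
		out[i] = byte(v[i/4] >> (uint(i%4) * 8))
	}
	return out
}

// keyWords zero-pads a short key such as "STALKER" to the 16 bytes XXTEA needs (assumption about xxtea-go).
func keyWords(key string) []uint32 {
	return toWords(append([]byte(key), make([]byte, 16)...)[:16], false)
}

// decodeString is the analyst-side inverse of the malware's runtime step: Base64-decode, then XXTEA-decrypt.
func decodeString(b64, key string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw) < 8 || len(raw)%4 != 0 {
		return "", errors.New("xxtea: ciphertext must be >= 8 bytes and a multiple of 4")
	}
	v := toWords(raw, false)
	btea(v, -len(v), keyWords(key))
	n := int(v[len(v)-1]) // trailing word: plaintext byte count; random garbage under a wrong key
	if n < len(raw)-7 || n > len(raw)-4 {
		return "", errors.New("xxtea: length check failed (wrong key or corrupt data)")
	}
	return string(fromWords(v)[:n]), nil
}

// encodeString builds a chunk in the same form; used only to construct sample input.
func encodeString(s, key string) string {
	v := toWords([]byte(s), true)
	btea(v, len(v), keyWords(key))
	return base64.StdEncoding.EncodeToString(fromWords(v))
}

func main() {
	chunk := encodeString("constructed sample text, not a string from the malware", xxteaKey)
	fmt.Println(decodeString(chunk, xxteaKey))
}
```

The length word doubles as a cheap integrity check: with the wrong key it almost never falls in the plausible range, so a wrong guess is reported instead of returning garbage.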
The file encryption uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:
- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
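Coming back to the file layout and the key described above, the recovery the analysis makes possible looks like this in practice. This is an added example, not the post’s code or anything from the sample: a small Go tool that reads a .VAGGEN file as nonce || ciphertext || GCM tag, decrypts it with the quoted 32-byte key using the standard library’s AES-GCM, and writes the original file next to it. Function names are mine, and the constructed sample blob used for testing is sealed with crypto/rand rather than CryptGenRandom.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Key quoted in the analysis: 32 bytes, hence AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // nonce length described for the sample (the GCM standard size)
	tagSize   = 16 // GCM tag that gcm.Seal appends to the ciphertext
	ext       = ".VAGGEN"
)

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(vaggenKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// decryptVaggen parses nonce || ciphertext || tag and returns the plaintext.
// gcm.Open checks the tag before releasing any data, so a truncated or damaged
// file, or one produced with a different key, is rejected rather than decrypted to garbage.
func decryptVaggen(blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// restoreFile writes the decrypted content beside the .VAGGEN file, leaving the
// encrypted original untouched so nothing is lost if the result looks wrong.
func restoreFile(path string) error {
	if !strings.HasSuffix(path, ext) {
		return fmt.Errorf("%s: not a %s file", path, ext)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	plain, err := decryptVaggen(blob)
	if err != nil {
		return fmt.Errorf("%s: %w", path, err)
	}
	return os.WriteFile(strings.TrimSuffix(path, ext), plain, 0o600)
}

// makeSampleVaggen builds a constructed blob in the same layout for exercising the
// parser: gcm.Seal(nonce, nonce, plain, nil) prepends the nonce and appends the tag.
func makeSampleVaggen(plain []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Println("usage: vaggen-restore FILE.VAGGEN ...")
		return
	}
	for _, p := range os.Args[1:] {
		if err := restoreFile(p); err != nil {
			fmt.Println("failed:", err)
			continue
		}
		fmt.Println("restored:", strings.TrimSuffix(p, ext))
	}
}
```

Because the tag is authenticated, the tool fails closed: a bit flipped anywhere in the file makes gcm.Open return an error, which is the behaviour a recovery script should have before it overwrites anything.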
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2887 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2888 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2889 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2890 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: 
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2891 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2892 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2893 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2894 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2895 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2896 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2897 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2898 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2899 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2900 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2901 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2902 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2903 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2904 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2905 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2906 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2907 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2908 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2909 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2910 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2911 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2912 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2913 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2914 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2915 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2916 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2917 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2918 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2919 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2920 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero. In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2921 of 3467 However, this attack and motives are different than the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files. On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team. 
Mandatory COVID-19 survey distributed to targeted recipients The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives. The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC): Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2922 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe:
  notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe:
  notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the VBA Shell function to execute killar.exe
- Checks the return value of Shell to determine whether the launch succeeded (on success, Shell returns the task ID of the started application)
- If successful, sends an HTTP GET request to: canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, sends an HTTP GET request to: canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted to a particular event. This can be very useful as an early warning that an intruder has gained access to a network.
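The template injection described at the start of this section leaves a static trace in the document itself: a .docx is a ZIP archive, and a remote template is declared in word/_rels/settings.xml.rels as an attachedTemplate relationship with TargetMode="External". The Go program below is an added example and is not code from the original post or from the campaign; it builds a small constructed .docx in memory with such a relationship (the target URL is a placeholder, not one of the real notabug.org URLs) and extracts every external template target, so the lure can be triaged without opening it in Word. Feed RemoteTemplates the bytes of a real document to apply the same check.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"os"
	"strings"
)

// OOXML relationship type that declares the attached (remote) template.
const attachedTemplateRel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// relationships mirrors the subset of a .rels part that matters here.
type relationships struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// RemoteTemplates scans a .docx (given as raw bytes) for attachedTemplate
// relationships whose target is external, i.e. a template Word will fetch
// from a URL when the document is opened. A benign document has none, or a
// local one.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a valid OOXML zip: %w", err)
	}
	var found []string
	for _, f := range zr.File {
		// Only settings.xml.rels carries the attachedTemplate relationship.
		if !strings.HasSuffix(f.Name, "word/_rels/settings.xml.rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("malformed %s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if r.Type == attachedTemplateRel && strings.EqualFold(r.TargetMode, "External") {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

// buildSampleDocx constructs a minimal .docx in memory for offline testing.
// An empty templateURL yields a settings part with no attachedTemplate at
// all (a benign document); otherwise an external template is declared.
func buildSampleDocx(templateURL string) []byte {
	rels := `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>`
	if templateURL != "" {
		rels = fmt.Sprintf(`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`+
			`<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/></Relationships>`,
			attachedTemplateRel, templateURL)
	}
	parts := map[string]string{
		"word/document.xml":            `<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>`,
		"word/settings.xml":            `<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>`,
		"word/_rels/settings.xml.rels": rels,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(body)); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Constructed placeholder URL; the real campaign used raw file URLs on notabug.org.
	sample := buildSampleDocx("https://example.invalid/Word-Templates/raw/master/template.dotm")
	targets, err := RemoteTemplates(sample)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, t := range targets {
		fmt.Println("remote template:", t)
	}
}
```

The check is deliberately narrow: it flags only external attachedTemplate targets, which is the exact mechanism this lure uses, and it does not open the document in any Office component, so it is safe to run over a mailbox or file-share export.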
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD, to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Based on their behavior, the most relevant ones map to:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32 byte key) in GCM mode. The encryption routine is similar to the one demonstrated here, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the gcm.Seal function.

The content of the output file (with .VAGGEN extension) consists of:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. The key is embedded identically in every sample and the nonce is stored in the file itself, so there is no per-victim secret that only the attacker holds. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It's unclear at this point whether the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
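Because the key is the same in every sample and the nonce is the first 12 bytes of each .VAGGEN file, recovery needs nothing from the attacker. The Go program below is an added example, not code from the original post or from the malware: it reproduces the file layout described in the Vaggen section above (nonce || ciphertext || GCM tag, as gcm.Seal produces it) on a constructed plaintext so it runs offline, then recovers the plaintext with the hardcoded key. One detail the analysis does not state is assumed and marked in the comments: no additional authenticated data is passed to GCM. Because GCM authenticates, a wrong key or a damaged file is rejected rather than decrypted to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Key recovered from the sample: 32 bytes, hence AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // per-file nonce, generated with CryptGenRandom by the malware
	tagSize   = 16 // GCM authentication tag appended by gcm.Seal
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealLikeVaggen reproduces the .VAGGEN layout described in the analysis,
// nonce || ciphertext || tag, so the decryptor can be exercised on
// constructed data. The nonce is caller-supplied here; the malware draws
// it from CryptGenRandom.
func sealLikeVaggen(key, nonce, plaintext []byte) ([]byte, error) {
	if len(nonce) != nonceSize {
		return nil, errors.New("nonce must be 12 bytes")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst; seeding dst with the nonce gives
	// the complete file image in one buffer. Assumption: no additional data.
	return gcm.Seal(append([]byte{}, nonce...), nonce, plaintext, nil), nil
}

// DecryptVaggen recovers the original content from a .VAGGEN blob.
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("blob too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, ct := blob[:nonceSize], blob[nonceSize:]
	pt, err := gcm.Open(nil, nonce, ct, nil) // nil AAD, matching the assumption above
	if err != nil {
		return nil, fmt.Errorf("authentication failed (wrong key or corrupted file): %w", err)
	}
	return pt, nil
}

func main() {
	key := []byte(vaggenKey)
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	// Constructed victim data standing in for a real document.
	original := []byte("Quarterly budget, do not share outside the department.")
	blob, err := sealLikeVaggen(key, nonce, original)
	if err != nil {
		panic(err)
	}
	fmt.Printf(".VAGGEN image: %d bytes (12 nonce + %d ciphertext + 16 tag)\n", len(blob), len(original))
	recovered, err := DecryptVaggen(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\n", recovered)
}
```

To recover a real file, read the .VAGGEN bytes, pass them to DecryptVaggen with the same key, and write the result under the original name; if Open reports an authentication failure, the file was truncated or altered after encryption, and no amount of key guessing will fix it.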
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2965 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2966 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2967 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2968 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2969 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2970 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2971 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2972 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2973 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2974 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: 
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2975 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2976 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2977 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2978 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2979 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2980 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2981 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2982 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2983 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2984 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 2985 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
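The macro chain above leaves a recognisable trail in endpoint telemetry: an Office host fetching files from notabug.org, then starting an executable from %APPDATA%\Byxor, then requesting a canarytokens.com URL. The following detection logic is an added example, not code from the post or from Malwarebytes; the Event schema, the user name and the template's exact path on notabug.org are assumptions, while the download and canary URLs are the ones listed above.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Event is a constructed, simplified endpoint telemetry record (process creation
// or outbound HTTP request) of the kind an EDR/Sysmon pipeline would emit.
// The field names are an assumption of this example, not a real product schema.
type Event struct {
	Kind        string // "process" or "http"
	ParentImage string // process events: image that created the new process
	Image       string // process events: created image; http events: requesting process
	URL         string // http events: requested URL
}

// Finding records which rule an event matched.
type Finding struct {
	Rule  string
	Event Event
}

// officeHosts are the Office executables that can host a VBA macro.
var officeHosts = map[string]bool{"winword.exe": true, "excel.exe": true, "powerpnt.exe": true}

// isOffice reports whether an image path is one of the Office host processes.
func isOffice(image string) bool {
	img := strings.ToLower(image)
	if i := strings.LastIndexAny(img, `\/`); i >= 0 {
		img = img[i+1:]
	}
	return officeHosts[img]
}

// hostOf extracts the lowercase host from a URL, or "" if it does not parse.
func hostOf(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// DetectMacroChain applies three rules that follow the macro behaviour described in the post:
//   office_download_from_notabug: an Office host fetching anything from notabug.org
//                                 (the remote .dotm template and the dropped executables)
//   office_spawns_appdata_byxor:  an Office host starting an executable from %APPDATA%\Byxor
//   office_canarytoken_beacon:    an Office host requesting a canarytokens.com URL
func DetectMacroChain(events []Event) []Finding {
	var findings []Finding
	for _, e := range events {
		switch strings.ToLower(e.Kind) {
		case "process":
			img := strings.ToLower(e.Image)
			if isOffice(e.ParentImage) && strings.Contains(img, `\appdata\roaming\byxor\`) {
				findings = append(findings, Finding{"office_spawns_appdata_byxor", e})
			}
		case "http":
			if !isOffice(e.Image) {
				continue
			}
			switch hostOf(e.URL) {
			case "notabug.org":
				findings = append(findings, Finding{"office_download_from_notabug", e})
			case "canarytokens.com":
				findings = append(findings, Finding{"office_canarytoken_beacon", e})
			}
		}
	}
	return findings
}

// SampleEvents is a constructed timeline mirroring the macro's steps. The user name,
// the Office install path and the template.dotm path are made up; the killar.exe and
// canary URLs are the ones quoted in the post.
func SampleEvents() []Event {
	w := `C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE`
	return []Event{
		{Kind: "http", Image: w, URL: "https://notabug.org/Microsoft-Office/Word-Templates/raw/master/template.dotm"}, // assumed path
		{Kind: "http", Image: w, URL: "https://notabug.org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe"},
		{Kind: "process", ParentImage: w, Image: `C:\Users\alice\AppData\Roaming\Byxor\Killar.exe`},
		{Kind: "http", Image: w, URL: "http://canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp"},
		// benign noise: a browser visiting the same host and a normal Word child process
		{Kind: "http", Image: `C:\Program Files\Mozilla Firefox\firefox.exe`, URL: "https://notabug.org/"},
		{Kind: "process", ParentImage: w, Image: `C:\Windows\splwow64.exe`},
	}
}

func main() {
	for _, f := range DetectMacroChain(SampleEvents()) {
		fmt.Printf("%-30s %-8s %s %s\n", f.Rule, f.Event.Kind, f.Event.Image, f.Event.URL)
	}
}
```

The three rules fire in sequence on the sample timeline and stay silent on the two benign events; in a real pipeline the Office-to-canarytokens.com rule is the cheapest single indicator of a document having executed its macro.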
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Some of them map to the following roles:
main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function filepath.Walk (from the path/filepath package).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) consists of:
- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3003 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3004 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero. In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3005 of 3467 However, this attack and motives are different than the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files. On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team. 
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to determine whether it was successful (the return value would be the task ID of the executed application)
- If successful, sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
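A check a defender can run on a suspicious .docx for the template injection described above, as an added example that is not from the original post: it opens the OOXML container, reads word/_rels/settings.xml.rels and reports attachedTemplate relationships that resolve over HTTP(S). RemoteTemplates, buildDocx and the two sample relationship parts (with a placeholder host, not an indicator from the post) are constructed here.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// relationships is the subset of an OOXML .rels part the check needs.
type relationships struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// settingsRels is the part in which Word records the attached template.
const settingsRels = "word/_rels/settings.xml.rels"

// RemoteTemplates returns every attachedTemplate relationship in a .docx whose
// target is fetched over HTTP(S). A document that only points at a local
// Normal.dotm is not reported; a template injection document points this
// relationship at a remote .dotm, which Word downloads when the file opens.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, err
	}
	var remote []string
	for _, f := range zr.File {
		if f.Name != settingsRels {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, err
		}
		for _, r := range rels.Rels {
			if !strings.HasSuffix(r.Type, "/attachedTemplate") || r.TargetMode != "External" {
				continue
			}
			// Only a web URL means a download at open time; file:// paths are normal.
			if u, err := url.Parse(r.Target); err == nil && (u.Scheme == "http" || u.Scheme == "https") {
				remote = append(remote, r.Target)
			}
		}
	}
	return remote, nil
}

// buildDocx builds a minimal, constructed .docx container that holds only the
// settings relationship part, enough to exercise the check offline.
func buildDocx(relsXML string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create(settingsRels)
	w.Write([]byte(relsXML))
	zw.Close()
	return buf.Bytes()
}

const (
	relsHeader = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>` +
		`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`
	attachedTemplate = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)

// Constructed samples: the injected one uses a placeholder host, not an
// indicator from the post; the benign one is what a normal document carries.
var (
	injectedRels = relsHeader + `<Relationship Id="rId1" Type="` + attachedTemplate +
		`" Target="https://hosting.example/raw/master/template.dotm" TargetMode="External"/></Relationships>`
	benignRels = relsHeader + `<Relationship Id="rId1" Type="` + attachedTemplate +
		`" Target="file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm" TargetMode="External"/></Relationships>`
)

func main() {
	for name, rels := range map[string]string{"injected": injectedRels, "benign": benignRels} {
		remote, err := RemoteTemplates(buildDocx(rels))
		fmt.Printf("%s: remote templates %v, err %v\n", name, remote, err)
	}
}
```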
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Some of them can be renamed according to their purpose:

- main_LAMNARDETTA -> main_enumDir
- main_ELDBJORT -> main_encryptFile
- main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Golang function path/filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 byte long nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12 byte long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
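The recovery the Vaggen section describes, as an added example that is not the researchers’ own tooling: DecryptVaggen splits a .VAGGEN blob into the 12 byte nonce and the sealed ciphertext plus tag and opens it with the hardcoded key quoted above. RecoverFile, sealLikeVaggen (which builds constructed input in the same layout, using crypto/rand where the sample uses CryptGenRandom) and the sample file name are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Key recovered from the sample, as quoted in the post: 32 bytes, so AES-256.
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	vaggenExt = ".VAGGEN"
	nonceSize = 12 // nonce length documented for the sample
	tagSize   = 16 // GCM tag length
)

// DecryptVaggen recovers one file from the documented layout:
// nonce (12) || ciphertext || GCM tag (16). Go's gcm.Seal writes ciphertext
// and tag back to back, so everything after the nonce is what gcm.Open expects.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	// Open verifies the tag: a wrong key or a corrupted file fails here
	// instead of producing garbage output.
	return gcm.Open(nil, nonce, sealed, nil)
}

// RecoverFile decrypts path (which must end in .VAGGEN) and writes the
// plaintext under the original name, i.e. with the extension stripped.
func RecoverFile(path string, key []byte) (string, error) {
	if !strings.HasSuffix(path, vaggenExt) {
		return "", errors.New("not a " + vaggenExt + " file: " + path)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plain, err := DecryptVaggen(blob, key)
	if err != nil {
		return "", err
	}
	out := strings.TrimSuffix(path, vaggenExt)
	return out, os.WriteFile(out, plain, 0o600)
}

// sealLikeVaggen builds a blob in the same layout so the decryptor can be
// exercised on constructed input. It follows the post's description of the
// format and is an assumption, not the malware's code.
func sealLikeVaggen(plaintext, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

func main() {
	// Constructed sample: seal a small file into a temp dir, then recover it.
	dir, _ := os.MkdirTemp("", "vaggen-demo")
	defer os.RemoveAll(dir)
	enc := filepath.Join(dir, "notes.txt"+vaggenExt)
	blob, _ := sealLikeVaggen([]byte("constructed survey answers"), vaggenKey)
	if err := os.WriteFile(enc, blob, 0o600); err != nil {
		fmt.Println(err)
		return
	}
	out, err := RecoverFile(enc, vaggenKey)
	if err != nil {
		fmt.Println("recovery failed:", err)
		return
	}
	plain, _ := os.ReadFile(out)
	fmt.Printf("recovered %s: %q\n", filepath.Base(out), plain)
}
```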
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3041 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3042 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. 
Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3043 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3044 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3045 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3046 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. 
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3047 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3048 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3049 of 3467 We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3050 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3051 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3052 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3053 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3054 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3055 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3056 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3057 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3058 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3059 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: 
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3060 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3061 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3062 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3063 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3064 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3065 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3066 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3067 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
- If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn't successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Go library function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
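The string protection described above (Base64, then XXTEA with the hardcoded key "STALKER"), as an added example that is not the malware's or xxtea-go's own code: a decoder an analyst can run offline over a chunk lifted from the binary. It assumes the data format xxtea-go documents (key zero-padded to 16 bytes, little-endian 32-bit words, byte length stored in the trailing word); the encrypt direction is included only to construct a sample chunk, since the page carries no ciphertext.

```go
// Added example (not the malware's or xxtea-go's code): decode a Base64 +
// XXTEA protected string with the hardcoded key "STALKER". Assumed format, as
// xxtea-go documents it: key zero-padded to 16 bytes, LE uint32 words, length last.
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

const delta = 0x9e3779b9 // XXTEA round constant

func mx(sum, y, z, p, e uint32, k []uint32) uint32 { // reference btea mixing term
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// btea encrypts (enc) or decrypts v in place; fewer than two words is a no-op.
func btea(v, k []uint32, enc bool) {
	n := uint32(len(v))
	if n < 2 {
		return
	}
	rounds := 6 + 52/n
	if enc {
		var sum uint32
		z := v[n-1]
		for ; rounds > 0; rounds-- {
			sum += delta
			e := (sum >> 2) & 3
			for p := uint32(0); p < n-1; p++ {
				v[p] += mx(sum, v[p+1], z, p, e, k)
				z = v[p]
			}
			v[n-1] += mx(sum, v[0], z, n-1, e, k)
			z = v[n-1]
		}
		return
	}
	sum := rounds * delta
	y := v[0]
	for ; rounds > 0; rounds-- {
		e := (sum >> 2) & 3
		for p := n - 1; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n-1], 0, e, k)
		y = v[0]
		sum -= delta
	}
}

func toWords(b []byte) []uint32 { // little-endian words, last one zero-padded
	w := make([]uint32, (len(b)+3)/4)
	for i, c := range b {
		w[i/4] |= uint32(c) << (8 * uint(i%4))
	}
	return w
}

func toBytes(w []uint32) []byte {
	b := make([]byte, 4*len(w))
	for i, x := range w {
		binary.LittleEndian.PutUint32(b[i*4:], x)
	}
	return b
}

func keyWords(key string) []uint32 {
	var raw [16]byte // zero-pads (or truncates) the key to 128 bits
	copy(raw[:], key)
	return toWords(raw[:])
}

// DecryptString: Base64 decode, XXTEA decrypt, strip padding via the trailing
// length word; an implausible length means a wrong key or a damaged chunk.
func DecryptString(b64, key string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(ct) < 8 || len(ct)%4 != 0 {
		return "", fmt.Errorf("not a Base64 chunk of whole XXTEA words: %v", err)
	}
	w := toWords(ct)
	btea(w, keyWords(key), false)
	n, body := int(w[len(w)-1]), 4*(len(w)-1)
	if n > body || n < body-3 {
		return "", fmt.Errorf("length word %d does not fit %d data bytes", n, body)
	}
	return string(toBytes(w[:len(w)-1])[:n]), nil
}

func EncryptString(s, key string) string { // forward direction, for sample chunks only
	w := append(toWords([]byte(s)), uint32(len(s)))
	btea(w, keyWords(key), true)
	return base64.StdEncoding.EncodeToString(toBytes(w))
}

func main() { // constructed sample chunk, decoded with the reported key
	fmt.Println(DecryptString(EncryptString("constructed sample note", "STALKER"), "STALKER"))
}
```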
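The AES-256-GCM scheme described above, and the recovery it permits because the key is hardcoded, as an added example that is not the malware's code: it parses the nonce, ciphertext and GCM tag layout the analysis reports for .VAGGEN files and restores every such file under a directory, walking it with filepath.Walk as the malware did. Assumed, since the page does not state them: the key is used as raw bytes, nothing is passed as additional authenticated data, and the original name is the file name minus the .VAGGEN suffix; sealFile exists only to construct a sample blob for the demonstration.

```go
// Added example (not the malware's code): recover .VAGGEN files offline from
// the reported layout 12-byte nonce || AES-256-GCM ciphertext || 16-byte tag
// (gcm.Seal appends the tag, so ciphertext||tag is one blob). Assumed: the key
// is used as raw bytes, no AAD, original name = file name minus .VAGGEN.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

const (
	vaggenKey = "du_tar_mitt_hjart_mina_pengarna0" // hardcoded key from the analysis
	vaggenExt = ".VAGGEN"
	nonceSize = 12
	tagSize   = 16
)

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
}

// sealFile mirrors the reported output format in memory; it exists only to
// construct test blobs (crypto/rand stands in for CryptGenRandom).
func sealFile(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// dst=nonce: Seal appends ciphertext||tag after the nonce in one slice.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RecoverFile splits nonce||ciphertext||tag and opens it with the leaked key.
// GCM authenticates, so a wrong key or a damaged file fails closed.
func RecoverFile(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceSize+tagSize {
		return nil, fmt.Errorf("%d bytes cannot hold a nonce and a GCM tag", len(blob))
	}
	pt, err := gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
	if err != nil {
		return nil, fmt.Errorf("wrong key or damaged file: %w", err)
	}
	return pt, nil
}

// RecoverTree walks root the way the malware's filepath.Walk callback did, in
// reverse: every *.VAGGEN file that authenticates is written back under its
// original name. Encrypted copies stay in place for the incident record.
func RecoverTree(root string, key []byte) (int, error) {
	restored := 0
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !strings.HasSuffix(path, vaggenExt) {
			return err
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		pt, err := RecoverFile(key, blob)
		if err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		if err := os.WriteFile(strings.TrimSuffix(path, vaggenExt), pt, 0o600); err != nil {
			return err
		}
		restored++
		return nil
	})
	return restored, err
}

func main() {
	dir, _ := os.MkdirTemp("", "vaggen-demo")
	defer os.RemoveAll(dir)
	blob, _ := sealFile([]byte(vaggenKey), []byte("constructed sample document"))
	_ = os.WriteFile(filepath.Join(dir, "notes.txt"+vaggenExt), blob, 0o600)
	fmt.Println(RecoverTree(dir, []byte(vaggenKey)))
}
```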
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) consists of:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3077 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3078 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3079 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3080 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3081 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3082 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3083 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3084 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3085 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3086 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3087 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3088 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3089 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero. In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3090 of 3467 However, this attack and motives are different than the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files. On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team. 
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

1. Gets the %APPDATA% directory
2. Creates the Byxor directory in %APPDATA%
3. Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
4. Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
5. Calls the Shell function to execute killar.exe
6. Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
7. If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
8. If it isn't successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
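The earliest artifact a defender can check in a template injection case is the document itself: Word stores the attached template reference in the package's relationship parts, and a remote template shows up as a relationship whose TargetMode is "External". The Go program below is an added example, not code from this post or from Malwarebytes. It builds a minimal .docx in memory with that kind of external attachedTemplate relationship and flags it; the placeholder URL https://example.invalid/template.dotm, the function names and the fixture content are the example's own assumptions.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// attachedTemplateType is the OOXML relationship type Word uses for a document's attached template.
const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// relationships mirrors the part of a .rels file the check needs.
type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// FindRemoteTemplates inspects every .rels part inside a .docx (a zip container) and returns
// the Target of each attachedTemplate relationship marked TargetMode="External". A benign
// local template resolves inside the package and carries no TargetMode, so an external
// target is the tell-tale sign of template injection.
func FindRemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a zip/OOXML container: %w", err)
	}
	var remote []string
	for _, part := range zr.File {
		if !strings.HasSuffix(part.Name, ".rels") {
			continue
		}
		rc, err := part.Open()
		if err != nil {
			return nil, err
		}
		raw, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(raw, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", part.Name, err)
		}
		for _, r := range rels.Rels {
			if r.Type == attachedTemplateType && strings.EqualFold(r.TargetMode, "External") {
				remote = append(remote, r.Target)
			}
		}
	}
	return remote, nil
}

// BuildSampleDocx constructs a minimal document in memory (a test fixture, not a real lure).
// With templateURL set, word/_rels/settings.xml.rels carries an external attachedTemplate
// reference; with an empty templateURL the document has no such reference.
func BuildSampleDocx(templateURL string) ([]byte, error) {
	parts := map[string]string{
		"[Content_Types].xml": `<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`,
		"word/document.xml":   `<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>`,
		"word/settings.xml":   `<?xml version="1.0" encoding="UTF-8"?><w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>`,
	}
	if templateURL != "" {
		parts["word/_rels/settings.xml.rels"] = fmt.Sprintf(
			`<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/></Relationships>`,
			attachedTemplateType, templateURL)
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, err := zw.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err := w.Write([]byte(body)); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	// Constructed placeholder; the real lure pointed at a notabug.org repository.
	doc, err := BuildSampleDocx("https://example.invalid/template.dotm")
	if err != nil {
		panic(err)
	}
	remote, err := FindRemoteTemplates(doc)
	if err != nil {
		panic(err)
	}
	for _, target := range remote {
		fmt.Println("remote template reference:", target)
	}
}
```

The check deliberately reads every .rels part rather than only word/_rels/settings.xml.rels, so a template reference placed in another part is still reported; on a mail gateway the same function can run over attachments before the user ever opens them, which is earlier in the chain than the macro, the dropped executables or the canary token call-back.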
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Several of them can be mapped to their purpose:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 byte long nonce generated by CryptGenRandom.
The file content is encrypted with the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) consists of:

- the 12 byte long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike with professional ransomware, files can be recovered from this attack fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
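Putting the documented file layout (12 byte nonce, ciphertext, 16 byte GCM tag) and the hardcoded key together, recovery of a .VAGGEN file is a single AES-256-GCM Open call. The Go program below is an added example, not the malware's code and not Malwarebytes' tooling: DecryptVaggen parses that layout and decrypts it, SealLikeVaggen is a constructed fixture that produces a blob in the same layout so the decryptor can be exercised offline, and the sample content and function names are the example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// vaggenKey is the 32-byte hardcoded AES-256 key reported in the analysis above.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // leading bytes of a .VAGGEN file
	tagSize   = 16 // GCM tag that gcm.Seal appends after the ciphertext
)

// DecryptVaggen takes the bytes of a .VAGGEN file laid out as nonce || ciphertext || tag and
// returns the original content. Because GCM authenticates the ciphertext with the tag, a
// truncated or otherwise damaged file is rejected instead of yielding garbage output.
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	plain, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("GCM authentication failed (damaged file or wrong key): %w", err)
	}
	return plain, nil
}

// OriginalName strips the ransomware's extension to recover the pre-encryption file name.
func OriginalName(name string) string {
	return strings.TrimSuffix(name, ".VAGGEN")
}

// SealLikeVaggen builds a fixture in the same nonce || ciphertext || tag layout so the
// decryptor can be tested without a real sample. Constructed test helper, not malware code.
func SealLikeVaggen(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

func main() {
	key := []byte(vaggenKey)
	original := []byte("constructed sample document content") // constructed input
	blob, err := SealLikeVaggen(key, original)
	if err != nil {
		panic(err)
	}
	recovered, err := DecryptVaggen(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println(OriginalName("report.docx.VAGGEN"), "recovered intact:", bytes.Equal(recovered, original))
}
```

Because the tag is verified before any plaintext is returned, running the decryptor with the wrong key or on a partially written file fails cleanly rather than overwriting a file with garbage; a recovery script should therefore decrypt into a new file under the original name and only remove the .VAGGEN copy once DecryptVaggen has returned without error.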
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3114 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3115 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3116 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3117 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3118 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. 
It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3119 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3120 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3121 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3122 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3123 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3124 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3125 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3126 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3127 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3128 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3129 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3130 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. 
Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3131 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3132 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3133 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3134 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. 
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3135 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3136 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3137 of 3467 We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3138 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3139 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3140 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3141 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3142 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3143 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3144 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3145 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3146 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3147 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: 
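The chain above (Word writing two executables into %APPDATA%\Byxor, launching one of them through Shell, and then beaconing to canarytokens.com) gives a defender a concrete set of behaviours to alert on. The following Go program is an added example, not code from the article or from Malwarebytes: it runs three rules derived from those steps over a constructed, simplified telemetry trace. The Event schema, the user-profile path and the WINWORD.EXE location are this example's own assumptions; the staging directory and the two hostnames are taken from the steps above.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a constructed, simplified telemetry record (EDR/Sysmon-style);
// the field names are this example's own, not any product's schema.
type Event struct {
	Kind   string // "process", "file" or "network"
	Parent string // image of the acting (parent) process
	Target string // child image, written path, or destination host
}

// Finding records which rule matched which event.
type Finding struct {
	Rule  string
	Event Event
}

// Indicators taken from the macro description: the staging directory it
// creates under %APPDATA%, the host it downloads from, and the beacon host.
var (
	stagingDir   = `\appdata\roaming\byxor\`
	payloadHosts = []string{"notabug.org"}
	beaconHosts  = []string{"canarytokens.com"}
)

func isOffice(image string) bool {
	return strings.HasSuffix(strings.ToLower(image), `\winword.exe`)
}

func underStaging(p string) bool {
	return strings.Contains(strings.ToLower(p), stagingDir)
}

func hostIn(host string, list []string) bool {
	h := strings.ToLower(host)
	for _, x := range list {
		if h == x || strings.HasSuffix(h, "."+x) {
			return true
		}
	}
	return false
}

// Detect applies three rules derived from the macro's behaviour chain.
// Every rule keys on Word as the acting process, so downloads or launches
// by other programs are not flagged.
func Detect(events []Event) []Finding {
	var out []Finding
	for _, ev := range events {
		if !isOffice(ev.Parent) {
			continue
		}
		switch ev.Kind {
		case "file":
			if underStaging(ev.Target) && strings.HasSuffix(strings.ToLower(ev.Target), ".exe") {
				out = append(out, Finding{"office-writes-exe-to-appdata-byxor", ev})
			}
		case "process":
			if underStaging(ev.Target) {
				out = append(out, Finding{"office-spawns-exe-from-appdata-byxor", ev})
			}
		case "network":
			if hostIn(ev.Target, payloadHosts) {
				out = append(out, Finding{"office-downloads-from-notabug", ev})
			} else if hostIn(ev.Target, beaconHosts) {
				out = append(out, Finding{"office-canarytoken-beacon", ev})
			}
		}
	}
	return out
}

// SampleEvents is a constructed trace of the macro's steps; the user name
// and the Office install path are made up for the example.
func SampleEvents() []Event {
	w := `C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE`
	return []Event{
		{"network", w, "notabug.org"},
		{"file", w, `C:\Users\alice\AppData\Roaming\Byxor\Polisen.exe`},
		{"network", w, "notabug.org"},
		{"file", w, `C:\Users\alice\AppData\Roaming\Byxor\Killar.exe`},
		{"process", w, `C:\Users\alice\AppData\Roaming\Byxor\Killar.exe`},
		{"network", w, "canarytokens.com"},
		{"file", `C:\Windows\explorer.exe`, `C:\Users\alice\Desktop\notes.txt`}, // benign, not flagged
	}
}

func main() {
	for _, f := range Detect(SampleEvents()) {
		fmt.Printf("%-40s %-8s %s\n", f.Rule, f.Event.Kind, f.Event.Target)
	}
}
```

The sample trace yields six findings, one per malicious step, and none for the benign Explorer write at the end; in a real deployment the process rule alone (Word launching an executable it just wrote under AppData) is the one that fires earliest and with the fewest false positives.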
We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning system that an intruder has gained access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”).
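To read the protected strings during analysis, the transformation has to be reversed in the order just described: Base64-decode the chunk, then XXTEA-decrypt it with the hardcoded key. The Go program below is an added example written for this article; it is neither the malware's code nor the xxtea-go library. It reimplements XXTEA with the byte layout xxtea-go is assumed to use (little-endian 32-bit words, the plaintext length stored in a trailing word, keys shorter than 16 bytes zero-padded); whether a given chunk from the sample decodes with it depends on that assumption holding. The sample string is constructed here, and EncodeString exists only to build that sample.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

const delta = 0x9E3779B9 // XXTEA round constant

// mx is the XXTEA mixing function shared by encryption and decryption.
func mx(sum, y, z uint32, p int, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(uint32(p)&3)^e] ^ z))
}

func xxteaEncryptWords(v, k []uint32) {
	n := len(v)
	if n < 2 {
		return // XXTEA needs at least two words
	}
	rounds := 6 + 52/n
	var sum uint32
	z := v[n-1]
	for ; rounds > 0; rounds-- {
		sum += delta
		e := (sum >> 2) & 3
		for p := 0; p < n-1; p++ {
			y := v[p+1]
			v[p] += mx(sum, y, z, p, e, k)
			z = v[p]
		}
		y := v[0]
		v[n-1] += mx(sum, y, z, n-1, e, k)
		z = v[n-1]
	}
}

func xxteaDecryptWords(v, k []uint32) {
	n := len(v)
	if n < 2 {
		return
	}
	rounds := 6 + 52/n
	sum := uint32(rounds) * delta
	y := v[0]
	for ; rounds > 0; rounds-- {
		e := (sum >> 2) & 3
		for p := n - 1; p > 0; p-- {
			z := v[p-1]
			v[p] -= mx(sum, y, z, p, e, k)
			y = v[p]
		}
		z := v[n-1]
		v[0] -= mx(sum, y, z, 0, e, k)
		y = v[0]
		sum -= delta
	}
}

// bytesToWords packs bytes into little-endian words; with withLen the byte
// length is appended as a trailing word (assumed xxtea-go convention).
func bytesToWords(b []byte, withLen bool) []uint32 {
	n := (len(b) + 3) / 4
	words := make([]uint32, n, n+1)
	for i, c := range b {
		words[i/4] |= uint32(c) << (uint(i%4) * 8)
	}
	if withLen {
		words = append(words, uint32(len(b)))
	}
	return words
}

// wordsToBytes unpacks words; with withLen it validates and strips the
// trailing length word, which is where a wrong key normally shows up.
func wordsToBytes(w []uint32, withLen bool) ([]byte, error) {
	out := make([]byte, 4*len(w))
	for i, x := range w {
		binary.LittleEndian.PutUint32(out[4*i:], x)
	}
	if !withLen {
		return out, nil
	}
	if len(w) == 0 {
		return nil, errors.New("xxtea: empty buffer")
	}
	body := out[:4*(len(w)-1)]
	n := int(w[len(w)-1])
	if n > len(body) || n < len(body)-3 {
		return nil, errors.New("xxtea: length word out of range (wrong key or corrupt chunk)")
	}
	return body[:n], nil
}

// fixKey zero-pads a short key to 16 bytes ("STALKER" is 7 bytes).
func fixKey(key []byte) []uint32 {
	k := make([]byte, 16)
	copy(k, key)
	return bytesToWords(k, false)
}

// EncodeString builds a Base64 XXTEA chunk; used here only to construct a sample.
func EncodeString(plain, key string) string {
	w := bytesToWords([]byte(plain), true)
	xxteaEncryptWords(w, fixKey([]byte(key)))
	raw, _ := wordsToBytes(w, false)
	return base64.StdEncoding.EncodeToString(raw)
}

// DecodeString reverses the string protection: Base64, then XXTEA with the key.
func DecodeString(b64, key string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw) < 4 || len(raw)%4 != 0 {
		return "", errors.New("xxtea: chunk length must be a positive multiple of 4")
	}
	w := bytesToWords(raw, false)
	xxteaDecryptWords(w, fixKey([]byte(key)))
	out, err := wordsToBytes(w, true)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

func main() {
	const key = "STALKER" // hardcoded key reported in the article
	chunk := EncodeString("constructed ransom-note text", key)
	plain, err := DecodeString(chunk, key)
	fmt.Println(chunk, "->", plain, err)
}
```

DecodeString treats an out-of-range length word as a failure rather than returning garbage, which is how a wrong key or a corrupted chunk normally presents: after decryption the trailing word no longer matches the buffer size.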
At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3150 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3151 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3152 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3153 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3154 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3155 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3156 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3157 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3158 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3159 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3160 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3161 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3162 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3163 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3164 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3165 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3166 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3167 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3168 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3169 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3170 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3171 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3172 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3173 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3174 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3175 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3176 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3177 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and DropBox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:
1. Gets the %APPDATA% directory
2. Creates the Byxor directory in %APPDATA%
3. Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
4. Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
5. Calls the Shell function to execute killar.exe
6. Checks the return value of the Shell function to see whether execution succeeded (the return value would be the task ID of the executed application)
7. If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
8. If it isn't successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
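The template injection described above lives in the document's relationship parts rather than in any macro, so it can be checked for before the file is ever opened in Word. The following is an added example (not code from the original post or from Malwarebytes): a Go scanner that opens a .docx as a zip archive, reads word/_rels/settings.xml.rels, and reports each attachedTemplate relationship whose external target is an http or https URL. The two documents it builds for itself are constructed inputs, and the example.invalid host stands in for the real template location, which the post gives only as notabug.org. A normal document created from Normal.dotm also uses TargetMode="External", with a file:// target, which is why the check keys on the URL scheme.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// relsPart is the relationship part that Word's attachedTemplate setting
// resolves through; template injection rewrites its Target to a URL.
const relsPart = "word/_rels/settings.xml.rels"

// relationships mirrors only the fields of the OPC .rels schema we inspect.
type relationships struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// IsRemoteTarget reports whether a target would be fetched over HTTP(S).
// A local Normal.dotm is also TargetMode="External" but has a file:// target,
// so the mode alone is not a useful signal.
func IsRemoteTarget(target string) bool {
	t := strings.ToLower(strings.TrimSpace(target))
	return strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://")
}

// RemoteTemplates returns every attachedTemplate target in an in-memory .docx
// that Word would download from the network when the document is opened.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML (zip) container: %w", err)
	}
	var found []string
	for _, f := range zr.File {
		if f.Name != relsPart {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", relsPart, err)
		}
		for _, r := range rels.Rels {
			if strings.HasSuffix(r.Type, "/attachedTemplate") &&
				strings.EqualFold(r.TargetMode, "External") &&
				IsRemoteTarget(r.Target) {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

// Constructed relationship parts for the demonstration; the host in
// InjectedRels is a placeholder, not the campaign's real template URL.
const (
	relType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
	// InjectedRels: the attached template is served from a remote host.
	InjectedRels = `<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="` + relType + `" Target="https://example.invalid/raw/master/template.dotm" TargetMode="External"/>
</Relationships>`
	// LocalRels: what an ordinary document created from Normal.dotm carries.
	LocalRels = `<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="` + relType + `" Target="file:///C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm" TargetMode="External"/>
</Relationships>`
)

// BuildDocx assembles a minimal constructed .docx holding only the part this
// scanner reads; a real document carries many more parts.
func BuildDocx(rels string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create(relsPart)
	if err != nil {
		panic(err)
	}
	if _, err := w.Write([]byte(rels)); err != nil {
		panic(err)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	for _, c := range []struct{ name, rels string }{{"injected", InjectedRels}, {"local", LocalRels}} {
		hits, err := RemoteTemplates(BuildDocx(c.rels))
		fmt.Printf("%s: remote templates=%v err=%v\n", c.name, hits, err)
	}
}
```

Point RemoteTemplates at the bytes of a real attachment to triage mail or file-share uploads. A hit is not proof of malice on its own, since some organizations do serve templates over HTTP, but a template pulled from a public code-hosting site, as in this campaign, deserves a closer look, and the URL itself is an indicator worth logging.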
In this campaign, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD, to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.
main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen
A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback passed to the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (a 32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
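Because the key is fixed in the binary and the nonce and authentication tag are stored with each file, a file encrypted this way can be recovered without the author's cooperation, which is what makes the recovery the post describes possible. The following is an added example, not code from the original post or the malware: a Go decryptor for the layout the post describes (12-byte nonce, then the ciphertext, then the 16-byte GCM tag), using the key the post reports. BuildSample exists only to produce a constructed input so the example runs offline; it uses crypto/rand where the post says the sample calls CryptGenRandom. The function names and the sample plaintext are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// VaggenKey is the 32-byte key the post reports as hardcoded in the sample;
// 32 bytes selects AES-256.
const VaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

// newGCM builds AES-256-GCM so both directions share the same key checks.
// Go's default GCM uses a 12-byte nonce and a 16-byte tag, matching the post.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptVaggen recovers the plaintext of a blob laid out as
// nonce || ciphertext || tag. Open verifies the tag before returning any
// data, so a wrong key or a modified file yields an error, never garbage.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and GCM tag")
	}
	nonce, sealed := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

// BuildSample produces a constructed blob in the same layout so the decryptor
// has realistic input; Seal appends ciphertext || tag to the nonce prefix.
func BuildSample(plaintext, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	key := []byte(VaggenKey)
	blob, err := BuildSample([]byte("constructed document contents"), key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob: %d bytes = 12 nonce + %d ciphertext + 16 tag\n", len(blob), len(blob)-28)
	pt, err := DecryptVaggen(blob, key)
	fmt.Printf("right key: %q err=%v\n", pt, err)
	_, err = DecryptVaggen(blob, []byte("00000000000000000000000000000000"))
	fmt.Println("wrong key:", err)
}
```

gcm.Open checks the tag before releasing any plaintext, so a wrong key, a truncated file, or a single flipped ciphertext byte fails cleanly rather than producing garbage; a recovery tool built on this should therefore write output only after Open succeeds and keep the original .VAGGEN file until the result has been verified.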
The file content is encrypted with the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:
the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
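The layout and key described in the Vaggen ransomware section above are enough to write a recovery tool. The following Go program is an added example, not code from the Malwarebytes post or from the malware: it reverses the nonce, ciphertext, tag layout with the quoted key, relies on the GCM tag check to reject a wrong key or a damaged file instead of writing garbage, and walks a directory tree with filepath.Walk the way the malware did. The function names (decryptVaggen, makeFixture, restoreTree) and the sample data are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Layout of a .VAGGEN file as described in the analysis:
// [12-byte nonce][AES-256-GCM ciphertext][16-byte GCM tag].
const (
	nonceLen  = 12
	tagLen    = 16
	vaggenExt = ".VAGGEN"
)

// The 32-byte key quoted in the analysis; a 32-byte key selects AES-256.
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
}

// decryptVaggen recovers the plaintext from the raw bytes of a .VAGGEN file.
// gcm.Seal appended the tag to the ciphertext, so everything after the nonce
// goes to gcm.Open as one buffer; Open verifies the tag before returning any
// plaintext, so a wrong key or a damaged file yields an error, never garbage.
func decryptVaggen(key, data []byte) ([]byte, error) {
	if len(data) < nonceLen+tagLen {
		return nil, fmt.Errorf("file too short to hold nonce and tag (%d bytes)", len(data))
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, data[:nonceLen], data[nonceLen:], nil)
	if err != nil {
		return nil, errors.New("GCM tag check failed: wrong key or corrupted file")
	}
	return plain, nil
}

// makeFixture constructs a sample blob with the same layout so the decryptor
// can be exercised offline; the fixed nonce is only for reproducibility here.
func makeFixture(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := []byte("fixed-nonce!") // exactly 12 bytes, constructed
	return gcm.Seal(append([]byte{}, nonce...), nonce, plaintext, nil), nil
}

// restoreTree walks root with filepath.Walk (the same primitive the malware
// used) and writes each decrypted file next to its .VAGGEN copy, leaving the
// encrypted file in place. It returns the number of files restored.
func restoreTree(key []byte, root string) (int, error) {
	n := 0
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !strings.HasSuffix(path, vaggenExt) {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		plain, err := decryptVaggen(key, data)
		if err != nil {
			fmt.Fprintf(os.Stderr, "skip %s: %v\n", path, err)
			return nil // keep going; one bad file must not abort the run
		}
		if err := os.WriteFile(strings.TrimSuffix(path, vaggenExt), plain, 0o600); err != nil {
			return err
		}
		n++
		return nil
	})
	return n, err
}

func main() {
	dir, err := os.MkdirTemp("", "vaggen-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	blob, _ := makeFixture(vaggenKey, []byte("constructed sample document"))
	if err := os.WriteFile(filepath.Join(dir, "notes.txt"+vaggenExt), blob, 0o600); err != nil {
		panic(err)
	}
	n, err := restoreTree(vaggenKey, dir)
	fmt.Printf("restored %d file(s), err=%v\n", n, err)
}
```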
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3230 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3231 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3232 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3233 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3234 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3235 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3236 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: 
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3237 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3238 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3239 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3240 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3241 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3242 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3243 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3244 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3245 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3246 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3247 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3248 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3249 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3250 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3251 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3252 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3253 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3254 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3255 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3256 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3257 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3258 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. However, this attack and its motives differ from those previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly by email, the attacker uploaded the document to Box and Dropbox and used the share functionality of those platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. By comparison, it is much harder to detect spam arriving through file-sharing services without generating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file-sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of Shell to see whether the launch succeeded (on success, Shell returns the task ID of the launched application)
- If successful, sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- Otherwise, sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event; it can be very useful as an early-warning system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files, adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, whose entry point is the function denoted 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Three of them map to the following roles:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Each encrypted chunk is first decoded from Base64 and then decrypted with the hardcoded XXTEA key "STALKER". At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
The file content is encrypted with the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart, my money" (the string is exactly 32 bytes, the AES-256 key length). Using this key, we can easily decrypt the content. Because the key is static and the nonce is stored at the start of each file, no per-victim secret is involved: with all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike with professional ransomware, the attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
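The string decryption described in the Vaggen ransomware section above (Base64, then XXTEA under the key "STALKER"), as an added example in Go; this is not code from the sample or from the original post. It implements XXTEA itself rather than importing xxtea-go so that it runs offline. The byte-to-word packing (little-endian words, with the byte count stored in a trailing word) and the zero-padding of the 7-byte key to 16 bytes are what xxtea-go does as far as I know; treat exact compatibility with that library as an assumption and confirm it against one ciphertext pulled from the binary. The post reproduces no ciphertext, so the fixture is produced by the matching encrypt routine.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

const delta uint32 = 0x9e3779b9
const XxteaKey = "STALKER" // key string found in the sample; padded to 128 bits by keyWords

// toWords packs bytes into little-endian words; with appendLen the byte count goes
// into a final word (xxtea-go's includeLength convention, assumed here).
func toWords(b []byte, appendLen bool) []uint32 {
	n := (len(b) + 3) / 4
	if appendLen {
		n++
	}
	v := make([]uint32, n)
	for i, c := range b {
		v[i/4] |= uint32(c) << (uint(i%4) * 8)
	}
	if appendLen {
		v[n-1] = uint32(len(b))
	}
	return v
}

// fromWords unpacks the first n bytes of little-endian words.
func fromWords(v []uint32, n int) []byte {
	out := make([]byte, n)
	for i := range out {
		out[i] = byte(v[i/4] >> (uint(i%4) * 8))
	}
	return out
}

// keyWords zero-pads (or truncates) the key to the 16 bytes XXTEA requires.
func keyWords(key string) []uint32 {
	return toWords(append([]byte(key), make([]byte, 16)...)[:16], false)
}

// mx is the XXTEA mixing function (Wheeler & Needham's corrected block TEA).
func mx(sum, y, z, p, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[p&3^e] ^ z))
}

func xxteaEncrypt(v, k []uint32) { // len(v) must be >= 2
	n := uint32(len(v)) - 1
	z, rounds := v[n], 6+52/(n+1)
	for sum := delta; sum != (rounds+1)*delta; sum += delta { // delta is odd, so this runs exactly rounds times
		e := sum >> 2 & 3
		for p := uint32(0); p < n; p++ {
			v[p] += mx(sum, v[p+1], z, p, e, k)
			z = v[p]
		}
		v[n] += mx(sum, v[0], z, n, e, k)
		z = v[n]
	}
}

func xxteaDecrypt(v, k []uint32) { // exact inverse of xxteaEncrypt, sum counting down
	n := uint32(len(v)) - 1
	y := v[0]
	for sum := (6 + 52/(n+1)) * delta; sum != 0; sum -= delta {
		e := sum >> 2 & 3
		for p := n; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n], 0, e, k)
		y = v[0]
	}
}

// DecryptString reverses what the sample does to its strings: Base64-decode, XXTEA-decrypt,
// then strip padding via the trailing length word (which is where a wrong key almost always shows up).
func DecryptString(b64, key string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw) < 8 || len(raw)%4 != 0 {
		return "", errors.New("ciphertext must be at least two whole 32-bit words")
	}
	v := toWords(raw, false)
	xxteaDecrypt(v, keyWords(key))
	body, m := v[:len(v)-1], int(v[len(v)-1])
	if limit := len(body) * 4; m < limit-3 || m > limit {
		return "", errors.New("length word out of range: wrong key or corrupt data")
	}
	return string(fromWords(body, m)), nil
}

// EncryptString is the forward direction, present only to build test fixtures.
func EncryptString(plain, key string) string {
	v := toWords([]byte(plain), true)
	xxteaEncrypt(v, keyWords(key))
	return base64.StdEncoding.EncodeToString(fromWords(v, len(v)*4))
}

func main() {
	fmt.Println(DecryptString(EncryptString("constructed ransom note text", XxteaKey), XxteaKey))
}
```

To recover the real strings, feed DecryptString each Base64 blob found in the binary's data section; a wrong key or a blob that is not XXTEA output is rejected by the length-word check rather than returning garbage.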
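The .VAGGEN layout and the recovery described above, as an added Go example (not the sample's code and not a tool from the original post): it splits off the 12-byte nonce, lets AES-256-GCM authenticate ciphertext plus tag under the hardcoded 32-byte key, and walks a directory restoring every .VAGGEN file, mirroring the malware's own filepath.Walk callback in reverse. The key and the file layout are from the analysis; the function names, the restore-in-place behaviour and SealVaggen (which exists only to build test input) are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// VaggenKey is the 32-byte string hardcoded in the sample (Swedish for "you take my
// heart, my money"); its length is exactly the AES-256 key size, so it is used as-is.
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	VaggenExt = ".VAGGEN"
	nonceSize = 12 // cipher.NewGCM's standard nonce size
	tagSize   = 16 // GCM authentication tag appended by gcm.Seal
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32 bytes selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVaggen reproduces the on-disk layout from the analysis: nonce || ciphertext || tag.
// The sample draws its nonce from CryptGenRandom; crypto/rand is the equivalent here.
func SealVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst; passing the nonce as dst yields the whole file body.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenVaggen splits off the nonce and lets GCM authenticate the rest under the key.
// A wrong key or a damaged file fails closed instead of producing garbage.
func OpenVaggen(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	pt, err := gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
	if err != nil {
		return nil, fmt.Errorf("GCM authentication failed (wrong key or corrupt file): %w", err)
	}
	return pt, nil
}

// RecoverFile turns <name>.VAGGEN back into <name>; the encrypted copy is removed only
// after the plaintext has been written, so a failure loses nothing.
func RecoverFile(path string) error {
	blob, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	pt, err := OpenVaggen(VaggenKey, blob)
	if err != nil {
		return fmt.Errorf("%s: %w", path, err)
	}
	if err := os.WriteFile(strings.TrimSuffix(path, VaggenExt), pt, 0o600); err != nil {
		return err
	}
	return os.Remove(path)
}

// RecoverDir is the malware's filepath.Walk loop run in reverse over root; it returns
// how many files were restored and the first error encountered.
func RecoverDir(root string) (int, error) {
	n := 0
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !strings.HasSuffix(path, VaggenExt) {
			return err
		}
		if err := RecoverFile(path); err != nil {
			return err
		}
		n++
		return nil
	})
	return n, err
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: vaggen-recover <directory>")
		os.Exit(2)
	}
	n, err := RecoverDir(os.Args[1])
	fmt.Printf("restored %d file(s), error: %v\n", n, err)
}
```

Because GCM authenticates before it decrypts, a file that was not produced by this sample (or that was truncated in transit) is reported rather than silently written out as garbage; run the tool on a copy of the affected tree first.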
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3280 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3281 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe 
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3282 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3283 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3284 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3285 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3286 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3287 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3288 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3289 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3290 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3291 of 3467 The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3292 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3293 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3294 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of Shell to see whether the launch succeeded (on success it is the task ID of the started program)
- If successful, it sends an HTTP GET request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn't successful, it sends an HTTP GET request to:
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning system that an intruder has gained access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, which starts with the function denoted as 'main_main'. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Three of them map to the following roles:

- main_LAMNARDETTA -> main_enumDir
- main_ELDBJORT -> main_encryptFile
- main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (e.g. the content of the ransom note) are encrypted with XXTEA (using the library xxtea-go). Encrypted chunks are first decoded from Base64 and then decrypted with the hardcoded XXTEA key (“STALKER”).
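Recovering the note and other strings statically means reimplementing XXTEA with the same conventions the binary's library uses. The Go below is an added example, not the malware's code or the xxtea-go library itself: it implements Corrected Block TEA with little-endian words, a key zero-padded to 16 bytes and the plaintext length stored in a trailing word, which is how the PHP-derived xxtea ports (xxtea-go included, to my reading of it) lay out data; treat that format as an assumption and confirm it against a real blob from the sample before trusting output. EncryptString exists only to build test data, since the write-up shows no real ciphertext; the note text is constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

var vaggenKey = []byte("STALKER") // the hardcoded string key named in the write-up

const delta = 0x9E3779B9

// mx is the Corrected Block TEA mixing function (Wheeler and Needham).
func mx(sum, y, z, p, e uint32, k *[4]uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// fixKey zero-pads (or truncates) the key to 128 bits, so "STALKER" becomes
// 7 key bytes followed by 9 zero bytes (assumed to match xxtea-go's handling).
func fixKey(key []byte) *[4]uint32 {
	var buf [16]byte
	copy(buf[:], key)
	le := binary.LittleEndian.Uint32
	return &[4]uint32{le(buf[0:]), le(buf[4:]), le(buf[8:]), le(buf[12:])}
}

func encryptWords(v []uint32, k *[4]uint32) {
	n := uint32(len(v)) - 1
	z, sum := v[n], uint32(0)
	for q := 6 + 52/(n+1); q > 0; q-- {
		sum += delta
		e := (sum >> 2) & 3
		for p := uint32(0); p < n; p++ {
			v[p] += mx(sum, v[p+1], z, p, e, k)
			z = v[p]
		}
		v[n] += mx(sum, v[0], z, n, e, k)
		z = v[n]
	}
}

func decryptWords(v []uint32, k *[4]uint32) {
	n := uint32(len(v)) - 1
	y := v[0]
	for sum := (6 + 52/(n+1)) * delta; sum != 0; sum -= delta {
		e := (sum >> 2) & 3
		for p := n; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n], 0, e, k)
		y = v[0]
	}
}

// toWords packs bytes into little-endian words; withLength appends the byte count.
func toWords(b []byte, withLength bool) []uint32 {
	v := make([]uint32, (len(b)+3)/4, (len(b)+3)/4+1)
	for i, c := range b {
		v[i/4] |= uint32(c) << uint(8*(i%4))
	}
	if withLength {
		v = append(v, uint32(len(b)))
	}
	return v
}

// toBytes unpacks words; withLength validates the trailer and trims padding.
func toBytes(v []uint32, withLength bool) ([]byte, error) {
	out := make([]byte, 4*len(v))
	for i, w := range v {
		binary.LittleEndian.PutUint32(out[4*i:], w)
	}
	if !withLength {
		return out, nil
	}
	n, limit := int(v[len(v)-1]), 4*(len(v)-1)
	if n > limit || n < limit-3 { // also catches most wrong-key decryptions
		return nil, fmt.Errorf("xxtea: length trailer %d out of range", n)
	}
	return out[:n], nil
}

// EncryptString is what the author ran at build time: XXTEA, then Base64.
func EncryptString(plain string, key []byte) string {
	v := toWords([]byte(plain), true)
	encryptWords(v, fixKey(key))
	raw, _ := toBytes(v, false)
	return base64.StdEncoding.EncodeToString(raw)
}

// DecryptString reverses it, the step an analyst runs over each extracted blob.
func DecryptString(encoded string, key []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(raw) < 8 || len(raw)%4 != 0 {
		return "", fmt.Errorf("xxtea: bad blob (%d bytes, %v)", len(raw), err)
	}
	v := toWords(raw, false)
	decryptWords(v, fixKey(key))
	plain, err := toBytes(v, true)
	return string(plain), err
}

func main() { // constructed note text: the write-up shows no real ciphertext
	blob := EncryptString("Your files are encrypted. Pay 80 USD in Bitcoin.", vaggenKey)
	note, err := DecryptString(blob, vaggenKey)
	fmt.Printf("blob=%s\nnote=%q err=%v\n", blob, note, err)
}
```

The length trailer doubles as a cheap sanity check: a wrong key almost always produces an out-of-range value, so the decoder fails loudly instead of returning binary noise that looks like a decrypted string.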
At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming the files is implemented as the callback passed to the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode; the encryption routine is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom, and the file content is encrypted with the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) consists of:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money” (the phrase is 31 characters; the trailing “0” brings the key to the 32 bytes AES-256 requires). Using this key, we can easily decrypt the content. Because the key is embedded in the binary rather than generated per victim and handed to the attacker, it is the same for every infection, so one key recovers every victim's files. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.
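Putting the layout together (12-byte nonce, ciphertext, 16-byte tag, which is exactly what Go's gcm.Seal(nonce, nonce, plaintext, nil) writes), a decryptor is short. The program below is an added example, not Malwarebytes' tool or the sample's own code. SealLikeVaggen exists only to construct test data (it draws the nonce from crypto/rand instead of CryptGenRandom, and it assumes .VAGGEN is appended to the original file name, both assumptions); OpenVaggen and DecryptFile do the recovery. GCM authenticates the data, so a wrong key, a truncated file or a flipped byte fails closed rather than producing garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// VaggenKey is the hardcoded AES-256 key recovered from the sample; the
// trailing "0" is what brings the Swedish phrase to exactly 32 bytes.
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	nonceSize = 12 // the default nonce size of crypto/cipher's GCM
	tagSize   = 16 // the tag gcm.Seal appends to the ciphertext
	ext       = ".VAGGEN"
)

// newGCM builds the AEAD exactly as a Go program using aes.NewCipher and
// cipher.NewGCM would, so Seal and Open agree on the layout.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("want a 32-byte AES-256 key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealLikeVaggen reproduces the on-disk layout nonce || ciphertext || tag. The
// malware draws its nonce from CryptGenRandom; crypto/rand stands in here
// (assumption). It exists only to build test data for the decryptor.
func SealLikeVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Passing nonce as dst makes Seal append ciphertext and tag right after it.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenVaggen recovers the plaintext from the body of a .VAGGEN file. GCM checks
// the tag, so a wrong key or a damaged file fails closed instead of handing
// back garbage that a careless tool would write over the victim's data.
func OpenVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceSize],  blob[nonceSize:], nil)
}

// RestoreName strips the ransomware's extension, assuming it was appended to
// the original file name; ok is false when the name does not carry it.
func RestoreName(name string) (string, bool) {
	if !strings.HasSuffix(name, ext) || len(name) == len(ext) {
		return "", false
	}
	return strings.TrimSuffix(name, ext), true
}

// DecryptFile writes the recovered file next to the encrypted one and leaves
// the .VAGGEN copy in place, so a failed run cannot destroy evidence.
func DecryptFile(key []byte, encPath string) (string, error) {
	outPath, ok := RestoreName(encPath)
	if !ok {
		return "", fmt.Errorf("%s does not end in %s", encPath, ext)
	}
	blob, err := os.ReadFile(encPath)
	if err != nil {
		return "", err
	}
	plain, err := OpenVaggen(key, blob)
	if err != nil {
		return "", fmt.Errorf("%s: %w", encPath, err)
	}
	if err := os.WriteFile(outPath, plain, 0o600); err != nil {
		return "", err
	}
	return outPath, nil
}

func main() { // constructed sample: encrypt a small file, then recover it
	dir, _ := os.MkdirTemp("", "vaggen")
	defer os.RemoveAll(dir)
	enc := filepath.Join(dir, "thesis.docx"+ext)
	blob, _ := SealLikeVaggen(VaggenKey, []byte("constructed plaintext"))
	os.WriteFile(enc, blob, 0o600)
	out, err := DecryptFile(VaggenKey, enc)
	fmt.Println(out, err)
}
```

To recover a whole tree, wrap DecryptFile in filepath.Walk over the affected directory, the same traversal the malware used for encryption, and only delete the .VAGGEN copies after every file has verified.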
Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It's unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

File hashes are SHA-256; URLs are defanged with [.].

Variant 1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3337 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3338 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3339 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3340 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3341 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3342 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3343 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3344 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3345 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3346 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3347 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3348 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3349 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3350 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3351 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3352 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3353 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3354 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3355 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3356 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3357 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3358 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

    Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
- If successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
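The chain just described (a remote .dotm fetched from a code host by Office, two executables pulled from the same raw URL path, execution out of %APPDATA%\Byxor, and a canarytokens.com callback) gives a defender several telemetry points. The Go program below is an added example, not code from the original post or from the malware: it runs a few matching rules over a constructed feed of proxy and process-creation events. The hosts, the polisen.exe/killar.exe paths, the canary URL and the Byxor directory come from the post; the key=value line layout, the user name, the Office user-agent token and the placeholder path of the .dotm (the post does not give it) are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one log line that matched an indicator from the post, with the reason.
type Finding struct {
	Line   string
	Reason string
}

// SampleLog is a constructed, simplified telemetry feed (kind=... key=value pairs).
// Hosts, executable paths and the %APPDATA%\Byxor drop directory come from the post;
// the user name, the .dotm path and the field layout are assumptions for this example.
var SampleLog = []string{
	`kind=proxy host=notabug.org path=/EXAMPLE-REPO/raw/master/template.dotm agent=Microsoft_Office_Word`,
	`kind=proxy host=notabug.org path=/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe agent=Microsoft_Office_Word`,
	`kind=proxy host=notabug.org path=/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe agent=Microsoft_Office_Word`,
	`kind=process image=C:\Users\alice\AppData\Roaming\Byxor\Killar.exe parent=WINWORD.EXE`,
	`kind=proxy host=canarytokens.com path=/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp agent=Microsoft_Office_Word`,
	`kind=proxy host=www.example.org path=/index.html agent=Firefox`,
}

// parseKV splits "k=v" tokens into a lower-cased map; tokens without '=' are ignored.
func parseKV(line string) map[string]string {
	m := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			m[strings.ToLower(k)] = strings.ToLower(v)
		}
	}
	return m
}

// Classify returns why a line matches the post's infection chain, or "" if it does not.
func Classify(line string) string {
	f := parseKV(line)
	switch f["kind"] {
	case "proxy":
		host, path, agent := f["host"], f["path"], f["agent"]
		officeUA := strings.Contains(agent, "office")
		switch {
		case host == "notabug.org" && strings.HasSuffix(path, ".dotm") && officeUA:
			return "remote .dotm template fetched from code host by Office (template injection)"
		case host == "notabug.org" && strings.Contains(path, "/raw/master/") && strings.HasSuffix(path, ".exe"):
			return "executable downloaded from code-host raw URL"
		case host == "canarytokens.com":
			return "canarytokens.com beacon (document opened / payload result)"
		}
	case "process":
		image, parent := f["image"], f["parent"]
		switch {
		case strings.Contains(image, `\appdata\roaming\byxor\`):
			return `executable launched from %APPDATA%\Byxor`
		case strings.HasSuffix(parent, "winword.exe") && strings.HasSuffix(image, ".exe"):
			return "executable spawned by WINWORD.EXE"
		}
	}
	return ""
}

// Scan runs Classify over every line and collects the matches in input order.
func Scan(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		if r := Classify(l); r != "" {
			out = append(out, Finding{Line: l, Reason: r})
		}
	}
	return out
}

func main() {
	for _, f := range Scan(SampleLog) {
		fmt.Printf("%-75s <- %s\n", f.Reason, f.Line)
	}
}
```

The rules deliberately key on behaviour (Office fetching a .dotm from a code host, an executable arriving from a raw repository path, a process image under a fresh %APPDATA% subdirectory) rather than on the exact file hashes, so they still fire on the other four template variants listed in the IOCs, which reuse the same pattern with different names.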
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Three of them could be mapped to their functionality:

- main_LAMNARDETTA -> main_enumDir
- main_ELDBJORT -> main_encryptFile
- main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64; the XXTEA key is hardcoded (“STALKER”).

At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom.
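The string protection described above (Base64, then XXTEA under the hardcoded key “STALKER”) is what an analyst has to reverse to read the ransom note and other strings statically, without running the sample. The Go code below is an added example, not code from the original post, from the sample or from the xxtea-go library: it is a self-contained XXTEA implementation. The 16-byte zero-padded key and the trailing length word are the framing of the reference xxtea implementation and are assumed here to be what xxtea-go uses; no ciphertext from the sample is reproduced, so the Base64 blob it decodes is a fixture produced by its own EncodeString.

```go
package main

import "encoding/base64"

const delta = 0x9E3779B9 // XXTEA golden-ratio constant

// words packs bytes little-endian into uint32s; withLen appends the byte count as a trailing word (reference xxtea framing, assumed to match xxtea-go).
func words(b []byte, withLen bool) []uint32 {
	n := (len(b) + 3) / 4
	if withLen {
		n++
	}
	v := make([]uint32, n)
	for i, c := range b {
		v[i>>2] |= uint32(c) << (uint(i&3) * 8)
	}
	if withLen {
		v[n-1] = uint32(len(b))
	}
	return v
}

// unwords is the inverse; with withLen it validates the trailing length word and returns nil when it is inconsistent, which is how a wrong key shows up.
func unwords(v []uint32, withLen bool) []byte {
	n := len(v) * 4
	if withLen {
		m := int(v[len(v)-1])
		if m < n-7 || m > n-4 {
			return nil
		}
		n = m
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = byte(v[i>>2] >> (uint(i&3) * 8))
	}
	return out
}

// key16 zero-pads the key to 16 bytes: "STALKER" becomes "STALKER" followed by nine zero bytes.
func key16(key []byte) []uint32 {
	k := make([]byte, 16)
	copy(k, key)
	return words(k, false)
}

func mx(sum, y, z, p, e uint32, k []uint32) uint32 { // the reference MX macro
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// xxtea runs the block cipher in place over v (at least 2 words); encrypt=false reverses the rounds.
func xxtea(v, k []uint32, encrypt bool) []uint32 {
	n := uint32(len(v))
	rounds := 6 + 52/n
	if encrypt {
		sum, y, z := uint32(0), uint32(0), v[n-1]
		for ; rounds > 0; rounds-- {
			sum += delta
			e := (sum >> 2) & 3
			for p := uint32(0); p < n-1; p++ {
				y = v[p+1]
				v[p] += mx(sum, y, z, p, e, k)
				z = v[p]
			}
			y = v[0]
			v[n-1] += mx(sum, y, z, n-1, e, k)
			z = v[n-1]
		}
		return v
	}
	sum, y, z := rounds*delta, v[0], uint32(0)
	for ; rounds > 0; rounds-- {
		e := (sum >> 2) & 3
		for p := n - 1; p > 0; p-- {
			z = v[p-1]
			v[p] -= mx(sum, y, z, p, e, k)
			y = v[p]
		}
		z = v[n-1]
		v[0] -= mx(sum, y, z, 0, e, k)
		y = v[0]
		sum -= delta
	}
	return v
}

// DecodeString reverses the protection the post describes: Base64 decode, then XXTEA decrypt; ok is false for malformed input or a failed length check (wrong key or corrupt data).
func DecodeString(b64 string, key []byte) (string, bool) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) < 8 || len(raw)%4 != 0 {
		return "", false
	}
	out := unwords(xxtea(words(raw, false), key16(key), false), true) // nil on a bad length word
	return string(out), out != nil
}

// EncodeString is the forward direction, used here only to build a constructed test fixture.
func EncodeString(plain string, key []byte) string {
	return base64.StdEncoding.EncodeToString(unwords(xxtea(words([]byte(plain), true), key16(key), true), false))
}
```

The length word doubles as a cheap integrity check: a wrong key turns the last decrypted word into noise, the range test in unwords fails, and DecodeString reports failure instead of returning garbage, which is what you want when trying candidate keys against a batch of extracted Base64 strings.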
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) is laid out as:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom.

It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
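The recovery the post describes, as an added example that is not code from the original post or from the sample: a Go decryptor that parses the nonce || ciphertext || tag layout of a .VAGGEN file with the hardcoded 32-byte key and restores every such file under a directory tree. DecryptVaggen, RestoreTree and makeSampleVaggen are names chosen for this example; the fixture builder exists only so the decryptor can be exercised offline. It uses gcm.Open, which checks the GCM tag, so a wrong key or a damaged file is reported rather than written out as garbage, and the encrypted copies are left in place so an interrupted run loses nothing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// VaggenKey is the 32-byte hardcoded AES-256 key reported in the post.
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	vaggenExt = ".VAGGEN"
	nonceSize = 12 // nonce length the post describes (CryptGenRandom output in the sample)
	tagSize   = 16 // GCM tag appended by gcm.Seal
)

// DecryptVaggen parses nonce || ciphertext || tag and returns the plaintext. gcm.Open
// verifies the tag, so a wrong key or a damaged file fails cleanly instead of producing garbage.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes, got %d", len(key))
	}
	if len(blob) < nonceSize+tagSize {
		return nil, fmt.Errorf("file too short (%d bytes) to hold a nonce and a GCM tag", len(blob))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Open expects the tag to trail the ciphertext, which is exactly the file layout.
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// RestoreTree walks root (filepath.Walk, as the sample does), decrypts every *.VAGGEN file
// next to itself under its original name, and returns how many files it restored.
func RestoreTree(root string, key []byte) (int, error) {
	restored := 0
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if info.IsDir() || !strings.HasSuffix(path, vaggenExt) {
			return nil
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		plain, err := DecryptVaggen(blob, key)
		if err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		if err := os.WriteFile(strings.TrimSuffix(path, vaggenExt), plain, 0o600); err != nil {
			return err
		}
		restored++
		return nil
	})
	return restored, err
}

// makeSampleVaggen builds a constructed .VAGGEN blob in the described layout so the
// decryptor can be exercised offline. It is a test fixture, not the sample's code.
func makeSampleVaggen(plain, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to dst; passing the nonce as dst yields nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "vaggen-demo")
	defer os.RemoveAll(dir)
	blob, _ := makeSampleVaggen([]byte("constructed sample document"), VaggenKey)
	_ = os.WriteFile(filepath.Join(dir, "thesis.docx"+vaggenExt), blob, 0o600)
	n, err := RestoreTree(dir, VaggenKey)
	fmt.Println("restored:", n, "err:", err)
}
```

Run it against a copy of the affected directory, not the originals, and only after the ransomware process has been stopped; the tag check means a partially written or truncated .VAGGEN file is reported by path instead of being silently restored wrong.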
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3374 of 3467 With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. 
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3375 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3376 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3377 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3378 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3379 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3380 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3381 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3382 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3383 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3384 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3385 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3386 of 3467 The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3387 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3388 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3389 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3390 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3391 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3392 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3393 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3394 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. 
With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3395 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3396 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3397 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3398 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3399 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3400 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3401 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3402 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3403 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3404 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe 
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3405 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3406 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. 
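As an added example, not code from the original post or from the malware, here is a Go decoder for the Base64-then-XXTEA string scheme described above, keyed with “STALKER”. The key padding, little-endian word packing and trailing length word are my assumptions about the xxtea-go library's conventions; the encoder (encodeChunk) exists only to construct a sample chunk offline, so the round trip is self-consistent even if a real chunk's conventions differ. All function names are mine.

```go
package main

import (
	"encoding/base64"
	"errors"
)

// Key reported in the write-up. Key padding, little-endian word packing and the
// trailing length word follow xxtea-go's conventions as I understand them (an assumption).
const xxteaKey = "STALKER"
const delta = 0x9E3779B9

// toWords packs little-endian bytes into words, optionally appending the byte count.
func toWords(b []byte, includeLength bool) []uint32 {
	v := make([]uint32, (len(b)+3)/4)
	if includeLength {
		v = append(v, uint32(len(b)))
	}
	for i, c := range b {
		v[i>>2] |= uint32(c) << (uint(i&3) * 8)
	}
	return v
}

// toBytes unpacks words; with includeLength the trailing word is the original
// byte count and is validated, which catches a wrong key early.
func toBytes(v []uint32, includeLength bool) ([]byte, error) {
	n := len(v) * 4
	if m := int(v[len(v)-1]); includeLength && (m < n-7 || m > n-4) {
		return nil, errors.New("length word out of range: wrong key or corrupt chunk")
	} else if includeLength {
		n = m
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = byte(v[i>>2] >> (uint(i&3) * 8))
	}
	return out, nil
}

// fixKey zero-pads (or truncates) the key to the 128 bits XXTEA uses.
func fixKey(k []byte) []uint32 {
	key := make([]byte, 16)
	copy(key, k)
	return toWords(key, false)
}

func mx(sum, y, z, p, e uint32, k []uint32) uint32 {
	return (((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// encryptWords is the standard XXTEA forward pass, present only so a sample chunk
// can be constructed for the decoder.
func encryptWords(v, k []uint32) []uint32 {
	n := uint32(len(v) - 1)
	z, sum := v[n], uint32(0)
	for q := 6 + 52/(n+1); q > 0; q-- {
		sum += delta
		e := (sum >> 2) & 3
		var p uint32
		for p = 0; p < n; p++ {
			v[p] += mx(sum, v[p+1], z, p, e, k)
			z = v[p]
		}
		v[n] += mx(sum, v[0], z, n, e, k)
		z = v[n]
	}
	return v
}

// decryptWords is the XXTEA inverse pass (needs at least two words).
func decryptWords(v, k []uint32) []uint32 {
	n := uint32(len(v) - 1)
	y := v[0]
	for sum := (6 + 52/(n+1)) * delta; sum != 0; sum -= delta {
		e := (sum >> 2) & 3
		for p := n; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n], 0, e, k)
		y = v[0]
	}
	return v
}

// encodeChunk builds a constructed Base64+XXTEA chunk in the described format.
func encodeChunk(plain, key []byte) string {
	enc, _ := toBytes(encryptWords(toWords(plain, true), fixKey(key)), false)
	return base64.StdEncoding.EncodeToString(enc)
}

// decodeChunk reverses the steps the write-up describes: Base64-decode the
// chunk, then XXTEA-decrypt it with the hardcoded key.
func decodeChunk(b64 string, key []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw) < 8 {
		return "", errors.New("chunk shorter than the two words XXTEA needs")
	}
	plain, err := toBytes(decryptWords(toWords(raw, false), fixKey(key)), true)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	text, err := decodeChunk(encodeChunk([]byte("constructed note"), []byte(xxteaKey)), []byte(xxteaKey))
	println(text, err == nil)
}
```

The length-word check in toBytes is the useful part for an analyst: when a candidate key is wrong, the trailing word almost never lands in the valid range, so a bad key is reported instead of producing binary noise.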
Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3407 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3408 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3409 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3410 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. 
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3411 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3412 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3413 of 3467 We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3414 of 3467 The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3415 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3416 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3417 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3418 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3419 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3420 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3421 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3422 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3423 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: 
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3424 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3425 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3426 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3427 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3428 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3429 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. 
It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3430 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3431 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3432 of 3467 According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. 
This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3433 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3434 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3435 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3436 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3437 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3438 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3439 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3440 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3441 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3442 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3443 of 3467 who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult! According to UBC, less than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services. Phishing document analysis The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3444 of 3467 When the macro is executed, it does the following: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3445 of 3467 Gets the %APPDATA% directory Creates the Byxor directory in %APPDATA% Downloads a file from the following url and writes it as Polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe Downloads a file from the following url and writes it as Killar.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe Calls shell function to execute killar.exe Checks the output of shell function and whether it was successful (return value would be task Id of executed application) If successful, it sends a GET http request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp If it isn’t successful, it sends a GET http request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language. Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. 
This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Vaggen ransomware https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3446 of 3467 After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin. The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRen A full list of the functions, along with their RVAs can be found here. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3447 of 3467 Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop. Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3448 of 3467 Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3449 of 3467 The content of the output file (with .VAGGEN extension) contains: the 12 bytes long nonce the encrypted content the 16 byte long GCM Tag https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3450 of 3467 The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3451 of 3467 Unusually low ransom amount Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack. We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were. 
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3452 of 3467 IOCs Variant1: summerofficetemplate.dotm 634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4 notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant2: UBC-COVID19-Survey-Mandatory.docx e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3 template.dotm 334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1 notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3453 of 3467 polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f Variant3: template1.dotm 225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp Variant4: smoothtemplates.dotm ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1 
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6 irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe Variant5: template.dotm: 7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4 notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23 mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero. In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ Page 3454 of 3467 However, this attack and motives are different than the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files. On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team. 
Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and Dropbox and used the share functionality from these platforms to distribute it. This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP! You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly.
This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org). Because the .docx itself carries no macro, only a relationship pointing at the remote template, scanners that look for VBA inside the attachment see nothing; the macro arrives only when Word fetches template.dotm.

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of Shell to see whether the launch succeeded (on success it is the task ID of the executed application)
- If successful, sends a GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, sends a GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
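A document like this can be triaged before anyone opens it in Word by looking for the relationship that template injection depends on: in a .docx the attached template is declared in word/_rels/settings.xml.rels, and a remote one appears as a Relationship of type attachedTemplate with TargetMode="External" and an http(s) Target. The Go program below is an added example for this page, not code from the original post or from the threat actor. It builds a stub archive in memory whose settings part points at a made-up template URL (https://example.invalid/template.dotm, an assumption for the example, not an indicator from the incident), then reports every external attached template and whether the file also embeds its own VBA project.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Relationship mirrors one <Relationship> element of an OOXML .rels part.
type Relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Rels []Relationship `xml:"Relationship"`
}

// RemoteTemplates scans an in-memory .docx (a zip of OOXML parts) and returns
// every attachedTemplate relationship whose target is external, plus whether
// the document carries its own VBA project (macros inside the file itself).
func RemoteTemplates(docx []byte) (remote []Relationship, hasVBA bool, err error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, false, err
	}
	for _, f := range zr.File {
		switch {
		case f.Name == "word/vbaProject.bin":
			hasVBA = true
		case strings.HasPrefix(f.Name, "word/_rels/") && strings.HasSuffix(f.Name, ".rels"):
			rc, err := f.Open()
			if err != nil {
				return nil, false, err
			}
			data, err := io.ReadAll(rc)
			rc.Close()
			if err != nil {
				return nil, false, err
			}
			var rels relationships
			if err := xml.Unmarshal(data, &rels); err != nil {
				return nil, false, fmt.Errorf("%s: %w", f.Name, err)
			}
			for _, r := range rels.Rels {
				// Template injection needs both: an external target and the
				// attachedTemplate relationship type that makes Word fetch it.
				if r.TargetMode == "External" && strings.HasSuffix(r.Type, "/attachedTemplate") {
					remote = append(remote, r)
				}
			}
		}
	}
	return remote, hasVBA, nil
}

// buildSampleDocx constructs a stub archive with only the parts the check needs.
// The template URL is invented for this example; the hyperlink relationship is
// there to show that not every external target is a remote template.
func buildSampleDocx() []byte {
	const rels = `<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="https://example.invalid/template.dotm" TargetMode="External"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/help" TargetMode="External"/>
</Relationships>`
	const settings = `<?xml version="1.0" encoding="UTF-8"?>
<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>`
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range map[string]string{
		"word/document.xml":            `<w:document/>`,
		"word/settings.xml":            settings,
		"word/_rels/settings.xml.rels": rels,
	} {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(body)); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	remote, hasVBA, err := RemoteTemplates(buildSampleDocx())
	if err != nil {
		panic(err)
	}
	for _, r := range remote {
		fmt.Printf("remote attached template %s -> %s\n", r.ID, r.Target)
	}
	fmt.Println("embedded vbaProject.bin:", hasVBA)
}
```

The check reports rId1 and ignores the ordinary hyperlink, which is the distinction that matters in triage: an external attachedTemplate is what makes Word reach out for a .dotm on open, and that is where the macro in this campaign lives.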
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 byte long nonce generated by CryptGenRandom.
The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12 byte long nonce
- the encrypted content
- the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. Because the key is static and embedded in the binary, recovery needs nothing beyond the sample itself; the random per-file nonce only keeps identical plaintexts from producing identical ciphertexts, and the 16 byte tag means a tampered or truncated .VAGGEN file fails authentication rather than decrypting to garbage. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily. However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens.

It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
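The on-disk layout described in the Vaggen ransomware section above (12 byte nonce, ciphertext, 16 byte tag) is exactly what Go’s gcm.Seal produces when the nonce slice is passed as the destination, which is why a decryptor needs nothing more than the quoted key. The Go program below is an added example written for this page, not the malware’s code and not a Malwarebytes tool. It seals a constructed stand-in for a victim’s file the way the post describes (crypto/rand standing in for CryptGenRandom), splits the result back into its three fields, recovers the plaintext with the hardcoded key, and shows that a flipped tag bit or a truncated file is rejected by gcm.Open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Key recovered from the binary as quoted in the write-up: 32 bytes, hence AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceLen = 12 // cipher.NewGCM default nonce size
	tagLen   = 16 // GCM authentication tag appended by Seal
)

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(vaggenKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealLikeVaggen reproduces the on-disk layout: a fresh random nonce followed by
// gcm.Seal's output, which is ciphertext then tag. Passing the nonce as dst makes
// Seal append to it, so the result is nonce || ciphertext || tag in one slice.
func SealLikeVaggen(plaintext []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SplitLayout separates a .VAGGEN blob into its three fields without decrypting,
// which is enough to sanity-check a file before attempting recovery.
func SplitLayout(blob []byte) (nonce, ciphertext, tag []byte, err error) {
	if len(blob) < nonceLen+tagLen {
		return nil, nil, nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	return blob[:nonceLen], blob[nonceLen : len(blob)-tagLen], blob[len(blob)-tagLen:], nil
}

// OpenVaggen recovers the plaintext. gcm.Open expects ciphertext||tag, so only the
// nonce is split off; a wrong key, flipped bit or truncation fails authentication.
func OpenVaggen(blob []byte) ([]byte, error) {
	nonce, _, _, err := SplitLayout(blob)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, blob[nonceLen:], nil)
}

func main() {
	// Constructed stand-in for a victim's file; not content from the incident.
	original := []byte("Q3 budget draft - internal only")
	blob, err := SealLikeVaggen(original)
	if err != nil {
		panic(err)
	}
	nonce, ct, tag, _ := SplitLayout(blob)
	fmt.Printf("nonce=%x ciphertext=%d bytes tag=%x\n", nonce, len(ct), tag)

	recovered, err := OpenVaggen(blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\n", recovered)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // corrupt one bit of the tag
	_, err = OpenVaggen(tampered)
	fmt.Println("tampered file:", err)
}
```

On a real .VAGGEN file the only input that changes is the blob read from disk; every encrypted file is 28 bytes longer than its original, and a file that does not satisfy that minimum was not produced by this sample.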
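The string protection noted in the Vaggen ransomware section above (Base64, then XXTEA under the hardcoded key “STALKER”) is the other piece an analyst has to undo to read the ransom note out of the binary. The Go code below is an added example, not the malware’s code and not the xxtea-go library itself; it assumes the library’s framing (little-endian 32-bit words, the plaintext byte count stored as a trailing word, the key zero-padded to 16 bytes), so if a real sample’s strings do not decode the first thing to revisit is that framing. Since the post does not reproduce the encrypted strings, the example protects a constructed stand-in for the note and then recovers it.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

const delta uint32 = 0x9e3779b9 // XXTEA round constant

// bytesToWords packs little-endian words (xxtea-go framing); withLength appends the byte count as a trailing word.
func bytesToWords(b []byte, withLength bool) []uint32 {
	v := make([]uint32, (len(b)+3)/4+1)
	for i, c := range b {
		v[i/4] |= uint32(c) << (8 * uint(i%4))
	}
	if withLength {
		v[len(v)-1] = uint32(len(b))
		return v
	}
	return v[:len(v)-1]
}

// wordsToBytes inverts bytesToWords; withLength trims by the trailer and returns nil if that trailer is impossible.
func wordsToBytes(v []uint32, withLength bool) []byte {
	out := make([]byte, len(v)*4)
	for i, w := range v {
		binary.LittleEndian.PutUint32(out[i*4:], w)
	}
	if !withLength {
		return out
	}
	if n, limit := v[len(v)-1], uint32((len(v)-1)*4); n <= limit && n+3 >= limit {
		return out[:n]
	}
	return nil // a wrong key or corrupt data almost always lands here
}

// keyWords zero-pads (or truncates) the key to the 16 bytes XXTEA uses; "STALKER" gets 9 zero bytes.
func keyWords(key string) []uint32 {
	return bytesToWords(append([]byte(key), make([]byte, 16)...)[:16], false)
}

func mx(sum, y, z, p, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// btea is the reference XXTEA routine, in place on v; callers guarantee at least one word.
func btea(v, k []uint32, encrypt bool) []uint32 {
	n := uint32(len(v))
	rounds := 6 + 52/n
	if encrypt {
		var sum uint32
		z := v[n-1]
		for ; rounds > 0; rounds-- {
			sum += delta
			e := (sum >> 2) & 3
			for p := uint32(0); p < n-1; p++ {
				v[p] += mx(sum, v[p+1], z, p, e, k)
				z = v[p]
			}
			v[n-1] += mx(sum, v[0], z, n-1, e, k)
			z = v[n-1]
		}
		return v
	}
	y := v[0]
	for sum := rounds * delta; sum != 0; sum -= delta {
		e := (sum >> 2) & 3
		for p := n - 1; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n-1], 0, e, k)
		y = v[0]
	}
	return v
}

// DecryptString undoes the sample's string protection: Base64 first, then XXTEA under the hardcoded key.
func DecryptString(b64, key string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw) < 8 || len(raw)%4 != 0 {
		return "", fmt.Errorf("%d bytes is not a whole number of XXTEA words", len(raw))
	}
	out := wordsToBytes(btea(bytesToWords(raw, false), keyWords(key), false), true)
	if out == nil {
		return "", fmt.Errorf("length trailer out of range: wrong key or corrupt data")
	}
	return string(out), nil
}

// EncryptString is the forward direction, used here only to build sample data.
func EncryptString(plain, key string) string {
	return base64.StdEncoding.EncodeToString(wordsToBytes(btea(bytesToWords([]byte(plain), true), keyWords(key), true), false))
}

func main() {
	ct := EncryptString("Your files are encrypted. Pay 80 USD in Bitcoin.", "STALKER") // constructed stand-in for the note
	pt, err := DecryptString(ct, "STALKER")
	fmt.Printf("blob=%s\nrecovered=%q err=%v\n", ct, pt, err)
}
```

The trailing length word doubles as a cheap key check: with the wrong key it decrypts to an arbitrary 32-bit value that almost never fits the block, so DecryptString reports an error instead of handing back noise.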
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a

Source: https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/