# SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center SANS Site Network Current Site SANS Internet Storm Center Other SANS Sites Help Graduate Degree Programs Security Training Security Certification Security Awareness Training Penetration Testing Industrial Control Systems Cyber Defense Foundations DFIR Software Security Government OnSite Training InfoSec Handlers Diary Blog **isc.sans.edu/diary/23417** ## Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there **Published: 2018-03-07** **Last Updated: 2018-03-07 03:53:31 UTC** **by** [Brad Duncan (Version: 1)](https://isc.sans.edu/handler_list.html#brad-duncan) [0 comment(s)](https://isc.sans.edu/forums/diary/Ransomware+news+GlobeImposter+gets+a+facelift+GandCrab+is+still+out+there/23417/#comments) **_Introduction_** I recently found a wave of malicious spam (malspam) that started as early as Monday 201803-05 at 18:28 UTC and lasted through at least Tuesday 2018-03-06 at 14:44 UTC. This wave of malspam had Word documents as file attachments, and these Word docs had macros designed to infect Windows hosts with ransomware. When I checked Monday evening, I infected one of my lab hosts with GlobeImposter ransomware. When I checked Tuesday morning, I saw GandCrab ransomware. This is interesting, because in 2018, I've seen very few examples of mass-distribution malspam pushing ransomware. So far in 2018, such malspam has been pushing mostly information stealers, backdoors, and cryptocurrency miners. So it's always noteworthy when I find something like this. Today's diary examines this wave of malspam, the infection traffic, and associated indicators. ----- _Shown above: Flow chart for an infection from this malspam._ **_The emails_** Patterns for these emails were consistent, but I couldn't match them to a specific campaign. Sending addresses, subject lines, email headers, and message text were all varied. The only consistent part of this malspam was the Word document attachments, which were all named " Resume.doc" with a space before the first letter. And even then, each attachment had a different file hash. ----- _Shown above: Screenshot from the spreadsheet tracker with 24 email samples._ _Shown above: Screenshot from one of the emails._ **_The attachments_** The attachments were typical Word documents with malicious macros. They work similar to malicious macros seen in other malspam campaigns, using Powershell to retrieve a malware binary to infect a vulnerable Windows host. ----- _Shown above: One of the attached Word documents._ **_The traffic_** Infection traffic from Monday evening showed indicators of GlobeImposter ransomware. After the macro used Powershell to retrieve the ransomware binary from a server at 198.100.119.11, I saw an HTTP request to psoeiras.net for an IP address check. The URL [to psoeiras.net was similar to what I've documented before with GlobeImposter ransomware](https://www.malware-traffic-analysis.net/2017/12/21/index.html) infections. _Shown above: Traffic from an infection filtered in Wireshark on Monday evening (US time)._ When I checked again Tuesday morning, I saw the same URL to 198.100.119.11 for a ransomware binary However, this time, the follow-up HTTP request for the IP address check went to nomoreransom.coin, with follow-up DNS queries for nomoreransom.bit and **_[gandcrab.bit. These domains are typical for what I've previously documented with](https://isc.sans.edu/forums/diary/GandCrab+Ransomware+Now+Coming+From+Malspam/23321/)_** GandCrab ransomware. ----- _Shown above: Traffic from an infection filtered in Wireshark on Tuesday morning (US time)._ **_Forensics on an infected Windows host_** The GandCrab ransomware sample didn't encrypt any files on my lab host, but the GlobeImposter binary did. All files encrypted by the GlobeImposter sample used a .gif file extension. Previous samples of GlobeImposter I'd tested in December 2017 used **_Read__ME.html for the decryption instructions, but this 2018 sample used Read__ME.txt._** The GlobeImposter decryptor seen through my Tor browser had a visual upgrade with a nice background image, but it still had the same basic setup as before. _Shown above: Encrypted files on a Windows host infected with GlobeImposter._ ----- _Shown above: GlobeImposter decryption instructions._ ----- _Shown above: GlobeImposter decryptor viewed on a Tor browser._ The GlobeImposter infection stayed persistent on my infected lab host through the Windows registry. Like many malware samples I've seen, this one used the **_HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key. However, the_** binary used for persistence was not the same binary used during the initial infection. The persistent binary for this GlobeImposter infection was only 22,528 bytes. ----- _Shown above: Malware made persistent on my host infected with GlobeImposter._ **_Indicators_** See below for a list of URLs, domains, and file hashes associated with this malspam. SHA256 hashes for all attachments named " Resume.doc": 02d9a2643082ee6751472cfbe4760a3d9afb00a263c698eca3b748d012fcb66a 05ec663bd1c8521f48affc6dfebf0a6fe410711b70096b5c4be2bac37c7f262b 4027d8bad7ae8b5f2a88f414417ced73a50ee5fa0d60bf4d5395dc8953037b3c 43d2c9efb6cc5907f7c04c719e83c3404b629bbf849c83fb053b6f23ddf84d81 4b4ade15d6ed8eba53d1064170dee191e07da1baafeeecc3b8fdb4803a44a628 50994124ce7d6ebc5b59b29e4278eb78997726d8e6cb902a8ccc437e4fda1a6d 5490b18af502fa3a576ff5612eefff34dd75edd7bd567519f2b25da1d885de60 56e6c1521070d58e525bad12d222c04952676c4b0d77136c9720a3263f9c557f 6242c95fed475bc708c49b2bb7ad292f43d42fbcbd0b68502db01ea4a44ae656 63f070add2cd6b6a6c212c82f1003b35fd45c4ae8787a2da2ec9e16c5e16c0e5 ----- 69e706c4ddcd8ea4e9f0745e5bdcef760b0e553549bf26526ef51746244f292c 6a193b0362506748a165b320f72bcd2d149760d66f287bc2271f30328a11181e 72d18a2df77c75fc3949f34c37e0339039a211e2086fab5c92d2b41064fb5030 75e92c7e36ff1cac3cff5b11426916d64b7956022cb668f4f675f3f2fc0e7fe7 767b6094e57e940540192fceb1fe31c8311588d998d6f71a4099623fec0d5488 92e56ae3f7f014ae8f348e0dc6c2a68936dc878d56e4c9b777202a9000fd6899 9d41bb0167c7a19d69be0eb29920054e9b8cfa132a89129b31ecaa3338887e1d a77afbcc935a6c0290e0a290f10913f343be31d955ce7f2f2446e605a0d89165 a84730972266ee371c8a5b9906102842f9834b6bd36413f8e15808aa79d1c136 a96c1911b31beaa2d6fedc654fb568e0ee82160d439e4ac38d53c24a441b0436 b8ccfed35c590ab7bb1fd619eb085905515fde9c6dff7f592b391a516f8cc52a cb32fc84a036ab47b60569b3fdc718de9858555b349c90e188a8b7cd4602a264 ee6b7d944abaec4cb3bc2780489f81d337724164d76c2056d37cc225ea57a6d5 The following are malware samples retrieved from my infected lab hosts: SHA256 hash: [61bed70b1568fce8dc67c91bab1884027631bdf2c8b8ba63d54ce32d7e429a76](https://www.virustotal.com/en/file/61bed70b1568fce8dc67c91bab1884027631bdf2c8b8ba63d54ce32d7e429a76/analysis/) File size: 223,744 bytes File location: C:\Users\[username]\AppData\Local\Temp\41097.exe File description: GandCrab ransomware SHA256 hash: [d6535b7caf79cc9b624e5f8878aa1d8717bdd84778fde47caad4ed75e322ef97](https://www.virustotal.com/en/file/d6535b7caf79cc9b624e5f8878aa1d8717bdd84778fde47caad4ed75e322ef97/analysis/) File size: 867,840 bytes File location: C:\Users\[username]\AppData\Local\Temp\41097.exe File description: GlobeImposter ransomware SHA256 hash: [41056643ee135ac0fce3237d69b32370102887b22c0250e2e0b515b25f525183](https://www.virustotal.com/en/file/41056643ee135ac0fce3237d69b32370102887b22c0250e2e0b515b25f525183/analysis/) File size: 22,528 bytes File location: C:\Users\[username]\AppData\Roaming\Microsoft\wmon32.exe File description: Executable persistent for the GlobeImposter ransomware infection The following are URLs and domains associated with these infections: 198.100.119.11 port 80 - 198.100.119.11 - GET /d1.jpg?rnd=53171 (returned ransomware binaries) 74.220.219.67 port 80 - psoeiras.net - GET /count.php?nu=103 (IP address check from GlobeImposter) 66.171.248.178 port 80 - nomoreransom.coin - GET / (IP address check from GandCrab) **_nomoreransom.bit (domain associated with GandCrab)_** ----- **_gandcrab.bit (domain associated with GandCrab)_** **_hxxp://djfl3vltmo36vure.onion/sdlskglkehhr (GlobeImposter decryptor)_** **_Final words_** Although ransomware is down compared to last year, every once in a while we still see a wave of malspam like this, pushing recent ransomware families seen in prior massdistribution campaigns. So far in 2018, GlobeImposter and GandCrab are the only ones I've seen in mass-distribution malspam. However, these recent samples don't seem to be any more dangerous now than they were before. As always, properly-administered Windows hosts are unlikely to get infected. To infect their computers, users would have to ignore multiple warnings to retrieve and activate the malicious Word document, which includes bypassing Protected View. System administrators and the technically inclined can also implement best practices like Software Restriction Policies (SRP) or [AppLocker to prevent these types of infections.](https://technet.microsoft.com/en-us/library/dd759117(v=ws.11).aspx) [Pcap and malware samples for today's diary can be found here.](https://www.malware-traffic-analysis.net/2018/03/07/index.html) --Brad Duncan brad [at] malware-traffic-analysis.net Keywords: [0 comment(s)](https://isc.sans.edu/forums/diary/Ransomware+news+GlobeImposter+gets+a+facelift+GandCrab+is+still+out+there/23417/) Join us at SANS! Attend [with Brad Duncan in starting](https://isc.sans.edu/diary/23417) Top of page × [Diary Archives](https://isc.sans.edu/diaryarchive.html) -----