The new Spora ransomware strain has now been dissected by more malware researchers and the team from G Data discovered that Spora uses an "innovative" way to spread itself via USB sticks. This strain is highly sophisticated and could become the "New Locky".
Spora has well-implemented encryption procedures that do not need a Command & Control server, a user-friendly payment site, choice of different “packages” that victims can opt for including immunity from future attacks, and Ransomware-as-a-Service capability.
Infection vector is email attachment with HTA file
Spora uses an HTA file with obfuscated VBScript code, and arrives in an email attachment with a ZIP file. Once the user falls for the social engineering tactic and double-clicks the ZIP, the HTA file writes a JScript file called close.js to disk and executes it.
The JScript file in turn is a dropper for a Word document and an .exe file, both of which are written to disk and opened by close.js. The document is opened by Word or WordPad, but an error message is shown because the file is corrupt. Meanwhile back at the ranch, the .exe that was run has a seemingly random name hardcoded by the dropper and contains the actual payload.
Spora Exhibits Worm-like Behavior Using .LNK files
Ransomware that behaves like a worm has been spotted before with the ZCryptor strain, which uses the old autorun.inf, but Spora goes further than that, borrowing a newer technique from other malware that uses Windows shortcuts (.LNK files) instead. Spora sets the hidden attribute on files and folders on the desktop, in the root of USB drives and on the system drive.
With the standard folder options, these hidden files and folders are no longer visible. Spora then creates Windows shortcuts with the same name and icon as the hidden files and folders. Those .LNK files open the original file to avoid raising any suspicion, but at the same time execute the malware, and the worm copies itself as a hidden file alongside the .LNK files.
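The shortcut layout described above gives defenders something concrete to check for: a .LNK file sitting beside a hidden file or folder that carries the same base name. The following Python script is an added example, not code from the G Data write-up or from this post; it flags such pairs in a directory listing. SAMPLE_DESKTOP is a constructed listing, and the hidden-attribute check (st_file_attributes) only works on Windows.

```python
import os
import stat
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Entry:
    """One directory entry: name, Windows hidden-attribute state, directory flag."""
    name: str
    hidden: bool
    is_dir: bool

def find_lnk_masquerades(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (shortcut, hidden_twin) pairs: a .lnk whose base name matches a
    hidden file or folder in the same directory, the layout Spora's worm leaves."""
    # Windows file names are case-insensitive, so compare lower-cased names.
    hidden_by_name = {e.name.lower(): e.name for e in entries if e.hidden}
    hits = []
    for e in entries:
        if e.is_dir or not e.name.lower().endswith(".lnk"):
            continue
        base = e.name[:-4].lower()          # strip the ".lnk" suffix
        if base in hidden_by_name:
            hits.append((e.name, hidden_by_name[base]))
    return hits

def list_entries(directory: str) -> List[Entry]:
    """Read a real directory. st_file_attributes exists only on Windows;
    elsewhere attrs is 0 and nothing is reported as hidden."""
    out = []
    with os.scandir(directory) as it:
        for d in it:
            attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
            out.append(Entry(d.name, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
                             d.is_dir(follow_symlinks=False)))
    return out

# Constructed sample desktop listing (not from a real infection): two hidden
# originals shadowed by same-named shortcuts, plus benign entries.
SAMPLE_DESKTOP = [
    Entry("Documents", hidden=True, is_dir=True),
    Entry("Documents.lnk", hidden=False, is_dir=False),
    Entry("budget.xlsx", hidden=True, is_dir=False),
    Entry("budget.xlsx.lnk", hidden=False, is_dir=False),
    Entry("Chrome.lnk", hidden=False, is_dir=False),   # ordinary shortcut, no hidden twin
    Entry("desktop.ini", hidden=True, is_dir=False),   # legitimately hidden, no .lnk twin
]

if __name__ == "__main__":
    import sys
    entries = list_entries(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DESKTOP
    for lnk, twin in find_lnk_masquerades(entries):
        print(f"suspicious: {lnk} shadows hidden {twin}")
```

Run it with a path (for example the root of a USB drive) to scan a real directory; without arguments it runs against the constructed sample.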
Spora ransomware goes global
Data gathered by the ID-Ransomware service shows what was expected; Spora has started to spread to new territories outside former Soviet states. It was first spotted in the wild during the first week of the year, and its first version featured a ransom note only in Russian, meaning its distributors were only targeting territories with Russian-speaking users.
Last week, things changed, when Spora was identified in multiple ransomware distribution campaigns. ID-Ransomware started registering uploads of Spora-encrypted files from users outside the former Soviet territory. Countries like Saudi Arabia, Austria, or the Netherlands became hotspots of Spora infections. Treat this like a heads-up, America will follow shortly. Here is a current heatmap:
Spora now spreads via exploit kits and spam waves
A new development is that security researchers Brad Duncan and Malware Breakdown have now spotted RIG-v exploit kits spreading Spora, and it's only the start of things.
MalwareHunterTeam is keeping an eye on a malware distribution server that had been used to host multiple ransomware strains in the past few days, such as Cerber, Locky and Spora. This server had been used combined with spam floods, not exploit kits, which shows two different Spora distribution methods being used at the same time. Users would receive emails with malicious attachments that contained code that downloaded the Spora binary from the distribution server.
Spora includes support for a "campaign ID," a parameter used to track both the effectiveness of different spam runs and the different groups renting Spora from its creators. The jury is out on whether Spora has been made available as a Ransomware-as-a-Service offering, but what is sure is that this malware has now become a global threat.
Anyone bringing a USB stick to the office is now a possible ransomware infection vector.
Simply navigating through the folders on your system or desktop using double-click will execute the worm. Using this strategy, it will not only spread to USB thumb drives, it will also encrypt newly created files on the system. Anyone getting infected at home with Spora and bringing their USB sticks to the office is now an infection vector.
The GData team noted that Spora deletes shadow volume copies and disables Windows error recovery and startup repair, but does not bypass User Account Control (UAC) yet, meaning at this point the user will be asked whether the malware is allowed to make changes. Wait for that to be fixed in a coming release.