RAA, a ransomware discovered last June and found to incorporate the information-stealing trojan Pony, has evolved to more effectively target companies, encrypting victims' files and also stealing their data, most likely to infect their clients and business contacts as well, via spear phishing.
According to a Kaspersky Lab blog post via Securelist, the new variant, dubbed Trojan-Ransom.JS.RaaCrypt.ag, comes with several key new capabilities: it now arrives hidden in a password-protected zip archive attachment, and it can now perform offline encryption without having to request a key from the command-and-control server. Also, while its predecessor was written in Javascript, RAA #2 is coded in the similar JScript.
Kaspersky Lab first detected the variant in August 2016. “We found it when monitoring attachments to spam emails being distributed in the wild,” said Fedor Sinitsyn, Kaspersky senior malware analyst, in an email interview with SCMagazine.com.
Specifically targeting Russian-speaking countries, the spam emails containing RAA #2 are clearly directed at corporate employees, with a message that attempts to fool the recipient into thinking they are past due on a payment and may be subject to litigation. The message also claims that internal security regulations require the recipient to enter the password 111 in order to open the attached file.
“It should be noted that sending malicious content in a password-protected archive is a well-known trick used by cybercriminals to prevent anti-malware systems installed on mail servers from unpacking the archive and detecting any malicious content. To unpack an archive like this, the anti-malware product must automatically retrieve the password from the message, which isn't always possible,” explains the Kaspersky blog post, co-written by Sinitsyn and malware analyst Orkhan Mamedov.
Once installed, Trojan-Ransom.JS.RaaCrypt.ag operates much like the original version, opening an RTF file that poses as a Microsoft Word document in order to distract users while their files are encrypted. The encryption process itself, however, is quite different from before because RAA generates its own encryption key on the client rather than waiting to receive one from its C&C server.
While the original RAA ransomware sample asked for $250 in bitcoins, this version's ransom note didn't make a specific demand. “It only gave ways to contact the criminals via email or Bitmessage, and we didn't contact them to find out the sum,” said Sinitsyn. The note itself is written in perfect Russian, said Sinitsyn, and warns victims that their files are encrypted by the algorithm AES, which is used “to protect the state secret.”
Meanwhile, the Pony component of the malware, which resides as an executable inside of RAA's code, exfiltrates the infected machine's confidential data. “Using the stolen data, the cybercriminals can gain access to the victim's mail clients and other resources. We can assume that the owners of RAA use these resources to carry out targeted attacks – sending out emails with the cryptor malware to the addresses on the victim's contact list. This substantially improves the probability of subsequent infections,” the blog post explains.
