The Zepto ransomware was once again spotted, this time in a new version, Netskope Threat Research Labs reported.
As before, users receive spam emails with eye catching titles and messages to mislead them into reading and downloading the infected files. The extension the files use is Windows Script File (.wsf) so Windows would create a desktop icon similar to a spreadsheet icon. It is even named spreadsheet_286..wsf which can trick even the most cautious user into thinking that the attachment is legitimate. Then different cloud applications such as Microsoft OneDrive, Google Drive, Box, Dropbox, etc. spread the file among their users.
“We have observed sharing and collaboration in cloud apps to represent an often ill-considered secondary propagation vector for malware.” Netskope Threat researchers said.
When the file is uploded in the cloud application, it could be easily mistaken as legitimate and executed within the protected domain.
As said, Zepto uses the “.wsf” extension as opposed to regular JavaScript files. When being executed by Microsoft Windows Script Host the two scripting languages Jscript and VBScript merge into one file. This mixing of languages allows the attacker to avoid detection engines depending on emulation of one language.
A zip file shared on Microsoft OneDrive was detected by Netskope Active Threat Protection. It contained a malicious script file with the .wsf extension with two “.”s in the name. It was very obfuscated and started with tag. Even when de-obfuscated the script is still encoded using string substitution encoding in which the strings are split into multiple variables in order to make the manual more difficult to analyse. These variables can be echoed by “WScript.Echo()” to help understand the behavior of the script. Once we echo them we can expose the script`s purpose.
First, it downloads the main Zepto payload in encrypted format and then uses a code to decrypt it. The script will safe a folder named “HRKFnZpT.exe” for later execution.
Similar to the way Locky ransomware operates, Zepto will only execute its payload if the correct parameter “321” is supplied. In this case it did not execute under VMware even after correct parameter was supplied which may mean that there are anti-VM checks in the binary. Once the anti-VM checks are out of its way the payload executes itself and sends the collected information to the attacker.
After the Zepto`s server receive the information, it will send back the RSA key needed for encryption. The encrypted files will be with a “.zepto” extension and will also include the victim ID. These two files will appear on the desktop “_HELP_instructions.bmp” and “_HELP_instructions.html” as well as a ransom warning wallpaper.
