Ransomware .3v3ris IEncrypt

Fabian Sequeira
Nov 6 · 2 min read

On Monday, November 4, 2019, several Spanish companies suffered a security incident, including Everis. Beyond the event itself, this is a short analysis of the different reports and comments on the impact they suffered from this type of ransomware, IEncrypt.

1. Indicators of compromise

The threat phases are:
1. An Everis user accessed a compromised website whose source code had been modified to show a fake browser update and download a file.
2. The file is JavaScript (JS) code which infects the device with command-and-control (C&C) malware categorized as “EMOTET”. This JavaScript creates additional exe files.
3. Once the attackers control the infected device, they install a PowerShell post-exploitation framework called Empire. With the Empire framework on the infected device, the attacker enumerates the network and gets credentials from the infected device's cache. With these, Empire installations are then seen on different hosts and servers.
4. Attackers distribute a ransomware family called “BitPaymer/IEncrypt” to Everis devices through the compromised hosts and servers.

1.1.1 Compromised website

The compromised website's source code was modified to simulate a fake browser update.

URL: hxxps://esancendoc[.]esan[.]edu[.]pe/ — Compromised website

1.1.2 Malicious file

The compromised website serves a JS file, “Chrome.Update.3f61f4.js”. The JS script is a dropper which downloads “crhome.update.3f61f4.exe”, categorized as EMOTET. An additional exe file, “d0409052256c6efc85b155f58cc03f70.exe”, is created and executed.

[Figure: file encrypted]

Indicators of Compromise

Chrome.Update.3f61f4.js

MD5: a9db3444e9c50da5ce6845ccc116255c
MD5: c1a5725f45e6a35bd82852210e29f941

URL to download the malware

URL: hxxps://click[.]clickanalytics208[.]com/s_code[.]js?cid=240&v=73a55f6de3dee2a751c3

EMOTET — crhome.update.3f61f4.exe

SHA256: 628c181e6b9797d8356e43066ae182a45e6c37dbee28d9093df8f0825c342d4c

IP: 195.123.213.19
Port: 443

EMOTET — d0409052256c6efc85b155f58cc03f70.exe

SHA256: 1d778359ab155cb190b9f2a7086c3bcb4082aa195ff8f754dae2d665fd20aa05

1.1.3 Lateral movement

Lateral movement is performed by the attacker through the PowerShell post-exploitation framework called Empire. Lateral movement was carried out with the Sysinternals PsExec service binary “psexesvc.exe”.

Indicators of Compromise

Empire Framework

IP: 185.92.74.215
Port: 443

1.1.4 Infection

Malware is distributed from compromised assets to affected endpoints.

Indicators of Compromise

BitPaymer/IEncrypt

SHA256: bd327754f879ff15b48fc86c741c4f546b9bbae5c1a5ac4c095df05df696ec4f — evrs.exe


Additional Data

http://109[.]176.117.11/362611986ed4/page
http://109[.]176.117.11:8000/
http://109[.]176.117.11:8080/362611986ed4/page
http://5[.]100.251.106:52057
http://5[.]100.251.106:443/64.exe

5[.]100.251.106
109[.]176.117.11

E-mail addresses for response

sydney.wiley[@]protonmail.com
evangelina.mathews[@]tutanota.com
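The indicators listed above, turned into a small scanner over constructed proxy, EDR and firewall log lines, as an added example that is not part of the original post: the indicator values are copied from the post as-is (defanged), while the log formats, hostnames and internal addresses are assumptions.

```python
"""Scan log lines for the IEncrypt indicators listed in this post (added example,
not part of the original post: indicator values are copied from the post as-is,
the log lines and their formats are constructed)."""
import re

# Indicators copied from the post, in their defanged form, with the phase they mark.
IOCS = {
    "hxxps://esancendoc[.]esan[.]edu[.]pe/": "compromised website (fake browser update)",
    "hxxps://click[.]clickanalytics208[.]com/s_code[.]js?cid=240&v=73a55f6de3dee2a751c3": "JS dropper download",
    "a9db3444e9c50da5ce6845ccc116255c": "Chrome.Update.3f61f4.js (MD5)",
    "c1a5725f45e6a35bd82852210e29f941": "Chrome.Update.3f61f4.js (MD5)",
    "628c181e6b9797d8356e43066ae182a45e6c37dbee28d9093df8f0825c342d4c": "EMOTET crhome.update.3f61f4.exe (SHA256)",
    "1d778359ab155cb190b9f2a7086c3bcb4082aa195ff8f754dae2d665fd20aa05": "EMOTET dropped exe (SHA256)",
    "195.123.213.19": "EMOTET C&C (443)",
    "185.92.74.215": "Empire C&C (443)",
    "bd327754f879ff15b48fc86c741c4f546b9bbae5c1a5ac4c095df05df696ec4f": "BitPaymer/IEncrypt evrs.exe (SHA256)",
    "109[.]176.117.11": "BitPaymer/IEncrypt infrastructure",
    "5[.]100.251.106": "BitPaymer/IEncrypt infrastructure",
}

def refang(ioc: str) -> str:
    """Undo the hxxp / [.] / [@] defanging so the indicator matches raw log text."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[@]", "@").lower()

def _pattern(ioc: str) -> re.Pattern:
    # Whole-token match: 5.100.251.106 must not fire on 15.100.251.106 or 5.100.251.1060.
    return re.compile(r"(?<!\w)(?<!\d\.)" + re.escape(refang(ioc)) + r"(?!\w|\.\d)")

_COMPILED = [(_pattern(ioc), ioc, phase) for ioc, phase in IOCS.items()]

def scan(lines):
    """Return (line_number, indicator, phase) for every indicator seen in the lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        text = line.lower()
        hits.extend((number, ioc, phase) for rx, ioc, phase in _COMPILED if rx.search(text))
    return hits

# Constructed sample lines (proxy, EDR, firewall); hosts and 10.x addresses are made up.
SAMPLE_LOGS = [
    "2019-11-04T09:12:03Z proxy user=jdoe GET https://esancendoc.esan.edu.pe/ 200",
    "2019-11-04T09:12:07Z proxy user=jdoe GET https://click.clickanalytics208.com/s_code.js?cid=240&v=73a55f6de3dee2a751c3 200",
    "2019-11-04T09:13:40Z edr host=WS-17 proc=crhome.update.3f61f4.exe sha256=628c181e6b9797d8356e43066ae182a45e6c37dbee28d9093df8f0825c342d4c",
    "2019-11-04T09:14:02Z fw src=10.0.5.23 dst=195.123.213.19:443 action=allow",
    "2019-11-04T11:30:15Z fw src=10.0.5.23 dst=185.92.74.215:443 action=allow",
    "2019-11-04T11:31:00Z fw src=10.0.5.23 dst=198.51.100.7:443 action=allow",
    "2019-11-04T13:02:44Z edr host=SRV-03 proc=evrs.exe sha256=bd327754f879ff15b48fc86c741c4f546b9bbae5c1a5ac4c095df05df696ec4f",
    "2019-11-04T13:05:10Z fw src=10.0.7.9 dst=5.100.251.106:52057 action=allow",
]
```

Calling `scan(SAMPLE_LOGS)` returns seven hits, one for every sample line except the benign firewall entry, each tagged with the phase of the chain it belongs to. Real proxy, EDR or firewall exports can be fed in place of the constructed list.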
