{"id":2799,"date":"2024-09-25T20:04:58","date_gmt":"2024-09-25T20:04:58","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2799"},"modified":"2025-07-29T06:40:08","modified_gmt":"2025-07-29T06:40:08","slug":"spider-ransomware-dusts-itself-off-and-continues-crawling","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/spider-ransomware-dusts-itself-off-and-continues-crawling\/","title":{"rendered":"Spider ransomware dusts itself off and continues crawling"},"content":{"rendered":"
\n
\"Spider<\/figure>\n<\/div>\n\n\n

After gaining headlines in December last year<\/a>, File Spider ransomware has returned to ring in the New Year with updated file hashes. As per last year\u2019s campaign, Balkan countries are the primary target with people in Bosnia and Herzegovina, Serbia, and Croatia the main victims.  <\/p>\n\n\n\n

Spam emails containing macro-enabled malicious Word documents are still the delivery method of choice, and upon successful infection File Spider gives victims 96 hours to pay the ransom before files are permanently deleted.<\/p>\n\n\n\n

Overview<\/strong><\/p>\n\n\n\n

Victims are sent an email masquerading as a debt collection notice. An attached document contains malicious macros which, once enabled, starts downloading the ransomware executables from a remote site.<\/p>\n\n\n\n

The macro contains Base64 encoded PowerShell script that when executed will download XOR encrypted files called \u201cenc.exe\u201d and \u201cdec.exe\u201d. <\/p>\n\n\n\n

Dec.exe is the decryptor and GUI for the ransomware. It quietly runs in the background until enc.exe, which is the encryptor, scans the local drivers and encrypts any files which match targeted extensions with AES-128-bit encryption.<\/p>\n\n\n\n

The URLs used to download the files are the same as December\u2019s campaign:<\/p>\n\n\n\n

\u2022    hxxp:\/\/yourjavascript[.]com\/5118631477\/javascript-dec-2-25-2.js

\u2022    hxxp:\/\/yourjavascript[.]com\/53103201277\/javascript-enc-1-0-9.js <\/p>\n\n\n\n

As mentioned earlier, the ransomware\u2019s file hashes have been updated for the New Year campaign. We believe the attackers have done so to evade detection as the December 2017 File Spider campaign gained significant media <\/a>coverage<\/a>.<\/p>\n\n\n\n

New hashes:<\/p>\n\n\n\n

\u2022    dec.exe: fdd465863a4c44aa678554332d20aee3

\u2022    enc.exe: 67d5abda3be629b820341d1baad668e3<\/p>\n\n\n\n

Old hashes:<\/p>\n\n\n\n

\u2022    dec.exe: 74e5096f09a031800216640a8455bc487e9a32b2e56fbad9d083c3810ed5488e

\u2022    enc.exe: 6500a1baa13e0698e3ed41b4465e5824e9a316b22209223754f0ab04a6e1b853<\/p>\n\n\n\n

This ransomware also has some unique features. It encrypts files in the victim’s PC but does not harm it, which means multiple anti-virus software are unable to detect it. It also remains present in the target system even after removal.<\/p>\n\n\n\n

File Details<\/strong>

 <\/p>\n\n\n\n

File Type <\/strong><\/td>Macro document (.docm) file<\/td><\/tr>
Md5 hash<\/strong> <\/td>de7b31517d5963aefe70860d83ce83b9<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Static Analysis<\/strong>

On analyzing the malicious document\u2019s macro code, it was found the document executes \u201cpowershell.exe\u201d and checks for the \u201cApplicationData\u201d folder as shown below:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

It then attempts to use a web client to download a file from the following URL:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

File Spider then drops \u201cenc.exe\u201d and \u201cdec.exe\u201d from the URLs mentioned above:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

These two files perform successful ransomware activities on the victim\u2019s PC using the following codes:\u00a0 \u00a0 <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

\u00a0Dynamic Analysis<\/strong>

Our first step in dynamic analysis was to enable the macro content in a dedicated malware analysis environment:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n



We then observed its activities:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The sample initiates the \u201cpowershell.exe\u201d process which tries to establish a connection to the IP address \u201c80.241.212.33\u201d, as shown:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

The JavaScript file for dec.exe is then downloaded and executed:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Once complete, enc.exe starts executing at the back-end and file encryption begins:
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

The end result of this process is that all user\u2019s file are encrypted with the .spider extension. Below is the ransom message the user sees on their machine:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

After successful infection and encryption, the following files are dropped on the victim\u2019s machine:

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Roaming\\Spider\\5p1d3r

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Roaming\\Spider\\dec.exe

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Roaming\\Spider\\files.txt

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Roaming\\Spider\\id.txt

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Roaming\\Spider\\run.bat

Below is the entry made in the windows registry during the infection process:

\u201cHKU\\S-1-5-21-1473857359-2239192248-2645835995-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Starter: “C:\\Users\\<user-name>\\AppData\\Roaming\\Spider\\dec.exe startup”

Indicators of Compromise<\/strong><\/p>\n\n\n\n

Original malicious document<\/td>de7b31517d5963aefe70860d83ce83b9<\/td><\/tr>
dec.exe<\/td>fdd465863a4c44aa678554332d20aee3<\/td><\/tr>
enc.exe<\/td>67d5abda3be629b820341d1baad668e3<\/td><\/tr>
CnCs<\/td>\u2022    hxxp:\/\/spiderwjzbmsmu7y[.]onion
\u2022    hxxps:\/\/vid[.]me\/embedded\/CGyDc?autoplay=1&stats=1
\u2022    hxxp:\/\/yourjavascript[.]com\/5118631477\/javascript-dec-2-25-2.js
\u2022    hxxp:\/\/yourjavascript[.]com\/53103201277\/javascript-enc-1-0-9.js 
\u2022    80.241.212.33
\u2022    80.241.212.33<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Mitigation<\/strong>

\u2022    Enable mailing system restrictions by blacklisting files with the extensions .js, .vbs, .docm, .hta, .exe, .cmd, .scr, and .bat

\u2022    Rename the process \u201cvssadmin.exe” so that the ransomware does not destroy volume shadow copies

\u2022    Keep firewalls on and active

\u2022    Perform regular file backups by creating and maintaining different restore points. This will allow you to revert back at any point of time

\u2022    Do not open attachments from suspicious or unknown senders

 <\/p>\n","protected":false},"excerpt":{"rendered":"

After gaining headlines in December last year, File Spider ransomware has returned to ring in the New Year with updated file hashes. As per last year’s campaign, Balkan countries are the primary target with people in Bosnia and Herzegovina, Serbia, and Croatia the main victims.   Spam emails containing macro-enabled malicious Word documents are still […]<\/p>\n","protected":false},"author":1,"featured_media":2829,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2799","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2799","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2799"}],"version-history":[{"count":5,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2799\/revisions"}],"predecessor-version":[{"id":4314,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2799\/revisions\/4314"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2829"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2799"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2799"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2799"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}