Skip to content ↓ | Skip to navigation ↓

A malspam campaign is leveraging malicious Word document macros and .js files to infect Windows users with Sage 2.0 ransomware.

On 20 January, SANS Internet Storm Center handler Brad Duncan looked into a malspam campaign that’s known to drop Cerber ransomware onto victims’ machines. This campaign sends out emails without any subject lines. The only thing they come with is a double-zipped email attachment that contains a recipient’s name in its file name.

Data from a spreadsheet tracking the malspam. (Source: SANS ISC)

Unzipping those attachments twice produces either a .js file or a Microsoft Office document containing malicious macros. Both are designed to infect a recipient with ransomware.

In the event the campaign drops Sage 2.0, the ransomware waits until a user clicks “yes” on a UAC window displayed by the infected Windows host. It then begins to encrypt the computer’s files, appending “.sage” to each affected file’s name before changing the desktop image to its decryption note. This message contains instructions that lead a user to a Tor payment site where they are asked to hand over 2.22188 (2,000 USD) for the decryption key.

The Sage 2.0 decryptor. (Source: SANS ISC)

But Sage 2.0 does more than just encrypt a user’s files. It also generates post-infection callback traffic. As Duncan explains in a blog post:

“When the callback domains for Sage didn’t resolve in DNS, the infected host sent UDP packets sent to over 7,000 IP addresses. I think this could be UDP-based peer-to-peer (P2P) traffic, and it appears to be somehow encoded or encrypted.”

The ransomware is a variant of CryLocker, which means it most likely focuses on collecting and transmitting the infected host’s Windows version, user name, type of CPU installed, and Windows bit-type.

UDP traffic caused by Sage 2.0 when callback domains were unavailable. (Source: SANS ISC)

Sage 2.0’s emergence illustrates just how rapidly the ransomware field continues to expand. Given this ongoing trend, it’s important that users work to prevent a ransomware infection by updating their systems regularly, maintaining an anti-virus solution on their computers, avoiding suspicious links and email attachments, and disabling Microsoft Office macros by default. They should also back up their data to be on the safe side.