Spora Ransomware Dropper Uses HTA to Infect System

This past week, a new Ransomware variant called Spora was spotted in the wild. Currently, Spora only targets Russian-speaking users. What’s interesting about this Ransomware is that its payment site is so well designed, one could think they are running a legitimate business.

The dropper for Spora is basically an HTML application (.hta) that executes VBScript. This obscure file format is often not supported by sandboxes (see Figure 1).

An HTML application is not to be confused with a regular HTML website. The latter runs with minimal privileges. An HTML Application, on the other hand, can access the filesystem and execute arbitrary commands (among other risky things).

Spora Ransomware Dropper
Figure 1 – Spora Ransomware delivered via an HTML application (.hta)

We can see from this code that the HTA file is used to extract something else: a malicious JScript file, which does a bit of deobfuscation and AES decryption to get to the next payload. This second payload ends up dropping an executable file, which is the core of Spora. It also extracts and executes a Docx file, which appears to be corrupted (shown in Figure 2). This is probably done to make the user think the received document is broken (e.g. if Spora was sent via email disguised as a .doc file).

Spora Ransomware - Docx
Figure 2 – Spora executing a corrupted Docx file

This could also be used to stop execution until someone presses “OK” to avoid detection in a sandbox without user emulation. However, Spora does not appear to wait for user interaction, which is something often seen in other malicious files. Either way, our system knows what buttons to press to imitate the actions of a real user shown in Figure 3.

Spora Ransomware Dropper - Process Tree
Figure 3 – Spora Ransomware Process Tree

The process of extraction and execution is visible in a simplified fashion once the analysis is done. We can see in Figure 4, that Spora encrypts files on the system and finally asks for a ransom to restore the files.

Spora Ransomware Dropper - Payment Website
Figure 4 – Spora encrypts files and asks for ransom

Figure 5 illustrates our system detecting the encryption of local files and as a result generates a high VTI score to indicate malicious behavior.

Spora Ransomware VTI Score
Figure 5 – Spora Ransomware VTI Score 85/100

At the time of our analysis, only one Antivirus product found this file to be malicious. Figure 6 shows a 1/55 detection ration on VirusTotal:

Spora Ransomware Dropper - VirusTotal
Figure 6- Spora – VirusTotal Results

Access the Full Analysis Report