Spora Ransomware Dropper Uses HTA to Infect System

Jan 17th 2017

This past week, a new Ransomware variant called Spora was spotted in the wild. Currently, Spora only targets Russian-speaking users. What’s interesting about this Ransomware is that its payment site is so well designed, one could think they are running a legitimate business.
The dropper for Spora is basically an HTML application (.hta) that executes VBScript. This obscure file format is often not supported by sandboxes (see Figure 1).

An HTML application is not to be confused with a regular HTML website. The latter runs with minimal privileges. An HTML Application, on the other hand, can access the filesystem and execute arbitrary commands (among other risky things).

We can see from this code that the HTA file is used to extract something else: a malicious JScript file, which does a bit of deobfuscation and AES decryption to get to the next payload. This second payload ends up dropping an executable file, which is the core of Spora. It also extracts and executes a Docx file, which appears to be corrupted (shown in Figure 2). This is probably done to make the user think the received document is broken (e.g. if Spora was sent via email disguised as a .doc file).

This could also be used to stop execution until someone presses “OK” to avoid detection in a sandbox without user emulation. However, Spora does not appear to wait for user interaction, which is something often seen in other malicious files. Either way, our system knows what buttons to press to imitate the actions of a real user shown in Figure 3.

The process of extraction and execution is visible in a simplified fashion once the analysis is done. We can see in Figure 4, that Spora encrypts files on the system and finally asks for a ransom to restore the files.

Figure 5 illustrates our system detecting the encryption of local files and as a result generates a high VTI score to indicate malicious behavior.

At the time of our analysis, only one Antivirus product found this file to be malicious. Figure 6 shows a 1/55 detection ration on VirusTotal: