Hermes Ransomware Distributed Through Malicious Office Documents Embedded Flash Exploit

After the public announcement of flash vulnerability CVE-2018-4878 massive malspam campaigns pumped up with malicious word documents that contain flash exploit and deliver Hermes ransomware.

With this campaign, attackers distributed Hermes ransomware through malicious Office documents embedded with the flash exploit and attacks targetted on South Korean users.

Security researchers from Malwarebytes spotted the campaign and according to their analysis, the first attacks have happened through a compromised Korean website.

Hermes Ransomware Analysis

Unlike other ransomware Hermes ransomware is not stealthy, once ransomware enters into the system it copies itself to the temp folder %TEMP% in name svchosta.exe and it delete’s the initial sample.

Malware Author’s forces the users into accepting the batch script by deploying it in a continuous loop. The batch script looks for the possible backup’s in the system, even if the batch script not executed the main module continues with encryption.

Before starting the encryption process it checks whether the file is already encrypted or not by checking the “HERMES” marker in the file and each file is encrypted with a new key.

Also Read Hacking vs Spying: How puzzling it is to Find the Hackers in Cyber World

Files encrypted via RSA public key and once encryption completed ransom note pops up. Like other ransomware, it used symmetric algorithm AES to encrypt files and RSA to protect AES key. Malwarebytes published an analysis report.

Researchers said “Encrypted files don’t have their names changed. Each file is encrypted with a new key—the same plaintext produces various ciphertext. The entropy of the encrypted file is high, and no patterns are visible. Below, you can see a visualization of a BMP file before and after being encrypted by Hermes”.

Attackers targetted the following File extensions

tif php 1cd 7z cd 1cd dbf ai arw txt doc docm docx zip rar xlsx xls xlsb xlsm
 jpg jpe jpeg bmp db eql sql adp mdf frm mdb odb odm odp ods dbc frx db2 dbs
 pds pdt pdf dt cf cfu mxl epf kdbx erf vrp grs geo st pff mft efd 3dm 3ds 
rib ma max lwo lws m3d mb obj x x3d c4d fbx dgn dwg 4db 4dl 4mp abs adn a3d
 aft ahd alf ask awdb azz bdb bib bnd bok btr bak cdb ckp clkw cma crd dad daf
 db3 dbk dbt dbv dbx dcb dct dcx ddl df1 dmo dnc dp1 dqy dsk dsn dta dtsx dxl
 eco ecx edb emd fcd fic fid fil fm5 fol fp3 fp4 fp5 fp7 fpt fzb fzv gdb gwi 
hdb his ib idc ihx itdb itw jtx kdb lgc maq mdn mdt mrg mud mwb s3m myd ndf 
ns2 ns3 ns4 nsf nv2 nyf oce oqy ora orx owc owg oyx p96 p97 pan pdb pdm phm 
pnz pth pwa qpx qry qvd rctd rdb rpd rsd sbf sdb sdf spq sqb stp str tcx tdt 
te tmd trm udb usr v12 vdb vpd wdb wmdb xdb xld xlgc zdb zdc cdr cdr3 ppt 
pptx abw act aim ans apt asc ase aty awp awt aww bad bbs bdp bdr bean bna 
boc btd cnm crwl cyi dca dgs diz dne docz dot dotm dotx dsv dvi dx eio eit 
emlx epp err etf etx euc faq fb2 fbl fcf fdf fdr fds fdt fdx fdxt fes fft 
flr fodt gtp frt fwdn fxc gdoc gio gpn gsd gthr gv hbk hht hs htc hwp hz 
idx iil ipf jis joe jp1 jrtf kes klg knt kon kwd lbt lis lit lnt lp2 lrc 
lst ltr ltx lue luf lwp lyt lyx man map mbox me mell min mnt msg mwp nfo 
njx now nzb ocr odo odt ofl oft ort ott p7s pfs pfx pjt prt psw pu pvj pvm 
pwi pwr qdl rad rft ris rng rpt rst rt rtd rtf rtx run rzk rzn saf sam scc 
scm sct scw sdm sdoc sdw sgm sig sla sls smf sms ssa stw sty sub sxg sxw 
tab tdf tex text thp tlb tm tmv tmx tpc tvj u3d u3i unx uof uot upd utf8 
utxt vct vnt vw wbk wcf wgz wn wp wp4 wp5 wp6 wp7 wpa wpd wpl wps wpt wpw 
wri wsc wsd wsh wtx xdl xlf xps xwp xy3 xyp xyw ybk yml zabw zw abm afx agif 
agp aic albm apd apm apng aps apx art asw bay bm2 bmx brk brn brt bss bti c4 
cal cals can cd5 cdc cdg cimg cin cit colz cpc cpd cpg cps cpx cr2 ct dc2 dcr 
dds dgt dib djv djvu dm3 dmi vue dpx wire drz dt2 dtw dvl ecw eip exr fal fax 
fpos fpx g3 gcdp gfb gfie ggr gif gih gim spr scad gpd gro grob hdp hdr hpi 
i3d icn icon icpr iiq info ipx itc2 iwi j j2c j2k jas jb2 jbig jbmp jbr jfif 
jia jng jp2 jpg2 jps jpx jtf jwl jxr kdc kdi kdk kic kpg lbm ljp mac mbm mef 
mnr mos mpf mpo mrxs myl ncr nct nlm nrw oc3 oc4 oc5 oci omf oplc af2 af3 asy 
cdmm cdmt cdmz cdt cgm cmx cnv csy cv5 cvg cvi cvs cvx cwt cxf dcs ded dhs dpp 
drw dxb dxf egc emf ep eps epsf fh10 fh11 fh3 fh4 fh5 fh6 fh7 fh8 fif fig fmv 
ft10 ft11 ft7 ft8 ft9 ftn fxg gem glox hpg hpgl hpl idea igt igx imd ink lmk 
mgcb mgmf mgmt mt9 mgmx mgtx mmat mat otg ovp ovr pcs pfv pl plt vrml pobj psid 
rdl scv sk1 sk2 ssk stn svf svgz sxd tlc tne ufr vbr vec vml vsd vsdm vsdx vstm 
stm vstx wpg vsm xar yal orf ota oti ozb ozj ozt pal pano pap pbm pc1 pc2 pc3 
pcd pdd pe4 pef pfi pgf pgm pi1 pi2 pi3 pic pict pix pjpg pm pmg pni pnm pntg 
pop pp4 pp5 ppm prw psdx pse psp ptg ptx pvr px pxr pz3 pza pzp pzs z3d qmg 
ras rcu rgb rgf ric riff rix rle rli rpf rri rs rsb rsr rw2 rwl s2mv sci 
sep sfc sfw skm sld sob spa spe sph spj spp sr2 srw ste sumo sva save ssfn 
t2b tb0 tbn tfc tg4 thm tjp tm2 tn tpi ufo uga vda vff vpe vst wb1 wbc wbd 
wbm wbmp wbz wdp webp wpb wpe wvl x3f y ysp zif cdr4 cdr6 cdrw ddoc css pptm 
raw cpt pcx pdn png psd tga tiff tif xpm ps sai wmf ani flc fb3 fli mng smil 
svg mobi swf html csv xhtm dat

The attack vector targetted only down to South Korea, but Hermes is a fully functional malware and real motivation of attackers is not identified.