Teacher

Employer21: Targeting Teachers with Ransomware Disguised as Class Assignments

Proofpoint researchers have recently observed a highly customized and narrowly targeted campaign sent to recipients in the Education industry. The messages pose as a parent or guardian submitting an assignment on a student’s behalf, claiming that the student has encountered technical issues when trying to submit the assignment themselves. Masquerading as the assignment is an attached malicious document that leads to download of a custom ransomware payload. These messages seek to take advantage of widespread technology issues facing students, their families, and educators. 

Delivery 

On October 1 and 2, 2020 Proofpoint researchers observed a narrowly targeted email campaign with subjects such as “Son's Assignment Upload”, “Assignment Upload Failure for [Name]” or “[Name]'s Assignment Upload Failed”. The emails attempted to deliver a zipped document such as "steph-assignment.docx" inside a zip file "steph-assignment.zip ". This campaign attempted to lure in victims with a plea from a parent to a teacher to accept an assignment submission over email, because the child failed to submit it the “usual way”. The targets of this campaign were individual teachers, their email addresses likely pulled from public pages of a school website. 

Email Sample

Figure 1: Email sample 

Document Analysis 

The malicious document appears to be custom created by the actor. It uses external relationships (Remote Template injection) to download another malicious macro-laden document. When macros are enabled by the user, the malware executables are then downloaded. The executables are hosted on notabug.org, a free code hosting service that we have not previously observed abused in this way. Additionally, the macro abuses a free web bug service, Canarytokens, that notifies the attacker via email or SMS whether the downloaded executable is started successfully or not, by creating a network connection to one of two Canarytoken URLs. 

Document Lure

Figure 2: Document lure is a generic request to enable editing and then to enable macros 

Snippet of code

Figure 3: Snippet of code from the macro that shows the code responsible for downloading one of the two malware executables from notabug.org, as well as code that creates network connections to the web bug URLs hosted on canarytokens.com 

Payload Analysis: “cryptme” Ransomware 

While we did not perform deep analysis on this malware, it appears to be a custom and relatively simplistic ransomware written in the Go programming language. The document macro downloads two executables and saves them as “ctool.exe” and “etool.exe”. One of the executables is a wrapper for starting the other. The ransomware encrypts files and adds “.encrypted” as an extension. 

Strings left in the malware, specifically the user directory string “/home/yakubets/DEVIANO/windows/cryptme.go”, point to a potential internal malware name being “cryptme”. The ransomware also contains strings that reference burning. Specifically, one of the function names is “main.burner” and a string “HE IS BURNING TO DEATH, CALL AN AMBULANCE!” also caught our attention.  

Ransome Note

Figure 4: Ransom note file is placed on the Desktop inside file “About_Your_Files.txt”

Dialog

Figure 5: A dialog that appears after running one of the malware executables. Here the actor refers to themselves as “employer21”, hence we called this campaign “employer21”  

Note: We did not see any payments posted to the Bitcoin address from the ransom note. 

Conclusion 

Students and school systems have faced unique problems in 2020, and these messages take advantage of widespread technological difficulties accompanying online learning. The messages are well crafted with a clear understanding of what would appeal to recipients, though as of this writing, Proofpoint researchers have not observed any payments posted to the ransom note Bitcoin address. While this campaign was very small, it’s possible that this and other actors will continue using themes of technology issues and online learning to lend legitimacy and urgency to their lures. 

Indicators of Compromise (IOCs) 

IOC 

IOC Type 

Description 

6e9094fb4c9c24ca08435013e6ffa3bce6bb46c88d33136876e70f8b844578ad 

SHA256 

Document “steph-assignment.docx” 

hxxps[:]//notabug[.]org/Microsoft-Templates/Template/raw/master/template1.dotm 

URL 

External relationship URL in steph-assignment.docx 

225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4 

SHA256 

Macro document template1.dotm downloaded by external relationship 

hxxps[:]//notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe 

URL 

Malware executable downloaded by macro document 

hxxps[:]//notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe 

URL 

Malware executable downloaded by macro document 

 

34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5 

SHA256 

Alderson.exe SHA256 

e3420497b54be31b45ba2c344806a26f1d2f28ea388623984341bf585cb78391 

SHA256 

Irving.exe SHA256 

Subscribe to the Proofpoint Blog