New Spora Ransomware Variant Bypasses Security Scanners

A ransomware strain known as Spora that first appeared in January has returned with a new technique designed to bypass antivirus scanners and email filters, researchers have warned.

The malware arrives as an HTA (HTML Application) file attached to an email message and which appears to be an invoice or a notification of payment.

Concealed HTA file

The file arrives inside a ZIP archive, and when launched it runs an embedded JavaScript file, Sophos said in an advisory.

Scanning tools are capable of detecting malware hidden inside ZIP archives, but a new version of Spora further disguises the HTA file by making it appear to filters as a PDF document.

Spora’s ransom note

The file has an .hta extension, but scanners typically ignore file extensions, instead examining the bytes contained in the file.

The new version of Spora contains initial bytes making it appear to be a PDF, with the HTA file appended on at the end, Sophos said.

HTA files can be dangerous because they run in Windows as web pages that aren’t subject to the usual security restrictions.

“Since the HTA script is tacked on at the end of a file otherwise created to look like a PDF, the chances of the ransomware getting through are greater,” Sophos said in its advisory.

Network infection

To further confuse users, the document’s filename ends in _pdf, along with the .hta extension. Since Windows hides file extensions by default, users might at first glance think the document is a PDF.

Once launched, the malware encrypts the files held on the system and displays a ransom message, as well as manipulating the system’s Program Files directory to spread the malware to other users on the same network.

When users browse to an infected shared system they, too, will find their computers hit by Spora, Sophos said.

Before paying the ransom users are required to upload one of their encrypted files, which seems to be a way of creating a unique account for each target.

Spora’s payment page

The malware’s creators operate a public chat server victims can use to pose questions to the perpetrators, Sophos said.

‘Immunity’ fee

They allow targets to pay an “immunity” fee to stop them from being hit by Spora again, as well as an additional fee for recovering their files.

So far the latest variant has only targeted Russian-speaking organisations, but Sophos said if it proves successful the technique could be deployed more broadly.

The firm recommended administrators configure their Windows systems to display file extensions and to consider using an on-access antivirus scanner, which monitors continuously for malicious files.

Stricter email gateway settings might also help defeat tricks such as that employed by the latest Spora variant, Sophos said.

Do you know all about security in 2017? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Hate Speech Watchdog CCDH To Quit Musk’s X

Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…

11 hours ago

Meta Fined €798m Over Alleged Facebook Marketplace Violations

Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…

13 hours ago

Elon Musk Rebuked By Italian President Over Migration Tweets

Elon Musk continues to provoke the ire of various leaders around the world with his…

14 hours ago

VW, Rivian Launch Joint Venture, As Investment Rises To $5.8 Billion

Volkswagen and Rivian officially launch their joint venture, as German car giant ups investment to…

15 hours ago

AMD Axes 4 Percent Of Staff, Amid AI Chip Focus

Merry Christmas staff. AMD hands marching orders to 1,000 employees in the led up to…

18 hours ago

Tesla Recalls 2,431 Cybertrucks Over Propulsion Issue

Recall number six in 2024 for Tesla Cybertruck, and this time the fault cannot be…

19 hours ago