Update 11/11/2019 – Following an update to the referenced ESET article on 6 November, we have amended the detection name to Win32/Filecoder.Buran.
As of October 2019, commodity ransomware campaigns conducted by financially motivated threat actors pose a significant threat to organisations. The three distinguishing characteristics of such campaigns are: first, they are usually high volume, sent to many employees in an organisation; second, they are indiscriminate, relying on opportunistic infections to make money from ransom payments; and third, the distributed malware is designed to suit a wide range of environments and infection vectors, rather than being tailored to a specific network. Any targeting tends to focus on regions that share a common language and the popular online services used there, instead of identifying a small number of lucrative targets. In this post, we examine a malicious spam (malspam) campaign targeting German organisations in early October 2019 that delivered Buran.
Buran is a family of commodity ransomware, compiled with Borland Delphi. It was analysed by ESET researchers in April 2019, who call it Win32/Filecoder.Buran. In May 2019, Buran was discovered being sold in Russian-speaking underground forums. Buran’s developers market the malware to potential operators as a ransomware-as-a-service (RaaS) scheme, taking a 25% cut of any ransom payments in exchange for a “decoder” used to decrypt victims’ files (figure 1). The affiliate scheme has been advertised on several forums by a user called buransupport, most recently on 4 September 2019 (figure 2).
Figure 1 – Translated advert from May 2019 for Buran’s affiliate scheme.
Figure 2 – Translated forum post from 4 September 2019 promoting the affiliate scheme.
Based on the behaviour of the malware and how it is sold, it’s clear that Buran is a family of commodity malware that has been developed with no specific target in mind. Buran’s developers say that the malware will not run in any countries of the former Commonwealth of Independent States (CIS), possibly a measure to protect its developers from the ire of local law enforcement. The use of geo-fencing suggests that the malware was developed with the intention of following a RaaS model, relying on potentially less trusted affiliates to distribute the ransomware.
Buran performs several anti-forensic measures, such as clearing Windows Event logs and disabling the Windows Event Log service, which are designed to make any post-infection investigation more difficult. However, these actions are noisy and easily detectable by network defenders, so the benefit of each measure in destroying evidence has to be weighed against the cost of early detection. Since commodity malware must support different infection vectors and environments, it often contains a range of anti-forensic measures, not all of which will be relevant to the environment where it is deployed. For instance, Buran also deletes Remote Desktop Protocol (RDP) connection logs from the victim’s system. In the context of this campaign, this measure is unnecessary because initial access was gained by phishing, not RDP.
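Detection logic for the log-clearing and service-disabling behaviour just described, written as an added example for this post rather than taken from the malware analysis or any vendor's rule set; the Windows event IDs are the standard ones, and the sample events are constructed.

```python
# Added example: flag the anti-forensic actions described above (event log
# clearing, Windows Event Log service disabled) from standard Windows event
# IDs. Sample events are constructed, not telemetry from this campaign.
# (channel, event_id) -> indicator label; pairing channel with ID avoids
# matching unrelated providers that reuse the same numeric ID.
ANTI_FORENSIC_EVENTS = {
    ("Security", 1102): "audit log cleared",
    ("System", 104): "event log file cleared",
    ("System", 7040): "Event Log service start type set to disabled",
    ("System", 7036): "Event Log service stopped",
}

def classify(event):
    """Return an indicator label for one event dict, or None if benign."""
    key = (event.get("channel"), event.get("event_id"))
    label = ANTI_FORENSIC_EVENTS.get(key)
    msg = event.get("message", "")
    # 7040/7036 fire for every service; only the Windows Event Log service matters.
    if label is None or (key[1] in (7040, 7036) and "Windows Event Log" not in msg):
        return None
    if (key[1] == 7040 and "disabled" not in msg) or (key[1] == 7036 and "stopped" not in msg):
        return None
    return label

def detect(events):
    """(host, label) for every event matching an indicator."""
    hits = [(ev["host"], classify(ev)) for ev in events]
    return [(h, l) for h, l in hits if l]

def suspicious_hosts(events, min_indicators=2):
    """Hosts showing at least min_indicators distinct indicators. One cleared log
    can be admin activity; clearing logs and then disabling logging rarely is."""
    per_host = {}
    for host, label in detect(events):
        per_host.setdefault(host, set()).add(label)
    return sorted(h for h, ls in per_host.items() if len(ls) >= min_indicators)

SAMPLE_EVENTS = [  # constructed sample; ws01 shows the Buran-style sequence
    {"host": "ws01", "channel": "System", "event_id": 7036,
     "message": "The Print Spooler service entered the running state."},
    {"host": "ws01", "channel": "Security", "event_id": 1102,
     "message": "The audit log was cleared."},
    {"host": "ws01", "channel": "System", "event_id": 104,
     "message": "The System log file was cleared."},
    {"host": "ws01", "channel": "System", "event_id": 7040, "message":
     "The start type of the Windows Event Log service was changed from auto start to disabled."},
    {"host": "ws02", "channel": "System", "event_id": 7040, "message":
     "The start type of the Print Spooler service was changed from auto start to disabled."},
]
```

These events are written before the service stops, so they only help if logs are forwarded off-host to a collector the malware cannot clear.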
Public reporting suggests that Buran malspam campaigns began on 13 September 2019. This is corroborated by metadata found in the emails and Microsoft Word documents. Previously, in June 2019, Buran was observed being distributed through the Rig exploit kit. The campaign on 1 October 2019 spoofed the eFax brand, a legitimate online fax service. German organisations were targeted using an eFax lure consisting of an email and Word document that were translated into German. The ransom note was also translated into German, and the email addresses used to contact the attacker contained the German word for data (“daten”).
Figure 3 – Buran’s German ransom note.
The emails contain hyperlinks to a PHP page that serves Word documents used to download the Buran payload. Using hyperlinks instead of attachments means that the emails are less likely to be blocked by malware scanners at the email gateway. The domains used in the October campaign were registered on 27 September 2019, meaning that the websites were not associated with any prior malicious activity that would cause web proxies to block access to them. The domains were typosquats of the legitimate eFax website using the .site top-level domain (TLD); however, Buran malspam activity from September 2019 shows that the .xyz TLD has also been used (figure 4).