Installation

When the victim opens the malicious zip file, it executes an obfuscated Javascript which attempts to download the GlobeImposter payload from a predetermined domain from a list of hardcoded domains. Then GlobeImposter installs itself into the target’s temp directory and configures itself into the system registry as an auto-run item so it will run whenever the compromised machine starts and therefore has the ability to check for newly created files and encrypt them. GlobeImposter checks for a .tmp file in the “%TEMP%” folder called qfjgmfgmkj.tmp, if the .tmp file isn’t found, then GlobeImposter creates three files, qfjgmfgmkj.tmp, hjkhkHUhhjp.bat and how_to_back_files.html. If the .tmp file is found, then GlobeImposter stops the attack and removes itself.

Encryption

Firstly, GlobeImposter scans for all the files in all the compromised machines, before it generates 2048-RSA encryption keys for all the files and pulls a unique ID for the target’s machines from a C&C server. During the generation of the RSA keys, GlobeImposter run the hjkhkHUhhjp.bat script to clear any traces of attack so the RDP default settings, RDP history, shadow copies, and security logs are removed. GlobeImposter also attempt to kill processes and stop services related to antivirus, database, backup, and document editing software from a list of predefined service and process names by executing “taskkill” and “net stop”. Then GlobeImposter encrypts the contents of the files and overwrites the original content. The unique ID is appended to encrypted content before GlobeImposter add “..726” to each filename of all the encrypted files. Finally, GlobeImposter runs the .bat script again to clear up any remaining traces of the attack before the ransom note is downloaded to each compromised machine with encrypted files.