SYMBOLCOMMON_NAMEaka. SYNONYMS
win.globeimposter (Back to overview)

GlobeImposter

aka: Fake Globe
URLhaus      

GlobeImposter is a ransomware application which is mainly distributed via "blank slate" spam (the spam has no message content and an attached ZIP file), exploits, malicious advertising, fake updates, and repacked installers. GlobeImposter mimics the Globe ransomware family.
This malware may prevent execution of Anti-Virus solutions and other OS related security features and may prevent system restoration.

References
2023-03-08AhnLabASEC
@online{asec:20230308:globeimposter:2a15455, author = {ASEC}, title = {{GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP}}, date = {2023-03-08}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/48940/}, language = {English}, urldate = {2023-03-20} } GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP
GlobeImposter MedusaLocker
2023-02-15SentinelOneJim Walter
@online{walter:20230215:recent:12930ef, author = {Jim Walter}, title = {{Recent TZW Campaigns Revealed As Part of GlobeImposter Malware Family}}, date = {2023-02-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/recent-tzw-campaigns-revealed-as-part-of-globeimposter-malware-family/}, language = {English}, urldate = {2023-02-17} } Recent TZW Campaigns Revealed As Part of GlobeImposter Malware Family
GlobeImposter
2021-12-28AhnLabASEC Analysis Team
@online{team:20211228:cases:d28b675, author = {ASEC Analysis Team}, title = {{Cases of Lockis ransomware infection}}, date = {2021-12-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/30284/}, language = {Korean}, urldate = {2022-01-05} } Cases of Lockis ransomware infection
GlobeImposter
2021-04-27CrowdStrikeJosh Dalman, Kamil Janton, Eben Kaplan
@online{dalman:20210427:ransomware:8242ac5, author = {Josh Dalman and Kamil Janton and Eben Kaplan}, title = {{Ransomware Preparedness: A Call to Action}}, date = {2021-04-27}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/}, language = {English}, urldate = {2021-05-31} } Ransomware Preparedness: A Call to Action
Dharma GlobeImposter Maze Phobos CIRCUS SPIDER TRAVELING SPIDER
2020-06-22CERT-FRCERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://intel471.com/blog/a-brief-history-of-ta505}, language = {English}, urldate = {2022-02-14} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2020-01-17SecureworksTamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware
2020SecureworksSecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} } GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot LUNAR SPIDER
2018-08-30360 Total SecurityElley
@online{elley:20180830:globeimposter:ccc8f6f, author = {Elley}, title = {{GlobeImposter which has more than 20 variants, is still wildly growing}}, date = {2018-08-30}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/globeimposter-which-has-more-than-20-variants-is-still-wildly-growing/}, language = {English}, urldate = {2022-02-14} } GlobeImposter which has more than 20 variants, is still wildly growing
GlobeImposter
2018-03-07InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20180307:ransomware:504a693, author = {Brad Duncan}, title = {{Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there}}, date = {2018-03-07}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/23417}, language = {English}, urldate = {2020-01-06} } Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there
Gandcrab GlobeImposter
2018-01-16enSiloAlon Hadar
@online{hadar:20180116:globeimposter:6a2afda, author = {Alon Hadar}, title = {{GlobeImposter Ransomware}}, date = {2018-01-16}, organization = {enSilo}, url = {https://blog.ensilo.com/globeimposter-ransomware-technical}, language = {English}, urldate = {2019-07-09} } GlobeImposter Ransomware
GlobeImposter
2018-01-15AcronisAcronis Security
@online{security:20180115:globeimposter:b5ca4e4, author = {Acronis Security}, title = {{GlobeImposter ransomware: A holiday gift from the Necurs botnet}}, date = {2018-01-15}, organization = {Acronis}, url = {https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet}, language = {English}, urldate = {2020-01-13} } GlobeImposter ransomware: A holiday gift from the Necurs botnet
GlobeImposter
2018-01-12ProofpointProofpoint Staff
@online{staff:20180112:holiday:b4225b8, author = {Proofpoint Staff}, title = {{Holiday lull? Not so much}}, date = {2018-01-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much}, language = {English}, urldate = {2021-05-31} } Holiday lull? Not so much
Dridex Emotet GlobeImposter ISFB Necurs PandaBanker UrlZone NARWHAL SPIDER
2018Group-IBGroup-IB
@techreport{groupib:2018:evolution:888e07c, author = {Group-IB}, title = {{The evolution of ransomware and its distribution methods}}, date = {2018}, institution = {Group-IB}, url = {https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Ransomware_whitepaper_eng.pdf}, language = {English}, urldate = {2021-02-09} } The evolution of ransomware and its distribution methods
GlobeImposter
2017-12-22Bleeping ComputerLawrence Abrams
@online{abrams:20171222:new:eadbe96, author = {Lawrence Abrams}, title = {{New .DOC GlobeImposter Ransomware Variant Malspam Campaign Underway}}, date = {2017-12-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/}, language = {English}, urldate = {2019-12-20} } New .DOC GlobeImposter Ransomware Variant Malspam Campaign Underway
GlobeImposter
2017-08-10PhishLabsAmanda Kline
@online{kline:20170810:globe:382859f, author = {Amanda Kline}, title = {{Globe Imposter Ransomware Makes a New Run}}, date = {2017-08-10}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run}, language = {English}, urldate = {2020-01-07} } Globe Imposter Ransomware Makes a New Run
GlobeImposter
2017-08-05FortinetXiaopeng Zhang
@online{zhang:20170805:analysis:8c21b07, author = {Xiaopeng Zhang}, title = {{Analysis of New GlobeImposter Ransomware Variant}}, date = {2017-08-05}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant}, language = {English}, urldate = {2019-11-22} } Analysis of New GlobeImposter Ransomware Variant
GlobeImposter
2016-12-23Emsisoft
@online{emsisoft:20161223:emsisoft:0ffcdde, author = {Emsisoft}, title = {{Emsisoft Decryptor for GlobeImposter}}, date = {2016-12-23}, url = {https://www.emsisoft.com/ransomware-decryption-tools/globeimposter}, language = {English}, urldate = {2022-02-14} } Emsisoft Decryptor for GlobeImposter
GlobeImposter
Yara Rules
[TLP:WHITE] win_globeimposter_auto (20230715 | Detects win.globeimposter.)
rule win_globeimposter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.globeimposter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 03c7 50 ff15???????? 85c0 743b 8b7c2410 }
            // n = 7, score = 700
            //   ff15????????         |                     
            //   03c7                 | add                 eax, edi
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   743b                 | je                  0x3d
            //   8b7c2410             | mov                 edi, dword ptr [esp + 0x10]

        $sequence_1 = { c1e008 33c8 8bc2 c1e808 23c5 }
            // n = 5, score = 700
            //   c1e008               | shl                 eax, 8
            //   33c8                 | xor                 ecx, eax
            //   8bc2                 | mov                 eax, edx
            //   c1e808               | shr                 eax, 8
            //   23c5                 | and                 eax, ebp

        $sequence_2 = { 58 e9???????? 7904 6af6 ebf4 }
            // n = 5, score = 700
            //   58                   | pop                 eax
            //   e9????????           |                     
            //   7904                 | jns                 6
            //   6af6                 | push                -0xa
            //   ebf4                 | jmp                 0xfffffff6

        $sequence_3 = { 33c8 8bc2 334e10 c1e810 23c5 }
            // n = 5, score = 700
            //   33c8                 | xor                 ecx, eax
            //   8bc2                 | mov                 eax, edx
            //   334e10               | xor                 ecx, dword ptr [esi + 0x10]
            //   c1e810               | shr                 eax, 0x10
            //   23c5                 | and                 eax, ebp

        $sequence_4 = { 33d2 0fafc6 2bf8 0fb7c1 c1e710 0bf8 8bc7 }
            // n = 7, score = 700
            //   33d2                 | xor                 edx, edx
            //   0fafc6               | imul                eax, esi
            //   2bf8                 | sub                 edi, eax
            //   0fb7c1               | movzx               eax, cx
            //   c1e710               | shl                 edi, 0x10
            //   0bf8                 | or                  edi, eax
            //   8bc7                 | mov                 eax, edi

        $sequence_5 = { 6ac4 58 eb2f 56 ff750c 8b7510 }
            // n = 6, score = 700
            //   6ac4                 | push                -0x3c
            //   58                   | pop                 eax
            //   eb2f                 | jmp                 0x31
            //   56                   | push                esi
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]

        $sequence_6 = { 0f6e7608 0ff4f0 0f6e7e0c 0ff4f8 0fd4ca }
            // n = 5, score = 700
            //   0f6e7608             | movd                mm6, dword ptr [esi + 8]
            //   0ff4f0               | pmuludq             mm6, mm0
            //   0f6e7e0c             | movd                mm7, dword ptr [esi + 0xc]
            //   0ff4f8               | pmuludq             mm7, mm0
            //   0fd4ca               | paddq               mm1, mm2

        $sequence_7 = { 8bef 8bf0 8b06 8d7604 }
            // n = 4, score = 700
            //   8bef                 | mov                 ebp, edi
            //   8bf0                 | mov                 esi, eax
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8d7604               | lea                 esi, [esi + 4]

        $sequence_8 = { 83c0fc 3918 7506 83e804 4f 75f6 }
            // n = 6, score = 700
            //   83c0fc               | add                 eax, -4
            //   3918                 | cmp                 dword ptr [eax], ebx
            //   7506                 | jne                 8
            //   83e804               | sub                 eax, 4
            //   4f                   | dec                 edi
            //   75f6                 | jne                 0xfffffff8

        $sequence_9 = { ff15???????? 85c0 7405 3975fc 7405 6afe 58 }
            // n = 7, score = 700
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7405                 | je                  7
            //   3975fc               | cmp                 dword ptr [ebp - 4], esi
            //   7405                 | je                  7
            //   6afe                 | push                -2
            //   58                   | pop                 eax

    condition:
        7 of them and filesize < 327680
}
Download all Yara Rules