Cofense PDC uncovered a LeeMe ransomware campaign using compromised sender accounts, SAP Ariba-themed lures, password-protected GoFile downloads, a fake installation GUI, AES-256 encryption, and built-in exfiltration (keylogger/credential theft) to extort victims. Artifacts include specific executable and Python script hashes, GoFile/Telegram endpoints, and a Bitcoin ransom wallet; #LeeMe #SAP_Ariba
Keypoints
- Campaign uses compromised email accounts and SAP Ariba-themed lures with password-protected archives to evade detection and increase user trust.
- Delivery hosts files on GoFile (e.g., SAP_Ariba_QuoteBuilder_v2.zip) with instructions encouraging disabling Windows real-time protection.
- Fake installation GUI (SAP-branded) runs while ransomware encrypts files using AES-256 and randomized file extensions targeting many common document/media types.
- LeeMe includes a keylogger (pynput) and credential/file exfiltration that zips and uploads data to GoFile or sends it via Telegram.
- Additional capabilities: persistence (autorun, scheduled tasks), Defender bypass, task/process protection, self-copying, SSH/WinRM setup for remote access, and anti-forensics.
- Ransom demand is relatively low (0.46900 BTC / ~$105,000) suggesting broad targeting; Bitcoin wallet activity can be tracked for payments.
- IOCs provided include filenames, MD5/SHA256 hashes, GoFile download URL, Telegram API endpoint, and IP addresses for detection and hunting.
MITRE Techniques
- [T1566] Phishing – Email lure impersonating SAP Ariba with an embedded link to a password-protected archive to deliver the malware (“…New SAP Ariba tool…archive download for the tool, which needs to be decrypted via a password given in the email body.”)
- [T1204] User Execution – Victim instructed to run an executable after extracting the archive and follow instructions that may disable protections (“…instructions walk the victim through how to run the executable…explain to the user how to disable Windows real-time threat detection…”)
- [T1105] Ingress Tool Transfer – Malware delivered via GoFile file-sharing download (“…user is taken to a GoFile download page… ‘SAP_Ariba_QuoteBuilder_v2.zip’ file ready for download.”)
- [T1490] Impact (Encrypt Files) – AES-256 encryption routine targets many file types to render them unusable (“…lock_screen_crypto.py…searches by file extension across all available drives…lock the files found using an AES-256 encryption method.”)
- [T1056] Input Capture (Keylogging) – Uses pynput keyboard listener to capture keystrokes on triggers for sensitive input (“…uses the pynput library and creates a keyboard listener…triggered when the user types something from a list of ‘SENSITIVE_TRIGGERS’”)
- [T1030] Data Transfer Size Limits / Exfiltration – Scans for sensitive files/keywords, zips them and uploads to GoFile or sends via Telegram (“…files are zipped and are uploaded to Gofile or sent to the threat actor via Telegram.”)
- [T1543] Create or Modify System Process (Persistence) – Creates autorun entries and scheduled tasks for persistence (“Create autorun entries and scheduled tasks for persistence”)
- [T1562] Impair Defenses – Bypasses Windows Defender and blocks Task Manager to prevent detection/termination (“Bypass Windows Defender and blocks Task Manager”)
- [T1106] Native API – Creates copies with random names under system folders and prevents deletion/termination (described as self-copying and preventing malware file deletion and process termination)
- [T1218] System Binary Proxy Execution – Sets up SSH and WINRM servers for remote access capability (“Setup an SSH and WINRM server for remote access capability”)
Indicators of Compromise
- [File Name / Hashes] Ransomware executables and Python scripts – SAP_Ariba_QuoteBuilder_v2.exe (MD5: 5661bf7b82b2e14941756ac46f18cda0, SHA256: 73b4143d…), lock_screen.py (MD5: a77139ae6eaea697135c38627fcb8d16, SHA256: be1f87f0…), and other script hashes (and 6 more hashes).
- [Domain / URL] Delivery and exfiltration endpoints – hxxps://gofile[.]io/d/HeFOIx and hxxps://api[.]telegram[.]org/bot7912337443:AAFV0_Ew…/sendMessage (used for download and data/command messaging).
- [IP Addresses] Hosting and infrastructure – 149[.]154[.]167[.]220 (GoFile download), 160[.]202[.]167[.]55 (Telegram-related endpoint).
- [File Names] Archive and dropped files – SAP_Ariba_QuoteBuilder_v2.zip / SAP_Ariba_QuoteBuilder_v2.exe; multiple lock_screen_*.py files (used for UI, crypto, anti-forensics, exfiltrator).
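As an added hunting example (not code from the Cofense report): a small Python matcher that refangs the indicators listed above and checks them against constructed proxy, EDR and firewall log lines. The Telegram bot URL is truncated in the report, so it is matched as a prefix; the sample log lines, hostnames and the `<redacted>` token tail are constructed.

```python
import re

# Indicators as published in the write-up above, kept in defanged form.
IOC_HASHES = {
    "5661bf7b82b2e14941756ac46f18cda0": "SAP_Ariba_QuoteBuilder_v2.exe (MD5)",
    "a77139ae6eaea697135c38627fcb8d16": "lock_screen.py (MD5)",
}
# The Telegram URL is truncated in the report, so it is matched as a prefix only.
IOC_URL_PREFIXES = [
    "hxxps://gofile[.]io/d/HeFOIx",
    "hxxps://api[.]telegram[.]org/bot7912337443:AAFV0_Ew",
]
IOC_IPS = ["149[.]154[.]167[.]220", "160[.]202[.]167[.]55"]


def refang(ioc: str) -> str:
    """Turn the defanged form used in reports back into a matchable string."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def scan_log_line(line: str) -> list[str]:
    """Return the names of every LeeMe indicator found in one log line."""
    hits = [name for h, name in IOC_HASHES.items() if h in line.lower()]
    hits += [f"URL {refang(p)}" for p in IOC_URL_PREFIXES if refang(p) in line]
    for ip in IOC_IPS:
        # Boundaries stop 149.154.167.22 from matching as a prefix of .220.
        pattern = r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d.])"
        if re.search(pattern, line):
            hits.append(f"IP {refang(ip)}")
    return hits


def scan_logs(lines: list[str]) -> dict[int, list[str]]:
    """Map each matching line index to the indicators it contains."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_log_line(line))}


# Constructed sample events (not from the report): proxy, EDR hash, firewall.
SAMPLE_LOGS = [
    "2025-06-03T09:12:44Z proxy user=jdoe method=GET url=https://gofile.io/d/HeFOIx status=200",
    "2025-06-03T09:15:02Z edr host=WS-017 proc=SAP_Ariba_QuoteBuilder_v2.exe md5=5661BF7B82B2E14941756AC46F18CDA0",
    "2025-06-03T09:20:10Z fw src=10.1.2.3 dst=149.154.167.220 dport=443 action=allow",
    "2025-06-03T09:21:00Z fw src=10.1.2.3 dst=149.154.167.22 dport=443 action=allow",
    "2025-06-03T09:25:31Z proxy user=jdoe method=POST url=https://api.telegram.org/bot7912337443:AAFV0_Ew<redacted>/sendMessage status=200",
]

if __name__ == "__main__":
    for i, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {i}: {', '.join(hits)}")
```

The fourth sample line (a different /24 neighbour) is deliberately included to show that the boundary check avoids a false positive on an IP prefix.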
Read more: https://cofense.com/blog/this-sap-ariba-quote-isn-t-what-it-seems-it-s-ransomware