The Newest Malware- Beware!

Share This/Follow Us:
LinkedIn77
Instagram23
Email
RSS

Cyber attackers have gone back to the basics with the release of a new strain of ransomware malware that locks up compromised devices without encrypting files.

Now they just lock up your business’ devices and hope you pay. Securolytics partner Cyphort Labs discovered the threat- here is what you need to know.

On March 9 2016, Cyphort Labs discovered an infection on a site keng94(dot)com redirecting visitors to an exploit kit and installing a Ransom Locker. The site is redirecting users to rg(dot)foldersasap(dot)com which is a RIG EK landing page that serves a malicious flash file and a malicious binary.

Chain and RIG EK landing

 The binary arrives encrypted over the network and after decryption, it is saved in the %temp% folder. The binary is  a new trojan-downloader type of malware but we found multiple references of the string “FA” in its code which gives us an idea of the specific name/family of the malware.

  • ItsMeFA

  • “version_fa”

  • fa 155

It adds an autostart key in the registry and copies itself in the StartMenu folder to execute itself at every start-up. It creates the file “C:\Users\Public\Music\Microsoft\Windows\Manifest\torrc“. This a tor configuration file which indicates how tor is being used.  The config file is set to start a “Tor Hidden Service” which can be accessed using port 1060. Tor is a free tool that is used for network anonymity.

torrc file contents

 

After creating the torrc file, it downloads a file from “http://myfiles(dot)pro/uploads/1275859359.Gaga.mp3″ and saves it as C:\Users\Public\Music\Microsoft\Windows\Manifest\tor.exe

This file is actually an executable file masquerading as a mp3. When started, it spawns the following process:

  • C:\Users\Public\Music\Microsoft\Windows\Manifest\tor.exe -f torrc

And as the usual tor execution process, the following files are created.

 

As a hidden service, tor automatically generates an onion address (e.g., 43zri2d6x2rruezl.onion) for your machine and it is written to a file named ‘hostname’. It uses this tor hidden service to download its final payload. The use of the tor hidden service allows the attacker to hide its malicious network activity in the tor network. A few moments later, the following window covers the entire screen making it unusable.

Since it locked our system, we thought of booting it in safe mode for further investigation but we were not able to do so. We decided to analyze it offline and we used volatility to analyze the memory image.

Using Volatility to Find the Malware

We obtained the memory dump and process tree list using volatility command “pstree” and found the sd_app.exe to be the last process spawned which is also spawning another instance of tor.exe. This is likely the downloaded app and responsible for locking our screen.

 

To confirm this, we list visible windows using the “wintree” command  to identify which process is responsible for the lock screen and we identified the same sd_app.exe.

 

Next, we identified the full path of the file using the process id and ‘cmdline‘ command

 

We dumped the disk and found the following list of files added.

The .bat  disables advanced boot options using bcedit which explains why we are not able to boot in safe mode.

contents of 1.bat

 

 

In-the-Wild Samples

Using VirusTotal service, we searched for similar samples and found 4 related samples. The first appearance of the sample is last February 01, 2016 with very low detection when first submitted. The files are also signed but the certificates are invalid. The resources section of the binary points to Russia or Ukraine.

 

The variants of sd_app are also signed but 2 of the files still have no detection.

We also found the files uploaded have debug prints in the code and files are uploaded from Ukraine which indicates that the actors are using VirusTotal to test if their malware is detected by heuristics. The first variant uploaded in VT has version 0.01a-154d as indicated by the ff string:

  • WIN32-VS-x32-RELEASE-Feb  1 2016-15:33:48 v.0.01a-154d

The sample we got is version 0.02a-155. This clearly means it is in the early stage of development.

 

Conclusion

It’s been awhile since we have seen a new family of Ransom Locker in-the-wild, probably due to the success of file-encrypting ransomware such as Cryptolocker, Cryptowall, Locky, etc. Also, Ransom Lockers can be easily cleaned by using “rescue discs”  so it was not effective for monetization. However, this new discovery is an advancement of random locker malware as it is using Tor to communicate to its CnC servers. By using tor, the attacker adds a layer of anonymity while doing its malicious activity. Also, while the attacker got your machine kidnapped, they created a Tor hidden service that allows the attacker to utilize your system for bitcoin payments or other malicious activity. As discovered by a researcher, there has been an spike of tor hidden services due to the ongoing spam campaign of Ransomware Locky. We also believe that the malware is in its early stages of development and the actors are testing the waters.

Cyphort’s Advanced Threat Detection is able to detect the exploit infection and also detects all the payload files through behavioral detection.

 

 

Share This/Follow Us:
LinkedIn77
Instagram23
Email
RSS

Leave a Reply

Your email address will not be published. Required fields are marked *