Cyber attackers have gone back to basics with the release of a new strain of ransomware that locks up compromised devices without encrypting files.
Now they simply lock up your business’s devices and hope you pay. Securolytics partner Cyphort Labs discovered the threat. Here is what you need to know.
On March 9, 2016, Cyphort Labs discovered an infection on the site keng94(dot)com that redirects visitors to an exploit kit and installs a Ransom Locker. The site redirects users to rg(dot)foldersasap(dot)com, a RIG EK landing page that serves a malicious Flash file and a malicious binary.
Chain and RIG EK landing
The binary arrives encrypted over the network and, after decryption, is saved in the %temp% folder. It is a new trojan-downloader type of malware, but we found multiple references to the string “FA” in its code, which gives us an idea of the specific name/family of the malware.
It adds an autostart key in the registry and copies itself into the StartMenu folder so that it executes at every start-up. It creates the file “C:\Users\Public\Music\Microsoft\Windows\Manifest\torrc”. This is a Tor configuration file, which tells us how Tor is being used: the config file is set to start a Tor Hidden Service that can be accessed using port 1060. Tor is a free tool used for network anonymity.
torrc file contents
After creating the torrc file, it downloads a file from “http://myfiles(dot)pro/uploads/1275859359.Gaga.mp3” and saves it as C:\Users\Public\Music\Microsoft\Windows\Manifest\tor.exe
This file is actually an executable masquerading as an mp3. When started, it spawns the following process:
C:\Users\Public\Music\Microsoft\Windows\Manifest\tor.exe -f torrc
As with a normal Tor start-up, the following files are created.
As a hidden service, Tor automatically generates an onion address for the machine (e.g., 43zri2d6x2rruezl.onion) and writes it to a file named ‘hostname’. The malware uses this Tor hidden service to download its final payload; routing the traffic through the Tor network lets the attacker hide its malicious network activity. A few moments later, the following window covers the entire screen, making the machine unusable.
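As an added defender-side example (not code from the post or from Cyphort), the following Python parses a torrc for hidden-service directives and flags a tor.exe command line run with -f torrc from outside a normal Tor install directory, mirroring the two indicators described above. The torrc text is constructed from the post's description (the real file contents are not reproduced here), and the list of expected install directories is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed torrc modelled on the post's description (hidden service on port 1060).
# This is NOT the malware's actual torrc, which the post does not reproduce.
SAMPLE_TORRC = """\
# constructed sample
DataDirectory C:\\Users\\Public\\Music\\Microsoft\\Windows\\Manifest\\data
HiddenServiceDir C:\\Users\\Public\\Music\\Microsoft\\Windows\\Manifest\\hs
HiddenServicePort 1060 127.0.0.1:1060
"""

# Assumption: directories where a legitimately installed tor.exe would normally live.
EXPECTED_TOR_DIRS = ("program files", "program files (x86)", "tor browser")


def parse_torrc(text):
    """Return torrc directives as (keyword, value) pairs, skipping comments and blanks."""
    directives = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        directives.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return directives


def hidden_services(text):
    """Group HiddenServiceDir/HiddenServicePort directives: [{"dir": ..., "ports": [...]}]."""
    services, current = [], None
    for key, value in parse_torrc(text):
        if key.lower() == "hiddenservicedir":
            current = {"dir": value, "ports": []}
            services.append(current)
        elif key.lower() == "hiddenserviceport" and current is not None:
            current["ports"].append(int(value.split()[0]))  # first field is the virtual port
    return services


def suspicious_tor_launch(cmdline):
    """True when tor.exe is started with '-f <torrc>' from a non-install directory."""
    m = re.match(r'^"?(.*?tor\.exe)"?\s+(.*)$', cmdline, re.IGNORECASE)
    if not m:
        return False
    exe, args = m.groups()
    parent_dir = str(PureWindowsPath(exe).parent).lower()
    reads_torrc = bool(re.search(r"(^|\s)-f\s+\S*torrc", args, re.IGNORECASE))
    from_install_dir = any(d in parent_dir for d in EXPECTED_TOR_DIRS)
    return reads_torrc and not from_install_dir
```

On the process line from the post this returns True, while the same arguments from a Tor Browser install path return False.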
Using Volatility to Find the Malware
We obtained the memory dump and listed the process tree using the Volatility command “pstree”. We found sd_app.exe to be the last process spawned, and it in turn spawns another instance of tor.exe. This is likely the downloaded app and the process responsible for locking our screen.
To confirm this, we listed the visible windows using the “wintree” command to identify which process owns the lock screen, and it pointed to the same sd_app.exe.
Next, we identified the full path of the file using the process id and the ‘cmdline’ command.
We dumped the disk and found the following list of files added.
The .bat disables advanced boot options using bcdedit, which explains why we were not able to boot into safe mode.
contents of 1.bat
Using the VirusTotal service, we searched for similar samples and found 4 related samples. The sample first appeared on February 01, 2016, with very low detection when first submitted. The files are signed, but the certificates are invalid. The resources section of the binary points to Russia or Ukraine.
The variants of sd_app are also signed, but 2 of the files still have no detection.
We also found that the uploaded files contain debug prints in the code and were uploaded from Ukraine, which indicates that the actors are using VirusTotal to test whether their malware is detected by heuristics. The first variant uploaded to VT has version 0.01a-154d, as indicated by the following string:
WIN32-VS-x32-RELEASE-Feb 1 2016-15:33:48 v.0.01a-154d
The sample we obtained is version 0.02a-155. This clearly means it is at an early stage of development.
It has been a while since we have seen a new family of Ransom Locker in the wild, probably due to the success of file-encrypting ransomware such as Cryptolocker, Cryptowall, Locky, etc. Also, Ransom Lockers can easily be cleaned using “rescue discs”, so they were not effective for monetization. However, this new discovery is an advancement of ransom locker malware, as it uses Tor to communicate with its CnC servers. By using Tor, the attacker adds a layer of anonymity to its malicious activity. Also, while the attacker holds your machine hostage, the Tor hidden service it created allows the attacker to use your system for bitcoin payments or other malicious activity. As discovered by a s due to the ongoing spam campaign of Ransomware Locky. We also believe that the malware is in its early stages of development and the actors are testing the waters.
Cyphort’s Advanced Threat Detection detects the exploit infection and also detects all the payload files through behavioral detection.