December 16, 2016

Malicious ads displayed on several adult websites and a store selling quadrocopters (drones) are infecting visitors with a new version of the BandarChor ransomware.

Spotted by Proofpoint security researcher Kafeine, the new BandarChor version was confirmed by Bleeping Computer's Lawrence Abrams, and security researcher Malwareforme, who contributed to this report.

BandarChor still going strong after two years
Some of you might recognize BandarChor's name, as it was one of the ransomware families, together with CTB-Locker, CryptoWall, TorrentLocker, and TeslaCrypt, that were part of the first surge of crypto-lockers that made their presence felt in 2015 and started the unending wave of ransomware we see today.

The first BandarChor ransomware infections were spotted in November 2014, and the first report into the ransomware's activities came from Finnish security firm F-Secure, in March 2015.

By the next year, the number of BandarChor infections went down, but the ransomware didn't die out, being spotted in March 2016 by ReaQta researchers.

New version, but same modus operandi
Despite surviving on the market for more than two years, BandarChor has barely changed its initial mode of operation, still asking infected users to send an email to the ransomware's author(s).

The crooks' email address has changed, but that was to be expected. This email address can be found in the ransom note (pictured below), which is created in every folder where the ransomware has encrypted files. The ransom note is a text file named HOW TO DECRYPT.txt and lists a contact email address (not reproduced here), Shigorin.Vitolid@gmail, and a @DecryptService Telegram address that victims can use to contact the devs and get payment instructions.

[Figure: BandarChor ransom note]

The same contact email address is also used in the file extension BandarChor adds to encrypted files.

As spotted by both F-Secure in 2015 and again by ReaQta in 2016, the crook(s) behind BandarChor haven't updated the pattern used for this file extension. For this campaign, when BandarChor encrypts files, it will take a file named test.jpg and rename it by appending an extension that contains the same contact email address (the full renamed file name is not reproduced here).

[Figure: Files locked by BandarChor]
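The two artifacts described above, a HOW TO DECRYPT.txt note dropped in every folder that was encrypted and an extension that embeds the attacker's contact email, are enough for a simple triage scan. The following script is an added example written for this article, not code from the original report or from any of the researchers named; it walks a file listing, flags ransom notes and email-bearing extensions, and reports the directories that contain both. The exact layout of the appended extension is not shown on the page, so the regex only assumes that a dot precedes an "@" somewhere in the final name; the sample listing, the "id-PLACEHOLDER" fragment and contact@example.com are constructed values.

```python
import os
import re
from collections import defaultdict

# Ransom note filename as reported in the article.
RANSOM_NOTE_NAME = "HOW TO DECRYPT.txt"

# Assumption (the page states the extension contains the contact email but does not
# reproduce its exact layout): treat any basename that has a "." somewhere before an
# "@" as "<original name>.<original ext>...<email>". A name such as "a.b@c.txt" would
# also match, so results are triage leads, not a verdict.
LOCKED_NAME_RE = re.compile(r"\.[^/\\]*@[^/\\]*$")


def split_path(path: str):
    """Split on the last Windows or POSIX separator; returns (directory, basename)."""
    m = re.match(r"^(.*)[\\/]([^\\/]+)$", path)
    if not m:
        return "", path
    return m.group(1), m.group(2)


def is_ransom_note(name: str) -> bool:
    """Case-insensitive match on the note filename (NTFS is case-insensitive)."""
    return name.lower() == RANSOM_NOTE_NAME.lower()


def is_locked_name(name: str) -> bool:
    """True if the basename looks like an original file with an email-bearing extension."""
    return bool(LOCKED_NAME_RE.search(name))


def scan_listing(paths):
    """Classify file paths; directories holding both a note and a locked file rank highest."""
    notes, locked = [], []
    per_dir = defaultdict(lambda: {"note": False, "locked": 0})
    for path in paths:
        directory, name = split_path(path)
        if is_ransom_note(name):
            notes.append(path)
            per_dir[directory]["note"] = True
        elif is_locked_name(name):
            locked.append(path)
            per_dir[directory]["locked"] += 1
    suspicious = sorted(d for d, v in per_dir.items() if v["note"] and v["locked"] > 0)
    return {"notes": notes, "locked": locked, "suspicious_dirs": suspicious}


def scan_tree(root: str):
    """Walk a real directory tree and classify every file found under it."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return scan_listing(paths)


# Constructed sample listing (not a real infection): one folder has a note only,
# one has a note plus a locked file, and one holds a harmless name containing "@".
SAMPLE_LISTING = [
    r"C:\Users\victim\Documents\HOW TO DECRYPT.txt",
    r"C:\Users\victim\Documents\report.docx",
    r"C:\Users\victim\Pictures\HOW TO DECRYPT.txt",
    r"C:\Users\victim\Pictures\test.jpg.id-PLACEHOLDER_contact@example.com",
    r"C:\Users\victim\Pictures\holiday.png",
    r"C:\Users\victim\Contacts\john@example.com.vcf",
]

if __name__ == "__main__":
    result = scan_listing(SAMPLE_LISTING)
    print("ransom notes:", *result["notes"], sep="\n  ")
    print("locked files:", *result["locked"], sep="\n  ")
    print("directories with note + locked files:", *result["suspicious_dirs"], sep="\n  ")
```

Running the script on the constructed listing reports both notes, the single renamed test.jpg, and only the Pictures folder as a directory with both indicators; the contact card is left alone because its "@" is not preceded by a dot. On a live host, point scan_tree at a user profile and review the suspicious directories first.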

Like in previous variants, BandarChor relies on a working Internet connection to talk to an online C&C server. This BandarChor variant communicates with the following remote servers:
[Figure: BandarChor1, remote servers contacted by this variant]

Malwareforme stated that this variant of BandarChor continues to use the same URL structure as previous versions when communicating with the Command & Control servers, as shown below.

[Figure: BandarChor2, C&C URL structure]

As it appears, this BandarChor variant is yet another minor update to a continuing threat that has managed to survive all these years. This is most likely due to the small number of infections it made, which allowed it to avoid drawing attention from law enforcement agencies.
