Sunday, April 15, 2018

This is Spartacus: new ransomware on the block


In this blog post, we'll analyse Spartacus, one of many new ransomware families popping up in 2018.


Analysis

This instance of Spartacus ransomware has the following properties:

MD5; 25dee2e70c931f3fa832a5b189117ce8
SHA1; a01294ffd541229718948e17f791694efb596123
SHA256; ef25bdbcf05fa478df3ddc5f4f717c070e443da04cfc590d44409c815f237cb3
Compilation timestamp: 2018-01-19 20:36:44
VirusTotal report:
ef25bdbcf05fa478df3ddc5f4f717c070e443da04cfc590d44409c815f237cb3


Figure 1 - Spartacus ransomware message

The message reads:

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us the e-mail:
MastersRecovery@protonmail.com and send personal ID KEY:
In case of no answer in 24 hours us to theese e-mail: MastersRecovery@cock.li

The user may send up to 5 files for free decryption, as "guarantee". There's also a warning message at the end of the ransomware screen:

Do not rename encrypted files.
Do not try decrypt your data using party software, it may cause permanent data loss.
Decryption of your files with the help of thrid parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Spartacus will encrypt files, regardless of extension, in the following folders:

Figure 2 - Target folders to encrypt

Generating the key:


Figure 3 - KeyGenerator

As far as I'm aware, Spartacus is the first ransomware who explicitly asks you to send the public key (ID KEY), rather than just sending an email, including the Bitcoin address straight away, or sending the key automatically.

Encrypted files will get the extension appended as follows:
.[MastersRecovery@protonmail.com].Spartacus 

For example:
 Penguins.jpg.[MastersRecovery@protonmail.com].Spartacus

It will also drop the ransomware note, "READ ME.txt" in several locations, such as the user's Desktop:

All your data has been locked us. You want to return? Write email MastersRecovery@protonmail.com or MastersRecovery@cock.li Your personal ID KEY: DvQ9/mvfT3I7U847uKcI0QU3QLd+huv5NOYT2YhfiySde0vhmkzyTtRPlcu73BAJILIPdALjAIy5NLxBHckfyV2XS+GXdjlHMx2V/VEfj4BrZkLB3BQtEdAqS1d2yzb/2+AqTNjsRfZ99ZWVxUZO3AeEZk5h0+3hNM5GogUN2oV5zHkbMZuDaXZxQr56r8UKnW7gmSycdcJh2ueZMuEP1tAuuzdZYgmZ05x9ZT8FX9HIo03rwsi6UiJlgUTZCkiilZjxYyG+qVE+Gjk4H7dnXbQP1PC3k2WICA9R4TYb9SCdv8U/e5sxbuKAbJgEZ114liwHLasmLvQfKYSbxMlbEg==

Interestingly enough, Spartacus also embeds what appears to be a hardcoded and private RSA key:

xA4fTMirLDPi4rnQUX1GNvHC41PZUR/fDIbHnNBtpY0w2Qc4H2HPaBsKepU33RPXN5EnwGqQ5lhFaNnLGnwYjo7w6OCkU+q0dRev14ndx44k1QACTEz4JmP9VGSia6SwHPbD2TdGJsqSulPkK7YHPGlvLKk4IYF59fUfhSPiWleURYiD50Ll2YxkGxwqEYVSrkrr7DMnNRId502NbxrLWlAVk/XE2KLvi0g9B1q2Uu/PVrUgcxX+4wu9815Ia8dSgYBmftxky427OUoeCC4jFQWjEJlUNE8rvQZO5kllCvPDREvHd42nXIBlULvZ8aiv4b7NabWH1zcd2buYHHyGLQ==AQAB

Spartacus will delete Shadow Volume Copies by issuing the following command:

cmd.exe /c vssadmin.exe delete shadows /all /quiet

A unique mutex of "Test" will be created in order to not run the ransomware twice, and Spartacus will also continuously keep the ransomware screen or message from running in the foreground or on top, using the SetForegroundWindow function:

Figure 4 - Ransom will stay on top and annoy the user



Repeating, email addresses used are:

MastersRecovery@protonmail.com
MastersRecovery@cock.li

Decryption may be possible if the ransomware is left running, by extracting the key from memory.


Conclusion

Spartacus is again another ransomware family or variant popping up.

Figure 5 - Meme

Make sure to read the dedicated page on ransomware prevention to prevent Spartacus or any other  ransomware.



IOCs

Thursday, April 12, 2018

CryptoWire ransomware not dead


CryptoWire is an "open-source" ransomware based on the AutoIT scripting language, and has been around since 2016. For some background, read the following post on Bleeping Computer:
"Proof of Concept" CryptoWire Ransomware Spawns Lomix and UltraLocker Families

I already encountered a CryptoWire variant last year, when it was used to target users in Brazil:
Ransomware, fala sério!

In this blog post, we'll briefly analyse another, recent, CryptoWire sample.

Analysis

This CryptoWire variant has the following properties:


Figure 1 - Typical CryptoWire layout

The message reads:

The only way you can recover your files is to buy a decryption key
The payment method is: Bitcoins. The price is: $1000 = Bitcoins
When you are ready, send a message by email to wlojul@secmail.pro
We will send you our BTC wallet for the transfer
After confirmation we will send you the decryption key
Click on the 'Buy decryption key' button.

CryptoWire will encrypt files with the following extensions (282 total):

3fr, 7z, EPS, M3U, M4A, PEM, PSD, WPS, XLSX, abw, accdb, afsnit, ai, aif, arc, arw, as, asc, asd, asf, ashdisc, asm, asp, aspx, asx, aup, avi, bay, bbb, bdb, bibtex, bkf, bmp, bmp, bpn, btd, bz2, c, cdi, cdr, cer, cert, cfm, cgi, cpio, cpp, cr2, crt, crw, csr, cue, dbf, dcr, dds, dem, der, dmg, dng, doc, docm, docx, dsb, dwg, dxf, dxg, eddx, edoc, eml, emlx, eps, epub, erf, fdf, ffu, flv, gam, gcode, gho, gpx, gz, h, hbk, hdd, hds, himmel, hpp, ics, idml, iff, img, indd, ipd, iso, isz, iwa, j2k, jp2, jpeg, jpf, jpg, jpm, jpx, jsp, jspa, jspx, jst, kdc, key, keynote, kml, kmz, lic, lwp, lzma, m4v, max, mbox, md2, mdb, mdbackup, mddata, mdf, mdinfo, mds, mef, mid, mov, mp3, mp4, mpa, mpb, mpeg, mpg, mpj, mpp, mrw, msg, mso, nba, nbf, nbi, nbu, nbz, nco, nef, nes, note, nrg, nri, nrw, odb, odc, odm, odp, ods, odt, ogg, one, orf, ova, ovf, oxps, p12, p2i, p65, p7, p7b, p7c, pages, pct, pdd, pdf, pef, pem, pfx, php, php3, php4, php5, phps, phpx, phpxx, phtm, phtml, pl, plist, pmd, pmx, png, ppdf, pps, ppsm, ppsx, ppt, pptm, pptx, ps, psd, pspimage, pst, ptx, pub, pvm, qcn, qcow, qcow2, qt, r3d, ra, raf, rar, raw, rm, rtf, rtf, rw2, rwl, s, sbf, set, skb, slf, sme, smm, snp, spb, sql, sr2, srf, srt, srw, ssc, ssi, stg, stl, svg, swf, sxw, syncdb, tager, tc, tex, tga, thm, tif, tiff, til, toast, torrent, txt, vbk, vcard, vcd, vcf, vdi, vfs4, vhd, vhdx, vmdk, vob, vsdx, wav, wb2, wbk, wbverify, webm, wmb, wpb, wpd, wps, x3f, xdw, xlk, xlr, xls, xlsb, xlsm, xlsx, xz, yuv, zip, zipx

It will also encrypt files, regardless of extension, in certain folders such as Desktop.

Files are encrypted with AES, and prepends extension of encrypted files with ".encrypted.". For example: Tulips.encrypted.png.

CryptoWire will delete Shadow Volume Copies and disable BCDEdit by executing these commands:
vssadmin.exe Delete Shadows /All /Quietbcdedit /set {default} recoveryenabled Nobcdedit /set {default} bootstatuspolicy ignoreallfailures

It will additionally create a scheduled task for persistence.

You can decrypt files for this specific variant with the following Decryption Key:
VgjRPoOM0oa92_jId!/wkMeW6,guuSe



Conclusion

Some ransomware variants simply do not die, one example of these appears to be CryptoWire. If you have been hit by this particular strain, use the decryption key as instructed above, and your files will be decrypted.

Make sure to read the dedicated page on ransomware prevention to prevent CryptoWire or any other "open-source" ransomware to infect your machine, and encrypt your files.


IOCs

Tuesday, April 10, 2018

Maktub ransomware: possibly rebranded as Iron



In this post, we'll take a quick look at a possible new ransomware variant, which appears to be the latest version of Maktub ransomware, also known as Maktub Locker.

Hasherazade from Malwarebytes has, as per usual, written an excellent blog on Maktub Locker in the past, if you wish to learn more: Maktub Locker – Beautiful And Dangerous

Update - 2018-04-14: Read the conclusion at the end of this post to learn more about how Iron ransomware mimicked at least three different ransomware families.


Analysis

A file was discovered, named ado64 with the following properties:



Maktub typically sports a graphically appealing lock screen, as well as payment portal, and promotes "Maktub Locker" extensively. 


Interestingly enough, this variant has removed all references to Maktub. The figures below represent lock screen and payment portal, when stepping through.


Figure 1 - Lock screen/warning

Email address: recoverfile@mail2tor.com
Bitcoin address: 1cimKyzS64PRNEiG89iFU3qzckVuEQuUj
Ransomware note: !HELP_YOUR_FILES.HTML


Figure 2 - Payment portal

Figure 3 - Hello! (after entering the personal ID)
The text reads:

We’re very sorry that all of your personal files have been encrypted :( But there are good news – they aren’t gone, you still have the opportunity to restore them! Statistically, the lifespan of a hard-drive is anywhere from 3 to 5 years. If you don’t make copies of important information, you could lose everything! Just imagine! In order to receive the program that will decrypt all of your files, you will need to pay a certain amount. But let’s start with something else…


Figure 4 - "We are not lying"


Figure 5 - Ransomware cost


Figure 6 - Where to pay


Figure 7- Last but not least: how to buy Bitcoins


In previous versions of Maktub, you could decrypt 1 file for free, however, with the current rebranding, this option has disappeared. Since the ransomware has rebranded, we'll name it "Iron" or "Iron ransomware", due to the name of the decrypter, IronUnlocker.

 Iron encrypts a whopping total of 374 extensions, these are as follows:

.001, .1cd, .3fr, .8ba, .8bc, .8be, .8bf, .8bi8, .8bl, .8bs, .8bx, .8by, .8li, .DayZProfile, .abk, .ade, .adpb, .adr, .aip, .amxx, .ape, .api, .apk, .arch00, .aro, .arw, .asa, .ascx, .ashx, .asmx, .asp, .asr, .asset, .bar, .bay, .bc6, .bc7, .bi8, .bic, .big, .bin, .bkf, .bkp, .blob, .blp, .bml, .bp2, .bp3, .bpl, .bsa, .bsp, .cab, .cap, .cas, .ccd, .cch, .cer, .cfg, .cfr, .cgf, .chk, .class, .clr, .cms, .cod, .col, .con, .cpp, .cr2, .crt, .crw, .csi, .cso, .css, .csv, .ctt, .cty, .cwf, .d3dbsp, .dal, .dap, .das, .db0, .dbb, .dbf, .dbx, .dcp, .dcr, .dcu, .ddc, .ddcx, .dem, .der, .desc, .dev, .dex, .dic, .dif, .dii, .disk, .dmg, .dmp, .dob, .dox, .dpk, .dpl, .dpr, .dsk, .dsp, .dvd, .dxg, .elf, .epk, .eql, .erf, .esm, .f90, .fcd, .fla, .flp, .for, .forge, .fos, .fpk, .fpp, .fsh, .gam, .gdb, .gho, .grf, .h3m, .h4r, .hkdb, .hkx, .hplg, .htm, .html, .hvpl, .ibank, .icxs, .img, .indd, .ipa, .iso, .isu, .isz, .itdb, .itl, .itm, .iwd, .iwi, .jar, .jav, .java, .jpe, .kdc, .kmz, .layout, .lbf, .lbi, .lcd, .lcf, .ldb, .ldf, .lgp, .litemod, .lng, .lrf, .ltm, .ltx, .lvl, .m3u, .m4a, .map, .mbx, .mcd, .mcgame, .mcmeta, .md0, .md1, .md2, .md3, .mdb, .mdbackup, .mddata, .mdf, .mdl, .mdn, .mds, .mef, .menu, .mm6, .mm7, .mm8, .moz, .mpq, .mpqge, .mrwref, .mxp, .ncf, .nds, .nrg, .nri, .nrw, .ntl, .odb, .odf, .odp, .ods, .odt, .orf, .owl, .oxt, .p12, .p7b, .p7c, .pab, .pbp, .pef, .pem, .pfx, .pkb, .pkh, .pkpass, .plc, .pli, .pot, .potm, .potx, .ppf, .ppsm, .pptm, .prc, .prt, .psa, .pst, .ptx, .pwf, .pxp, .qbb, .qdf, .qel, .qic, .qpx, .qtr, .r3d, .raf, .re4, .res, .rgn, .rgss3a, .rim, .rofl, .rrt, .rsrc, .rsw, .rte, .rw2, .rwl, .sad, .sav, .sc2save, .scm, .scx, .sdb, .sdc, .sds, .sdt, .shw, .sid, .sidd, .sidn, .sie, .sis, .slm, .slt, .snp, .snx, .spr, .sql, .sr2, .srf, .srw, .std, .stt, .sud, .sum, .svg, .svr, .swd, .syncdb, .t01, .t03, .t05, .t12, .t13, .tar.gz, .tax, .tcx, .thmx, .tlz, .tor, .torrent, .tpu, .tpx, .ttarch2, .tur, .txd, .txf, .uax, .udf, .umx, .unity3d, .unr, .uop, .upk, .upoi, .url, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .vcd, .vdf, .ver, .vfs0, .vhd, .vmf, .vmt, .vpk, .vpp_pc, .vsi, .vtf, .w3g, .w3x, .wad, .war, .wb2, .wdgt, .wks, .wmdb, .wmo, .wotreplay, .wpd, .wpl, .wps, .wtd, .wtf, .x3f, .xla, .xlam, .xlc, .xlk, .xll, .xlm, .xlr, .xlsb, .xltx, .xlv, .xlwx, .xpi, .xpt, .yab, .yps, .z02, .z04, .zap, .zipx, .zoo, .ztmp

Iron doesn't spare gamers, as it will also encrypt Steam files (.vdf), World of Tanks replays (.wotreplay). DayZ (.DayZProfile), and possibly others.

Folders containing the following words are exempt from encryption:

Windows, windows, Microsoft, Mozilla Firefox, Opera, Internet Explorer, Temp, Local, LocalLow, $Recycle.bin, boot, i386, st_v2, intel, recycle, 360rec, 360sec, 360sand, internet explorer, msbuild

Interestingly enough, 360sec, 360rec, and 360sand is developed by Qihoo 360, an internet security company based in China, and is an antivirus (360 Total Security is one example).  This, as well as the fact that the Iron ransomware also includes resources in Chinese Simplified, alludes this variant may be developed by a Chinese speaker.

The ransomware will additionally delete the original files after encryption, and will also empty the recycle bin. It does not remove Shadow Volume Copies or Restore Points.

Iron embeds a public RSA key as follows:

-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAIOYf0KqEOGaxdLmMLypMyZ1q/K+r6DuCdYpwZfs0EPug3ye7UjZa0QMOP5/OySr
l/uBJtkmEghEtUEo/zfcBJ7332O1ytJ7/ebIUv+ZcN1Rlswzdv7uZxYRC8u1HvrgBvAz4Atb
zx+FbFVqLB0gGixYTqbjqANq21AR6r91+oJtAgMBAAE=
-----END RSA PUBLIC KEY-----

The Iron ransomware will determine the user's WAN IP and also send a POST request to its C2 server, http://y5mogzal2w25p6bn[.]ml.

Figure 8 - Traffic

It appears Iron will create a new, random GUID, and use it as a mutex, in order to not infect the machine twice. The following values will be sent to the C2:

  • Encryption key;
  • Randk (seed);
  • GUID (mutex);
  • Start (whether ransom successfully started);
  • Market (unknown).
The C2 server will then respond with another set of values, and generate a unique Bitcoin address, which means that victims may pay twice to different addresses. Rule of thumb: do not pay the ransomware.

Of note is an email address in the response: oldblackjack@outlook.com.

Iron will additionally save certain values, such as the GUID, in HKCU\Software\CryptoA:

Figure 9 - Registry values (click to enhance)

Encrypted files will have the .encry extension appended. It is likely not possible to restore data.


Conclusion

It is currently unknown if Iron is indeed a new variant by the same creators of Maktub, or if it was simply inspired by the latter, by copying the design for the payment portal for example.

We know the Iron ransomware has mimicked at least three ransomware families:
  • Maktub (payment portal design)
  • DMA Locker (Iron Unlocker, decryption tool)
  • Satan (exclusion list)
From the screenshots above, it is obvious the portal design has been copy pasted from Maktub.

As for copying from DMA Locker, see this tweet:

And, last but not least, it uses the exact same exclusion list (folders and its content that will not be encrypted) from Satan:

Code is indeed quite unique, and Iron seems like a totally new ransomware, and may even be a "side project" by the creators of the Satan ransomware. However, at this point, there is no sure way of telling who's behind Iron. Time may be able to tell.

Decryption is impossible without the author's private key, however, it is possible to restore files using Shadow Volume Copies, or alternatively Shadow Explorer. If that doesn't work, you may try using a data recovery program such as PhotoRec or Recuva.

Take note of ID ransomware, if a decryptor should ever become available. Additionally, it may identify other families of ransomware if you are ever affected. Another service to take note of in this regard is NoMoreRansom.

For preventing ransomware, have a look here:

In short: create backups!

Questions, comments, feedback or help: leave a comment below or contact me on Twitter.


Indicators:



Sunday, February 25, 2018

Fake Steam Desktop Authenticator steals account details


In this blog post, we'll have a quick look at fake versions of Steam Desktop Authenticator (SDA), which is a "desktop implementation of Steam's mobile authenticator app".

Lava from SteamRep brought me to the attention of a fake version of SDA floating around, which may be attempting to steal your Steam credentials.

Indeed, there are some fake versions - we'll discuss two of them briefly.


Fake version #1

The first fake version can be found on steamdesktopauthenticator[.]com. Note that the site is live, and appears at the top of Google Search when searching for "Steam Desktop Authenticator".

Figure 1 - Fake SDA website













When downloading the ZIP file from the website, and unzipping it, we notice the exact same structure as you would when fetching the legitimate package - with one difference: the main executable has been modified.

File details:
Name: Steam Desktop Authenticator.exe
MD5 hash: 872abdc5cf5063098c87d30a8fcd8414
File size: 1,4446 KB
Version: v1.0.9.1

Note that the current and real SDA version is 1.0.8.1, and its original file size is 1,444 KB - 2 bytes of difference can mean a lot. Figures 2 and 3 below show the differences.



Figure 2 - Sending credentials to steamdesktopauthenticator[.]com

















Figure 3 - Sending credentials to steamdesktop[.]com






















Indeed, it appears it also attempts to upload to another website - while digging a bit further, we can also observe an email address associated with the domains: mark.korolev.1990@bk[.]ru

While I was unable to immediately find a malicious fork with any of these domains, Mark has likely forked the original repository, made the changes - then deleted the fork. Another possibility is that the source was downloaded, and simply modified. However, it is more than likely the former option.



Fake version #2

This fake version was discovered while attempting to locate Mark's fork from the fake version above - here, we have indeed a malicious fork from GitHub, where trades/market actions appear to be intercepted, as shown in Figure 4 below.

Figure 4 - Malicious SDA fork (click to enhance)











Currently, when trying to access the malicious site lightalex[.]ru with a bogus token, a simple "OK" is returned - it is currently unknown whether market modifications would be successful.

Interestingly enough, when digging deeper on this particular domain, which is currently hosted on 91.227.16[.]31, it had hosted other SteamStealer malware before, for example cs-strike[.]ru and csgo-knives[.]net.

The malicious fork has been reported to GitHub.



Disinfection

Neither fake SDA versions reported here appear to implement any persistence, in other words; remove the fake version by deleting it, and perform a scan with your current antivirus and a scan with another, online antivirus, or with Malwarebytes for example.

Additionally, de-authorize all other devices by clicking here and select "Deauthorize all other devices".

Now, change your password for Steam, and enable Steam Guard if you have not yet done so.



Prevention

Prevention advise is the usual, extended advise is provided in a previous blog post here.

You may also want to take a look at SteamRep's Safe Trading Practices here.

Always download any software from the original source - this means the vendor's website, or in this case, the official SDA repository on GitHub:
https://github.com/Jessecar96/SteamDesktopAuthenticator



Conclusion

SteamStealer malware is alive and well, as seen from my January blog post. This is again another form of attempting to scam users, and variations will continue to emerge.

Follow the prevention tips above or here to stay safe.


Indicators


Thursday, February 8, 2018

Malware Analysis, Threat Intelligence and Reverse Engineering: workshop slides


Last month, when I was in-between jobs, I gave a workshop for a group of 20-25 enthusiastic women, all either starting in infosec, or with an interest to start in this field.

The event, now obviously expired, can be found here:
CWF Women in Cyber Event #1: Malware Fundamentals

For that purpose, I had created a full workshop: slides or a presentation introducing the concepts of Malware Analysis, Threat Intelligence and Reverse Engineering.

The idea was to convey these topics in a clear and approachable manner, both theory and in practice; for the latter, I had set up a custom VM, with Labs, including my own created applications, some with simple obfuscation.

All participants were very enthusiastic, and I hope to have sparkled most, if not some of them to pursue a career in this field. For this exact same reason, I am now releasing the presentation to the public - the VM and recordings however will not be published, as I created these solely for CWF.

You may however download the LAB material from Github below:
https://github.com/bartblaze/MaTiRe

Without any further ado, you may find the slides below, on either SlideShare or SpeakerDeck:

SlideShare




SpeakerDeck




Any feedback is always appreciated.

I would also like to thank Nathalie for putting me in touch with Rosanna, the organiser of the CyberWayFinder program. And of course, my gratitude to all the attendees for making it so early on that Saturday-morning in Brussels, Belgium.:)

Mind the disclaimer. License: CC Attribution-NonCommercial-NoDerivs License