Cryptolockers are no big news these days: they are very common and are discussed on security blogs, at conferences and by law enforcement. Still, we were able to catch a new family that is currently not very common in the "scene", which is why I am writing this blog post on a very special cryptolocker that I have observed and analyzed during the last few days.
In short, this piece of malware is not written in C, nor is it a PowerShell script or VBS. It was crafted very simply and tightly as a collection of open-source and Windows built-in console tools, combined in a wickedly nasty way in a more or less simple command-line batch script. So what your malware scanner sees is a bunch of well-known command-line applications and simple (but obfuscated) batch scripts, which in general are not very suspicious if you only have a quick look at them.
The cryptolocker itself was served as a single exe file that turned out to be a SFX (self-extracting executable) WinRAR archive. We caught the file claiming to be some Hollywood blockbuster movie streaming file with the extension ".Streaming.mpg.exe". The SFX was compiled with the latest version of WinRAR (US version) and used a custom, well-designed icon file, I assume to arouse curiosity. The SFX silently extracts the archive into the %temp% folder and starts a batch script afterwards. The stage 1 batch script starts a primitive .vbs file that runs another batch script in a hidden cmd.exe console. I assume that these steps are performed just to avoid being discovered by the ordinary user. The script also pauses several times and performs some bogus operations in the hidden cmd.exe shell to trick heuristic scanners and to fool analysis environments that do not spend too much time on a given sample. It also calls Sysinternals' sdelete to clean up the free space of the user's folders, just to spend some more time doing nothing suspicious at the beginning. The tool sdelete will become a "key feature" later, so keep it in mind.
At the end you are prompted with a fake error message claiming that a required "streaming codec" is missing. Thus, no FREE "Hollywood Blockbuster" streamed. Well, as I often recommend to friends and customers: keep your ass away from these sharing sites. License music, pay for watching movies, and buy original software. Anyway, let's move on.
If you see this message it is almost too late. The stage 2 batch script has already called openssl to generate a 2048-bit RSA X.509 certificate. The certificate's subject is interesting:
After generating the certificate, the batch script opens up TOR and submits the private key to a hidden service in the TOR network (the .onion addresses are hard-coded into the batch file), using wget to POST the data as a base64 data stream. Again, the encoding is done entirely using openssl. Establishing a connection to the TOR network usually takes some time, so this seems to be a clever way to shake off heuristic and analysis tools that will not wait that long. By the way, the user-agent specified for wget can be used to easily identify this kind of threat because of its odd Google Chrome version (42.0.1337.007):
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.1337.007 Safari/537.36
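As an added example (not part of the original post), here is a small Python log check that flags the bogus user-agent described above in constructed proxy log lines; it also generalizes to any Chrome version token with a zero-padded component such as "007", which a genuine browser never sends. The log format and the sample lines are assumptions.

```python
import re

# Constructed proxy log lines (not from the original post): timestamp,
# client IP, method, URL and the client's user-agent in double quotes.
SAMPLE_LOG = """\
2015-06-01T10:02:11Z 10.0.0.12 GET http://example.com/index.html "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36"
2015-06-01T10:03:45Z 10.0.0.12 POST http://abcdefghijklmnop.onion/ "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.1337.007 Safari/537.36"
2015-06-01T10:04:02Z 10.0.0.7 GET http://example.org/ "Wget/1.16"
"""

# The exact version token reported in the post.
KNOWN_BAD_UA_TOKEN = "Chrome/42.0.1337.007"

# Genuine Chrome builds send MAJOR.MINOR.BUILD.PATCH as plain integers.
CHROME_VERSION = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")
UA_FIELD = re.compile(r'"([^"]*)"\s*$')


def chrome_version_is_implausible(ua: str) -> bool:
    """True if a Chrome version token looks hand-typed rather than real.

    Heuristic: a numeric component with a leading zero ("007") is never
    produced by the browser itself, so such a token is a strong indicator.
    """
    m = CHROME_VERSION.search(ua)
    if not m:
        return False
    return any(len(part) > 1 and part.startswith("0") for part in m.groups())


def scan_log(text: str) -> list:
    """Return (line_number, reason) for every log line that matches."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        m = UA_FIELD.search(line)
        ua = m.group(1) if m else ""
        if KNOWN_BAD_UA_TOKEN in ua:
            hits.append((number, "known bogus user-agent"))
        elif chrome_version_is_implausible(ua):
            hits.append((number, "implausible Chrome version"))
    return hits


if __name__ == "__main__":
    for number, reason in scan_log(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```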
If the hidden service has received the private key it returns a strange reply message, "lockMeDownScotty", telling the batch script to continue and to encrypt all personal files (amongst others .jpg, .doc, .xls, .pdf, .txt, .mp3, .raw, ...) on the user's hard disk, especially in the user's profile folders. Encrypted files get the very fitting extension .cryptoLocked. Well, together with "lockMeDownScotty", the user-agent and the X.509 certificate, it seems that these guys should also think about a career as clowns.
To encrypt the files, the cryptolocker simply uses openssl and then securely deletes the original unencrypted files using Sysinternals' sdelete. The secret key and the other temporary files created by the cryptolocker are all securely deleted using sdelete as well, so there is little chance to recover any of them afterwards. I tried on my forensics machines but never got a hit. The malware also tries to delete system backups and well-known backup files (e.g. .bak, .old, .img, etc.). If you are not running your system with admin rights all the time, there is a good chance that the attempt to delete the system backups will fail and you are able to recover.
The cryptolocker also tries to gain persistence in the registry (using reg.exe) to ensure it is executed every time the user boots up and logs in (the typical HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ key). Although everything is done in a pure batch file, the malware is clever enough to generate only a single 2048-bit key per user. It also contains a loop that tries to encrypt newly written files once every 30 minutes. After each round of encryption, the user is prompted with a typical ransom message, provided in the form of a simple jpg file (see screenshot above) opened with the default image viewer and a text (.txt) file opened with Notepad. Nothing special here; it is presented in the same fashion we all know from other ransom- and cryptolockers. What you see are the well-known instructions on what to do and how much to pay. One remarkable thing is that if you pay using bitcoins you only have to pay 0.5 bitcoins, whereas if you decide to pay "cash" using gift cards, it is considerably more: $500.
It is also very interesting that the crooks use TOR to its full extent. Not only do they upload the private key using TOR, they also only provide a link to an .onion address to get in touch with them. Most ransomware I have seen so far at least provides an ordinary web link that can be accessed without using TOR and that is hosted by one of the well-known bullet-proof hosters or on a #pwned server or site.
It seems that their hidden service is not available all the time; I have tried it several times and it was online only a few hours a day. I suppose that it is operated from a private online connection or that it moves from one infected machine to another. Currently we are also not sure whether this was, and is, some kind of test balloon and the crooks are preparing a larger attack. The hash of the initial executable is unknown to recent online malware analysis systems. We will keep on track and follow up if there is any news.
Instead of WinRAR, I assume that other packers can be and are used, so you should watch out for packed executables containing at least these files:
along with some additional .cmd/.bat files and two or three tiny (2-4 lines of code) .vbs scripts. Since the SFX's hash value can be changed easily, it does not make sense to provide it here. We also assume that the scripts may change, so what you should look for is the combination of the listed executables above and some scripts in the same package.
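As an added example (not from the original post), the following Python heuristic inspects an archive's member list for the bundle this post describes: the openssl, wget, sdelete and tor binaries together with batch and .vbs scripts, plus the double-extension lure name of the SFX itself. The binary file names, the lure extensions and the sample listing are assumptions, since the post's own file list is not reproduced here.

```python
import os
from typing import Iterable

# Binaries the post reports being bundled: openssl, wget, sdelete and tor.
# The exact file names are assumed; the post's own file list is not shown.
TOOL_BINARIES = {"openssl.exe", "wget.exe", "sdelete.exe", "tor.exe"}
SCRIPT_EXTS = {".bat", ".cmd"}
# Media/document types a lure name pretends to be before the real ".exe".
LURE_EXTS = {".mpg", ".avi", ".mp4", ".mkv", ".pdf", ".doc", ".jpg"}

# Constructed sample: the SFX's outer file name and its member listing
# (as an archiver's "list" command would show them).
SAMPLE_SFX_NAME = "Blockbuster.Streaming.mpg.exe"
SAMPLE_MEMBERS = [
    "openssl.exe", "wget.exe", "sdelete.exe", "tor.exe",
    "stage1.bat", "sub\\stage2.cmd", "hide.vbs", "note.txt", "ransom.jpg",
]


def looks_like_double_extension_lure(filename: str) -> bool:
    """True for names such as Movie.Streaming.mpg.exe."""
    root, ext = os.path.splitext(filename.lower())
    if ext != ".exe":
        return False
    return os.path.splitext(root)[1] in LURE_EXTS


def score_archive(sfx_name: str, members: Iterable[str]) -> dict:
    """Summarize indicators found in an SFX and its member list.

    The combination the post warns about (several of the tool binaries
    plus at least one batch script and one .vbs script) sets "suspicious".
    """
    names = [os.path.basename(m.replace("\\", "/")).lower() for m in members]
    tools = sorted(TOOL_BINARIES.intersection(names))
    scripts = sorted(n for n in names if os.path.splitext(n)[1] in SCRIPT_EXTS)
    vbs = sorted(n for n in names if n.endswith(".vbs"))
    return {
        "tools": tools, "scripts": scripts, "vbs": vbs,
        "lure_name": looks_like_double_extension_lure(sfx_name),
        "suspicious": bool(len(tools) >= 3 and scripts and vbs),
    }


if __name__ == "__main__":
    print(score_archive(SAMPLE_SFX_NAME, SAMPLE_MEMBERS))
```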
Since you have to start an initial executable, we think the most obvious action to avoid this threat is: do not start unknown executables, and avoid getting tricked by e-mail attachments claiming to be an invoice PDF, tracking code, legal warning, etc. Again, do not try to get for free things that normally cost money. From the Exploitbutser framework we have observed that most executables submitted are serial number generators, cracking tools, and alleged full versions of commercial software. So do not wonder if you get hit when you download and execute the aforementioned illegal stuff.
Personally I think that this is not the end of the story, and that we will see more malware in the same fashion coming up soon. Using command-line tools in combination with simple scripting is not new, but in this special case it is somehow a clever idea to get evil things done without implementing stuff from scratch. I think that less skilled "would-be" hackers seem to be able to build quite potent malware without in-depth knowledge and coding skills. Securing communication by using (hidden) servers in the TOR network and using openssl as a strong crypto library, for example, suggests that some of them are going this way. Even if such crooks do not understand what they do, building their malware upon such tools and libraries makes this scrap more resistant and secure, unfortunately.