Tag Archives: analysis

Weather Forecast for Today? Advert Flood Coming from East

Despite blocking efforts, online advertising is a daily part of our lives. Most of us get used to the large volume of adverts displayed daily, but authors of malicious code are trying to push the limits much further nowadays via advert-injection techniques used in malware threats.

Spreading

In this post, we present a case study of one such malware that we detected via our AVG Identity Protection (IDP) component. Based on our telemetry, this infection is highly active and it is reaching its maximal peak. The most affected countries are the United States and Germany, followed by Saudi Arabia and the United Arab Emirates.

Countries most affected by spreading of this adverts-injection campaign (Jun-Sep 2015).

Behaviour of This Threat

The user infection starts while installing an application proclaimed by its authors as a “Weather Forecast Application”. However, once installed, this application silently downloads and installs other components that are purely malicious – this threat tries to infect all installed browsers and inject additional adverts in browser pages. It also periodically loads sets of adverts in the background without user notification. As a side-effect, it sacrifices security and performance of the infected systems for the purpose of making money via ad providers.

Injecting adverts in visited pages.

Flood of pop-up windows.

Detailed Analysis

Details about this threat are described in the following technical analysis.

You can also download the report now.

Stay Safe

AVG customers are protected against this threat via our multi-level protection in AVG Internet Security. If you’re not protected, you might want to check your systems using the indicators of compromise (IOC) listed in the aforementioned technical analysis.

Banking Trojan Vawtrak: Harvesting Passwords Worldwide

Over the last few months, AVG has tracked the rapid spread of a banking Trojan known as Vawtrak (aka Neverquest or Snifula).

Once it has infected a system, Vawtrak gains access to bank accounts visited by the victim. Furthermore, Vawtrak uses the infamous Pony module for stealing a wide range of login credentials.

While Vawtrak Trojans are not new, this particular sample is of great interest.

 

How and where is it spreading?

The Vawtrak Trojkan spreads in three main ways:

  • Drive-by download – in the form of spam email attachments or links to compromised sites
  • Malware downloader – such as Zemot or Chaintor
  • Exploit kit – such as Angler

Based on our statistics, the Czech Republic, USA, UK, and Germany are the most affected countries by the Vawtrak campaigns this year.

Countries most affected by the spreading of Vawtrak in Q1 2015.

 

What are the features of this Vawtrak?

This Vawtrak sample is remarkable for the high number of functions that it can execute on a victim’s machine. These include:

  • Theft of multiple types of passwords used by user online or stored on a local machine;
  • Injection of custom code in a user-displayed web pages (this is mostly related to online banking);
  • Surveillance of the user (key logging, taking screenshots, capturing video);
  • Creating a remote access to a user’s machine (VNC, SOCKS);
  • Automatic updating.

Of particular interest from a security standpoint is that by using Tor2web proxy, it can access update servers that are hosted on the Tor hidden web services without installing specialist software such as Torbrowser.

Moreover, the communication with the remote server is done over SSL, which adds further encryption.

This Vawtrak sample also uses steganography to hide update files inside of favicons so that downloading them does not seem suspicious. Each favicon is only few kilobytes in size, but it is enough to carry a digitally signed update file hidden inside.

 

Detailed analysis

Our complete analysis of this malware is too long to publish in full on this blog so we have prepared a detailed white paper that describes this infection, its internals and functions in detail.

 

You can also download the report here

 

Stay Safe

While this Vawtrak Trojan is very flexible in functionality, it’s coding is mostly basic and can be defended against. At AVG, we protect our users from Vawtrak in several ways:

  • AVG LinkScanner and Online Shield provide real-time scanning of clicked links and web pages containing malicious code.
  • AVG Antivirus for generic detection of malicious files and regular scans.
  • AVG Identity Protection, that uses a behavioral-based detection, will detect even the latest versions of such infections.
  • AVG Firewall prevents any unsolicited network traffic, such as communication with a C&C server.

South Korea hit with banking malware using VPN connection

South Korean banks have been attacked by hackers again!

This is not the first time we reported malware which targets Korean banking customers. In the past, we wrote about Chinese threats against Korean Windows users and last year we published a series of blogposts, Fake Korean bank applications for Android (part 1, part 2, part 3), about malware targeting mobile platforms.

The Korean banking malware is based on the same principle previously used. The customer executes the infected binary, which modifies Windows hosts file. This file contains a list of domains with assigned IP addresses.  Malware, however, may modify this file. When a customer wants to visit his online bank website, he is redirected to the IP address specified in the hosts file, not to the original bank website!

XP Debugging2

The piece of malware we will discuss in this blog post performs the above mentioned modification of system settings. However, when we looked into the modified hosts file, we noticed something unusual.

hosts

As you can see in the figure above (shortened screenshot of hosts file), the malware redirects many websites of South Korean banks to the IP address 10.0.0.7. If you try to enter this address into your web browser, you probably won’t get any response, because this is the private IP address. The other websites which belong to South Korean search engines, like Naver, are redirected to the publicly accessible IP address. When visiting any of these search engines on the infected machine, the following banner is displayed on the top of the regular website.

popThe image says:

Do you have a security software or program in your PC or Do you have a security card? Due to hacking incidents and potential of compromising users’ information if you want to use internet banking you need to do identification procedure.

We found one very interesting technical detail about the malware behavior – it uses a VPN connection! When a user clicks on one of the bank’s logos below, he is connected to a VPN and the fake banking website is displayed. At first, the malware connects to the C&C server and obtains configuration by GET request on 69.30.240.106/index.txt. The C&C answer includes a link to an executable modifying the hosts file and VPN server IP address.

900
test.exe
vpn=204.12.226.98

The executable is responsible for properly rewriting %windows%system32driversetchost file, which is queried for address translation before querying DNS on Windows machines. For example, if you want to go to www.naver.com the system first accesses the host file, and if there is a match it uses the specified IP address (104.203.169.221) for that site which differs from the original DNS records – 202.131.30.12 for our geographical location.

The malware targets Korean bank customers who access the following bank websites:

www.nonghyup.com, nonghyup.com, banking.nonghyup.com, www.nonghyup.co.kr, nonghyup.co.kr, banking.nonghyup.co.kr, www.shinhan.com, shinhan.com, www.shinhanbank.com, shinhanbank.com, www.shinhanbank.co.kr, shinhanbank.co.kr, banking.shinhanbank.com, banking.shinhan.com, banking.shinhanbank.co.kr, www.hanabank.com, hanabank.com, www.hanabank.co.kr, hanabank.co.kr, www.wooribank.com, wooribank.com, www.wooribank.kr, wooribank.kr, www.wooribank.co.kr, wooribank.co.kr, www.kbstar.com, kbstar.com, www.kbstar.co.kr, kbstar.co.kr, www.keb.co.kr, keb.co.kr, ebank.keb.co.kr, online.keb.co.kr, www.ibk.co.kr, ibk.co.kr, www.ibk.kr, ibk.kr, mybank.ibk.co.kr, banking.ibk.co.kr, www.kfcc.co.kr, kfcc.co.kr, www.kfcc.com, kfcc.com, www.epostbank.co.kr, epostbank.co.kr, www.epost.kr, epost.kr, www.epostbank.kr, epostbank.kr

The bank domain names are translated into a private network address range (10.0.0.7) and the search engines are translated to webserver running IIS. Webserver runs a Chinese version of IIS, as shown from the error message displayed when supplying incorrect header information.

iis
The malware, however, is not connected to the VPN all the time. The malware searches for the active Internet Explorer windows and if found, depending on Internet Explorer version, it locates browser’s address bar and extracts the currently entered url address. If URL belonging to any of the banks is found, VPN connection is established.

At first, malware drops a file %USERPROFILE%profiles.pbk, which includes the basic configuration. The credentials for VPN (name and password) are hard coded in the binary. The connection is made with help of Windows RAS API interface.

rasdial

If we want to verify the VPN connection in Windows, we can simply locate the dropped PBK file and double click on it. In properties, we will choose “Prompt for name and passwords, certificate, etc.” We enter the username and password, which we previously extracted from the malicious binary. After pressing the “Connect” button, we are connected to the VPN, and if hosts file is properly modified, we can access the fake bank websites. After pressing “Hang Up”, we can disconnect from VPN.

pbk01

pbk02

pbk03

pbk04

 

After a successful connection, “ipconfig /all” command lists PPP connection to VPN, with the current machine’s assigned private IP address. At this moment, the infected machine is connected into the private network and it can access contents hosted on 10.0.0.7.

vpn

Example of visiting bank’s website on a compromised computer

When a customer visits nate, daum or naver on an infected machine, he is presented with the following banner.
XP Debugging1

After clicking on the logo of a bank, the customer is presented with the following modified website (the example below was taken for epostbank.kr, however this attack works the same way for the other banks). If the customer clicks on any link on the fake bank website, he is presented with an error message. The message says that the additional security measures are available. After clicking OK, the fake verification process starts.
epostbank_errormsg
The customer is asked to fill in some personal details.
epostbank01
Then he is asked for a phone number and numbers in his security card.
epostbank02
Lastly, he is presented with a link to download a malicious Android application. At the writing of this blog post, the link to the malicious Android app is not working anymore.
epostbank03

SHAs:

Original dropper

1C22460BAFDDBFDC5521DC1838E2B0719E34F258C2860282CD48DF1FBAF76E79

Dropped DLL, C&C communication

FDF4CAA13129BCEF76B9E18D713C3829CF3E76F14FAE019C2C91810A84E2D878

Hosts file modifier

1D1AE6340D9FAB3A93864B1A74D9980A8287423AAAE47D086CA002EA0DFA4FD4

 

Acknowledgements:

This analysis was jointly accomplished by Jaromir Horejsi, David Fiser and Honza Zika.

German phishing scam spreading globally

In recent weeks, we detected another wave of phishing emails, written in German, pretending to be a billing invoice sent from various well-known companies such as Vodafone. Instead of a real invoice, they contain a link to an archive with a malicious code that can infect users’ PCs. The original wave of this malware campaign was already observed earlier this year primarily targeting Germany. This time, it is spreading worldwide. However, they are still in German, which helps identify them as a scam.

In this post, we give a brief technical description of this threat and provide several tips how to not get caught by similar phishing threats.

 

Phishing Emails

We have found several different versions of these emails that claim to be sent from Vodafone, Telekom Deutschland GmbH, Volksbank, and other companies with a faked sender name (e.g. [email protected]) including the official logos. As we can see in Vodafone’s official statement, these companies are aware of this scam and have already warned their customers. Each version of such email is slightly different and contains the current date, a random customer number and payment amount.

Phishing email - Vodafone

If we look more carefully at the sender’s email address, we can see that the true author did not bother with faking the sender’s email address. This should immediately alert the recipient as an email from German Vodafone would hardly be sent from an unrelated Romanian domain.

In the latest scam, the emails do not contain any attachment, which is different to the other recent phishing campaigns. The proclaimed bill (a PDF file) is available online via a given link (also unique for each version) that actually leads to a ZIP archive stored on one of the hacked sites. These archives contain an exploited/unsecured WordPress instance and they serve as a mule for the distribution of malware to users.

Once again, a user targeted by such an attack should be alerted via a simple inspection of the target location of the link by hovering the cursor over it (but remember to not click on the link). This feature is supported by most browsers and email clients. As we can see from the following figure, the target domain of the link is also very suspicious:

beachmountainXXX.net/AYowCJbK

.

Link to a hacked domain

Malicious Content

The downloaded file (e.g.

2014_11rechnung_K4768955881.zip

) is a ZIP archive containing an executable file. The user is fooled by the application’s icon (similar to Adobe Reader) to think that it is a PDF file, which is yet another well-known trick used by malware authors.

Icon of the executable file

If you are not sure about the real file type, you can see the file properties.

For the following analysis of the malicious content, we use a sample with the MD5 checksum

b0a152fe885a13a6ffb0057f6f21912f

. It is an executable file downloaded from one of these links, likely originally written in C++ by using MFC.

First Stage

The (unwanted) execution of this file starts the first phase of the malicious behavior.

The file itself is 160 kB large, but most of its size is stored within the resource file masked as the following GIF image (109 kB).

The author of this sample used steganography because 99% bytes of the image content represents an encrypted code. This code is decrypted first and the control is passed to this decrypted code.

Furthermore, WinAPI functions are called indirectly (via functions

LoadModule()

and

GetProcAddress()

) and names of these functions are obfuscated and decoded during run-time on the application’s stack in order to make analysis more difficult.

Afterwards, it creates a new process with the same name and fills its sections with the decrypted code from the GIF image (via the

WriteProcessMemory()

function).

This new process copies the original file into 

C:Users%USERNAME%AppDataRoamingIdentitiesqwrhwyyy.exe

(as a read-only system file), registers itself to be run at system startup (registry key

HKCUSoftwareMicrosoftWindowsCurrentVersionRun

), and deletes the original file by using a generated batch file.

Once the file is executed from this new location, it behaves differently:

It checks whether it is analyzed or virtualized via the following techniques.

  • Detection of a loaded Sandboxie module 
    SbieDll.dll

    and detection of running processes 

    VboxService.exe

    (VirtualBox) and

    vmtoolsd.exe

    (VMware).

  • It also uses the
    GetTickCount()

    function to detect whether it has really started during the startup and also to detect debuggers.

  • If any of these is detected, the executable file stops its malicious activity.

Afterwards, it extracts and decrypts another executable file on stack from the aforementioned GIF image and injects it into other processes, such as

explorer.exe

,

firefox.exe

. This starts the second stage of infection. Note: some versions of this malware try also to check a working Internet connection via a DnsQuery of www.microsoft.com before starting the second stage.

Second Stage

This extracted file is relatively small (52 kB) because it is packed by the UPX packer (version 3.08).

After its run-time unpacking, it uses the same anti-debugging tricks as the previous sample.

The main body of this file can be described by the following decompiled code:

CreateMutexA(0, 1, mutexName); // "qazwsxedc"
Sleep(1800000);                // wait for 30 minutes
WSAStartup(0x202, &WSAData);   // initiate Winsock
seconds = getLocalTimeInSeconds(0);
if (GetTickCount() < 1920000 /* 32 minutes after startup */ &&
	GetTickCount() > 1000) {
	while (1) {
		malicious();           // the main functionality
		gStateInactive = 1;
		Sleep(300000);         // wait for 5 minutes
	}
}

  • For synchronization between the first and second stage, the mutex 
    qazwsxedc

    is used (e.g. another variation of classical

    qwert

    or

    asdfg

    names).

  • Afterwards, the malware waits for 30 minutes to remain stealthy. After that, it also checks whether no more than 32 minutes have passed since the system startup (i.e. whether it was started during the first two minutes after startup).
  • In its main loop, it follows the malicious behavior described in the remaining paragraphs (function
    malicious()

    ). After each iteration, it makes a 5 minutes break before the next action.

In this function, the string

DC85CCC4C4CCC7CED385C6CE919F9F98

is decrypted at first by using the fixed XOR key

0xAB

. The resulting string

w.googlex.me:443

represents a remote address of the command-and-control (C&C) host and its port. The second one is

m.googlex.me:53

. At first, the sample tries to check connection with these servers by using the Winsock functions. The other samples contain different lists of C&C servers:

ahokcjidanptacyu.eu
gctrbwqyxxyamcnn.eu
ggcrguelfhvtuxdb.eu
gkkelsrkypraqhto.eu
gunvpvqhnwxxgjsn.eu
gvlmoefoqapvrvec.eu
mcfpeqbotiwxfxqu.eu
...

Afterwards, it obtains information about the local computer, such as:

  • computer name;
  • version of operating system;
  • processor information and number of cores;
  • memory information.
English (United States) // local settings
TEST-PC                 // PC name
Windows 7 Professional  // Windows version
4096 MB                 // memory      
Intel(R) Xeon(R) CPU E5-1620 v2 @ 3.70GHz | CORE 8 // CPU
2014-10                 // malware version

Afterwards, this information is encrypted and send as a registration to a C&C server from the aforementioned list. The reply from the server is encrypted by the same algorithm. The very first byte of the reply message specifies an action (i.e. a control code) to be performed. To date, we have identified the following codes:

  • 18, 19, and 20 – open a specified page in Internet Explorer (with minor differences).
  • 16 and 17 – download and execute a file specified within the message. The file is downloaded via the
    URLDownloadToFile()

    function, stored with a random name, e.g.

    %TMP%mibww.exe

    and executed via the 

    WinExec()

    function.

  • 6 – terminate the process (itself).
  • 5 – inactivate itself for a specified time.
  • 2, 3, and 4 – these codes imply different types of online communication with other systems (e.g. for downloading other malware modules, communication with other infected systems, attacking specified targets). The communication is executed via a server-specified number of threads running the following built-in functions. Arguments to these functions are also sent within the messages from a C&C server. All of these functions are based on Winsock functions.
    • Sending a message to a given IP address (or host name) and port.
    • Communication with a remote server on ports 21 and 22.
    • Sending multiple types of HTTP GET requests to specified servers.
GET %FILE% HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent:Mozilla/4.0 (compatible; MSIE %VERSION%.0; Windows NT %VERSION%.1; SV1)
Host: %HOST%:%PORT%
Connection: Keep-Alive

GET %FILE% HTTP/1.1
Content-Type: text/html
Host: %HOST%
Accept: text/html, */*
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%VERSION%.0

GET %FILE% HTTP/1.1
Referer: http://%ADDR%:80/http://%ADDR%
Host: %HOST%
Connection: Close
Cache-Control : no-cache

GET %FILE% HTTP/1.1
Content-Type: text/html
Host: %HOST%
Accept: text/html, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)

Those actions are constantly executed until the process is terminated by the C&C server (unlikely) or by user (e.g. system shutdown). However, this process is started once again during the system startup.

As we can see, it is up to the attacker to download and execute other malicious modules, such as password stealers, bankers, or to include the infected PC into a botnet.

Conclusion

Although, the analyzed phishing emails are far from perfect (download links and sender addresses are suspicious, the text of email is only available in German, etc.), it is still possible to fool a user into executing the malicious file. This file is powerful enough to infect the user’s machine and turn it into an unsafe place.

Here are some basic tips, that we’ve previously shared about how to detect a phishing email:

  • Check the spelling and grammar – it is unlikely that your bank or service provider will send you an email with such mistakes.
  • Sender’s name and email address can be spoofed, do not rely on them.
  • Look at the target address of the link – different domains than the official ones are highly suspicious.
  • Do not panic and do not do any action in haste. The attacker often tries to threaten you and make a time pressure on you.
  • Do not open suspicious attachments or links. If you really need to open a file, check its file type before double-clicking it. The file name and icon can be easily crafted to look like a picture or document.
  • If you are not sure about the email’s origin, try to contact that company directly (e.g. call official customer care), but do not respond to such email and never ever send your credentials in this way.
  • And as always: use AVG to stay protected.

Is backing up your data the same as exposing it? In this case – Yes!

Losing contacts from your mobile phone is highly inconvenient. There’s seems to be a solution –  You can find them online! The catch? Your contacts are in a publicly accessible place.

1playstore photo

Seriously.

If you care for your privacy you should always be suspicious about “Cloud Backup” solutions you find in the Google Play Store. The solution that is being analyzed here backs up your personal contacts online. In public.

Upon starting the application, you will find a screen where you can put your mobile number and a password of your choice. Then you can upload your contacts in the cloud.

 2app

A brief analysis inside this application shows us how exactly it backs up your contacts in the cloud. The contacts are associated with the phone number that you have given in the previous step and they are sent through HTTP POST requests in a PHP page.

3savedatacloud

Further analysis through IP traffic capturing with Fiddler helped usdiscover the results in the pictures above; a page located online, for anyone to see, that contains thousands of un-encrypted entries of phone numbers and passwords. Using the info in the app you can retrieve personal private data (contacts) from another user.

4fiddlerinfo 5datafromserver

We found log in data inside those entries from countries like Greece, Brazil, and others

The Play Store page says that this app has been installed 50.000-100.000 times. This is a big number of installations for an application that doesn’t deliver the basic secure Android coding practices. The developer must use technologies like HTTPS, SSL and encryption on the data that are transferred through the web and stored in the server. Nogotofail is a useful network security testing tool designed by Google to “to help developers and security researchers spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and applications in a flexible, scalable, powerful way.

6appinfoplaystore The application has been reported to Google without receiving any response.

Avast detects it as Android:DataExposed-B [PUP].

Samples (SHA-256):

F51803FD98C727F93E502C13C9A5FD759031CD2A5B5EF8FE71211A0AE7DEC78C 199DD6F3B452247FBCC7B467CB88C6B0486194BD3BA01586355BC32EFFE37FAB

Malicious Office macros are not dead

You could think that malicious Office macros are a thing of the past. They are not a major threat anymore, but they still represent a potential risk for unsuspecting users.

Since Microsoft Office enabled documents to embed macros that can even do complex actions such as dropping malicious executables, malicious office macros were used in the malware landscape.

When Office XP was released in 2001, it disabled macros by default: as a consequence, malicious macros were not so efficient to infect users, so their use in the malware landscape rapidly declined afterwards.

German warning: Macros have been disabled - Enable ContentHowever, it doesn’t mean that the threat is not present anymore, especially in corporate environments where users may leave them activated by default.

And the document can try social engineering to convince you to re-enable them.

a malicious Office document trying to convince the user to enable macros.


The file also contains something weird:

a suspicious highlighting on invisible textIf you scroll down, you notice something unusual:
that invisible but underlined text is actually a malware file (4D 5A is the signature of a Portable Executable file), encoded in the document, but in white font on white background.

hidden_executableThis is what it looks like if the text is back in normal color.

On execution, the macros remove this hidden text, to remove traces of maliciousness.

So, be careful: don’t enable macros by default, and don’t enable them for unusual documents.


Analyzing malicious office macros out of a document

Until Office 2007, Microsoft used the OLE Compound File Binary Format. Here is an accurate summary of the format:

"nigthmare", in blood lettersbecause it’s actually a complete filesystem, with multiple FAT formats, sectors, streams, defragmentation…

So for your sanity, we’ll avoid the details here as much as we can…

Starting with Office 2007, the default format was the “XMLs in a ZIP” Office Open XML.

But to store macros, even Office Open XML still uses the OLE format: they are located in the vbaProject.bin file inside the ZIP archive.

macros are located in ZIP/word/vbaProject.binSo in any case, we need to deal with the OLE format to extract macros: either the whole document (< Office 2007), either the vbaProject.bin file (later versions),


Just for your information, this is what such a OLE file looks like from a high level perspective.

high-level structure of an office file(don’t show that to your kids, they might look away from computers for ever)

If you still want to know more about the OLE format, you may want to watch Bruce Dang’s presentation on the topic.


 

So first, extract the vbaProject.bin file from the ZIP. Then, ask OfficeParser to extract the macros: luckily, it does all the magic for us.

Extracting macros from an office documentit displays an error, but the file NewMacros is still correctly extracted.

And then, you can clearly tell immediately the intent of the file… it’s pretty obvious (and actually, quite disappointing)…

stupid variable names in the macrosObvious variable names

anti-emulation code in the macroCommented “anti-emulation”

over-using the same anti-emulationThey are so proud of it that they re-used it multiple times…

Ok, let’s stop here. You already get the idea about the intents of this file, and now you know a simple method to analyze malicious Office macros yourself.

Sadly, not much to learn from this threat: excepted that it’s a good thing to practice on a ‘forgotten’ file type, that could still be used today to infect users.

Related tools:

  • OfficeMalScanner: doesn’t parse OLE file, but tries to extract embedded shellcodes and binaries.
  • OleFileIO_PL: a more advanced parsing library than OfficeParser, but with no direct macros extraction ability.

The post Malicious Office macros are not dead appeared first on Avira Blog.

Self-propagating ransomware written in Windows batch hits Russian-speaking countries

Ransomware steals email addresses and passwords; spreads to contacts.

Recently a lot of users in Russian-speaking countries received emails similar to the message below. It says that some changes in an “agreement’ were made and the victim needs to check them before signing the document.

msg
The message has a zip file in an attachment, which contains a downloader in Javascript. The attachment contains a simple downloader which downloads several files to %TEMP% and executes one of them.
payload
The files have .btc attachment, but they are regular executable files.

coherence.btc is GetMail v1.33
spoolsv.btc is Blat v3.2.1
lsass.btc is Email Extractor v1.21
null.btc is gpg executable
day.btc is iconv.dll, library necessary for running gpg executable
tobi.btc is   Browser Password Dump v2.5
sad.btc is sdelete from Sysinternals
paybtc.bat is a long Windows batch file which starts the malicious process itself and its replication

After downloading all the available tools, it opens a document with the supposed document to review and sign. However, the document contains nonsense characters and a message in English which says, “THIS DOCUMENT WAS CREATED IN NEWER VERSION OF MICROSOFT WORD”.

msg2

While the user is looking at the document displayed above, the paybtc.bat payload is already running in the background and performing the following malicious operations:

  • The payload uses gpg executable to generate a new pair of public and private keys based on genky.btc parameters. This operation creates several files. The most interesting ones are pubring.gpg and secring.gpg.

genky

  • It then imports a public key hardcoded in the paybtc.bat file. This key is called HckTeam. Secring.gpg is encrypted with the hardcoded public key, and then renamed to KEY.PRIVATE. All remains of the original secring.gpg are securely deleted with sdelete. If anyone wants to get the original secring.gpg key, he/she must own the corresponding private key (HckTeam). However, this key is known only to the attackers.

keys2

  • After that, the ransomware scans through all drives and encrypts all files with certain extensions. The encryption key is a previously-generated public key named cryptpay. The desired file extensions are *.xls *.xlsx *.doc *.docx *.xlsm *.cdr *.slddrw *.dwg *.ai *.svg *.mdb *.1cd *.pdf *.accdb *.zip *.rar *.max *.cd *jpg. After encryption, the files are added to extension “[email protected]“. To decrypt these files back to their original state, it is necessary to know the cryptpay private key, however, this key was encrypted with the HckTeam public key. Only the owner of the HckTeam private key can decrypt it.

keys3

  • After the successful encryption, the ransomware creates several copies (in root directories, etc.) of the text file with a ransom message. The attackers ask the victim to pay 140 EUR. They provide a contact email address ([email protected]) and ask the victim to send two files, UNIQUE.PRIVATE and KEY.PRIVATE.

message

A list of the paths of all the encrypted files is stored in UNIQUE.BASE file. From this file, the paths without interesting paths are stripped (these paths include the following: windows temp recycle program appdata roaming Temporary Internet com_ Intel Common Resources).
This file is encrypted with the cryptpay public key and stored in UNIQUE.PRIVATE. To decrypt this file, the attackers need the cryptpay private key, which was previously encrypted with HckTeam public key. It means that only the owner of theHckTeam private key can decrypt UNIQUE.PRIVATE.
keys4

When we display a list of all the available keys (–list-keys parameter) in our test environment, we can see two public keys; one of them is hardcoded in paybtc.bat file (HckTeam), the second one is recently generated and unique for a particular computer (cryptpay).

keys

Then Browser Password Dump (renamed to ttl.exe) is executed. The stolen website passwords are stored in ttl.pwd file.
keys5

The ttl.pwd file is then sent to the attacker with the email address and password hardcoded in the bat file.
keys6

Then the ttl.pwd is processed. The ransomware searches for stored passwords to known Russian email service providers. These sites include auth.mail.ru, mail.ru, e.mail.ru, passport.yandex.ru, yandex.ru, mail.yandex.ru. When a user/password combination is found, it is stored for future usage.
keys7

The GetMail program is used later to read emails from a user account and extract contacts. The ransomware will spread itself to these contacts.

With the stolen passwords, the virus then runs coherence.exe (renamed GetMail utility), which is a utility to retrieve emails via POP3. The virus only knows the username and password, not the domain, so it takes a few tries to bruteforce all major email providers to find the only missing piece of information. If an email is downloaded while bruteforcing, it confirms two things: 1. The domain the victim uses, and 2. the fact that the password works. Then the virus downloads the last 100 emails, extracts “From” email addresses and runs a simple command to filter out specific addresses, like automatic emails.

email_extracting

Next, ten variants of email are created, each with one custom link.
emails

The links all point to different files, but after unzipping we obtain the original JavaScript downloader.

urls

The virus now has a fake email with a malicious link, addresses to send it to, and the email address and password of the sender. In other words, everything it needs to propagate.

Propagation is achieved using program Blat renamed as spoolsv.btc. The last step of the virus is to remove all temporary files – nothing will ever  be needed again.

cleanup

Conclusion:

In the past we regularly got our hands dirty with ransomware which was typically a highly obfuscated executable. This case was quite different. It was interesting mainly because it was written purely in a batch file and relied on many open source and/or freely available third party utilities. Also, self-replication via emails was something we do not usually see.

avast! security products detect this ransomware and protect our users against it. Make sure your friends and family are protected as well. Download avast! Free Antivirus now.

SHAs and Avast’s detections:

Javascript downloader (JS:Downloader-COB)

ee928c934d7e5db0f11996b17617851bf80f1e72dbe24cc6ec6058d82191174b

BAT ransomware (BV:Ransom-E [Trj])

fa54ec3c32f3fb3ea9b986e0cfd2c34f8d1992e55a317a2c15a7c4e1e8ca7bc4

Acknowledgement:

This analysis was jointly accomplished by Jaromir Horejsi and Honza Zika.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.