Archive

Author Archive

Nemucod dot dot..WSF

July 23rd, 2016 No comments

The latest Nemucod campaign shows the malware distributing a spam email attachment with a .wsf extension, specifically ..wsf (with a double dot) extension.

It is a variation of what has been observed since last year (2015) – the TrojanDownloader:JS/Nemucod malware downloader using JScript. It still spreads through spam email attachment, typically inside a .zip file, using a file name of interest with .js or .jse as extension.

The following screenshots show how the malicious file attachment looks like in the recent campaign:

Example of how an email spam containing the latest version of Nemucod might look like

Figure 1: Example of how an email spam containing the latest version of Nemucod might look like

 

Example of how Nemucod malware looks like when extracted and opened with an archive viewer.

Figure 2: Example of how Nemucod malware looks like when extracted and opened with an archive viewer

What the double dots mean: Social engineering for unsuspecting eyes

As seen in the following file name samples, the double dot paired with the uncommon .wsf extension creates an illusion that the file name was either abbreviated, was intentionally omitted, or shortened by the system because it was too long:

  • profile-d39a..wsf
  • profile-e3de..wsf
  • profile-e7dc..wsf
  • profile-f8d..wsf
  • profile-fb50..wsf
  • spreadsheet_07a..wsf
  • spreadsheet_1529..wsf
  • spreadsheet_2c3b..wsf
  • spreadsheet_36ff..wsf
  • spreadsheet_3a8..wsf

Some might look at the sample file names and assume that they might originally have been a long unique string identifier consisting of random letters and numbers that could be a transaction ID, receipt number or even user ID:

  • profile-d39as1u3e8k9i3m4wsf
  • profile-e3dee1uwl8s10f3m4wsf
  • profile-e7dc4d1u3e83m4wsf
  • profile-f8dsdwsfe8k4i38wsf
  • profile-fb50s1u3l8k9i3m4wsf
  • spreadsheet_07as133e3k9i3e4wsf
  • spreadsheet_1529s15se8f9i3o6wsf
  • spreadsheet_2c3bs1u5dfk9i3m6wsf
  • spreadsheet_36ffs1ure8koei3d5ws
  • spreadsheet_3a8s1udwsf8s9i323wsf

However, this is not the case. These are script files that might contain malicious code which could harm your system.

Underneath the WSF

Windows Scripting File is a text document containing Extensible Markup Language (XML) code. It incorporates several features that offer you increased scripting flexibility. Because Windows script files are not specific to a script language, the underlying code can have either JavaScript or VBScript, depending on language declaration in the file. WSF acts as a container.

Underneath the WSF is the same typical Nemucod JScript code.

Nemucod code inside WSF: has encrypted code and the decryption is written under @cc_on (conditional compilation)

Figure 3: Nemucod code inside WSF: has encrypted code and the decryption is written under @cc_on (conditional compilation)

 

This Nemucod version leverages the @cc_on (conditional compilation) command. Such a command can possibly evade AV scanner detection. It tricks the AV scanners to think the command is part of a comment, thus preventing the AV scanners from interpreting it as an executable code.

Upon code decryption, the following URLs – where the malware payload is being hosted – are revealed:

  • hxxp://right-livelihoods.org/rpvch
  • hxxp://nmfabb.com/rgrna1gc
  • hxxp://www.fabricemontoyo.com/v8li8

Recent spam campaign and trends

The latest Nemucod telemetry for the past 15 days shows that it has constantly been active, although there haven’t been any huge spikes.

Daily detection trend for Nemucod. These are the unique machine encounters per day

Figure 4: Daily detection trend for Nemucod. These are the unique machine encounters per day

 

Geographic distribution of Nemucod. Data taken from July 3 to July 18, 2016

Figure 5: Geographic distribution of Nemucod. Data taken from July 3 to July 18,2016

 

Other than using ..wsf and @cc_on technique, we’ve also seen different and old tricks used as part of its social engineering tactics. This includes, but is not limited to:

  • Double extension (for example: <filename>pdf.js)
  • Invoice, receipt, and delivery related file names such as DHL, FedEx delivery, and so forth

Nemucod infection chain

Nemucod infection chain showing spam email distributing WSF which downloads and runs malware

Just like the Nemucod campaigns before this, the malware downloader payload includes ransomware, such as:

Mitigation and prevention

To avoid falling prey from this new Nemucod malware campaign:

Francis Tan Seng and Alden Pornasdoro
MMPC

Categories: Uncategorized Tags:

Kovter becomes almost file-less, creates a new file type, and gets some new certificates

July 22nd, 2016 No comments

Trojan:Win32/Kovter is a well-known click-fraud malware which is challenging to detect and remove because of its file-less persistence on infected PCs. In this blog, we will share some technical details about the latest changes we have seen in Kovter’s persistence method and some updates on their latest malvertising campaigns.

New persistence method

Since June 2016, Kovter has changed their persistence method to make remediation harder for antivirus software.

Upon installation, Kovter will generate and register a new random file extension (for example, .bbf5590fd) and define a new shell open verb to handle this specific extension by setting the following registry keys:

Registry setup for Kovter

Figure 1: Registry setup for Kovter

With this setup, every time a file with the custom file extension (.bbf5590fb) is opened, the malicious Kovter command contained in the registry key is executed via the shell extension open verb.

Therefore, all Kovter needs to do to run on infected machines is open a file with their custom file extension .bbf5590fb – causing the malicious shell open command to run. This in turn runs a command using mshta.

Mshta is a clean tool that is used by Kovter to execute malicious JavaScript. This JavaScript then loads the main payload from another registry location, HKCUsoftware67f1a6b24cd0db239. To trigger this shell open command on a regular basis, Kovter drops several garbage files with its custom file extension in different locations, for example:

The contents of these files are not important, since the malicious code is contained within the shell open verb registry key. The last step in the installation process is setting up the auto-start mechanism to automatically open the above files. Kovter uses both a shortcut file and a batch (.bat) file for this:

Using a shortcut file

Kovter drops a shortcut file (.lnk) in the Windows startup folder which points to the garbage files. We have seen it drop the following shortcut file:

  • %APPDATA%MicrosoftWindowsStart MenuProgramsStartup28dd1e3d.lnk

The target command of the shortcut file is the following:

C:WindowsSystem32cmd.exe /C start “” “C:UsersAdminAppDataRoaming33e588393ad319e6.bbf5590fd”

Once executed at startup, this command will open the file, causing the malicious shell open verb to run the malicious mshta command previously set up in the registry system (see Figure 1).

Using a batch script file

Kovter will drop a batch script file (.bat) and set a registry run key to execute the .bat file. The .bat file will be dropped in a randomly generated folder, such as:

The .bat file has the following content:

Content of the .bat file setup in run key

Figure 2: Content of the .bat file setup in run key

 

Once executed, this bat will also run the dropped file, which then executes the malicious shell open verb.

Instead of just adding the mshta script directly as a run key registry as in the old variant, Kovter is now using this shell open trick to start itself. Although Kovter is technically not fully file-less after this latest update, the majority of the malicious code is still held only within the registry. To remove Kovter completely from an infected computer, antivirus software needs to remove all of these dropped files as well as the registry change.

Windows Defender is able to successfully clean up and remove these new versions of this threat.

Kovter malvertising updates

Since our last blog on Kovter spreading through malicious advertisements as a fake Adobe Flash update, we have observed some changes.

On top of the fake Adobe Flash updates, Kovter is now also pretending to be a Firefox update. Kovter has also rotated through a series of new digital certificates, including the following:

Certificate signer hash Valid from Valid until
7e93cc85ed87ddfb31ac84154f28ae9d6bee0116 Apr 21 2016 Apr 21 2017
78d98ccccc41e0dea1791d24595c2e90f796fd48 May 13 2016 May 13 2017
c6305ea8aba8b095d31a7798f957d9c91fc17cf6 Jun 22 2016 Jun 22 2017
b780af39e1bf684b7d2579edfff4ed26519b05f6 May 12 2016 May 12 2017
a286affc5f6e92bdc93374646676ebc49e21bcae May 13 2016 May 13 2017
ac4325c9837cd8fa72d6bcaf4b00186957713414 Nov 18 2015 Nov 17 2016
ce75af3b8be1ecef9d0eb51f2f3281b846add3fc Dec 28 2015 Dec 27 2016

Table 1: List of certificates used by Kovter

 

We’ve notice that every time Kovter actors release a new wave of samples signed with a new certificate they hit a lot of machines. This can be seen in our telemetry for the past three months, with spikes on May 21, June 14, and the first week of July.

Kovter’s prevalence for the past two months

Figure 3: Kovter’s prevalence for the past two months

 

Besides fake Adobe Flash and Firefox updates, Kovter also pretends to be a Chrome update (chrome-update.exe).

We have seen Kovter downloaded from a large list of URLs, including:

  • hxxps://eepheverseoftheday.org/2811826639187/2811826639187/146819749948281/FlashPlayer.exe
  • hxxps://deequglutenfreeclub.org/8961166952189/8961166952189/146809673281840/FlashPlayer.exe
  • hxxps://zaixovinmonopolet.net/5261173544131/5261173544131/146785099939564/FlashPlayer.exe
  • hxxps://feehacitysocialising.net/7561659755159/1468089713424429/firefox-patch.exe
  • hxxps://eepheverseoftheday.org/1851760268603/1851760268603/1468192094476645/firefox-patch.exe
  • hxxps://uchuhfsbox.net/8031143191240/8031143191240/1467996389305283/firefox-patch.exe
  • hxxps://ierairosihanari.org/1461656983266/1461656983266/1467987174641688/firefox-patch.exe
  • hxxps://anayimovilyeuros.net/7601143032510/7601143032510/1465468888898207/chrome-patch.exe

For reference, here are some SHA1s corresponding to each certificate used by Kovter:

Certificate Signer Hash SHA1
7e93cc85ed87ddfb31ac84154f28ae9d6bee0116 7177811e2f7be8db2a7d9b1f690dc9e764fdc8a2
78d98ccccc41e0dea1791d24595c2e90f796fd48 da3261ceff37a56797b47b998dafe6e0376f8446
c6305ea8aba8b095d31a7798f957d9c91fc17cf6 c3f3ecf24b6d39b0e4ff51af31002f3d37677476
b780af39e1bf684b7d2579edfff4ed26519b05f6 c49febe1e240e47364a649b4cd19e37bb14534d0
a286affc5f6e92bdc93374646676ebc49e21bcae 3689ff2ef2aceb9dc0877b38edf5cb4e1bd86f39
ac4325c9837cd8fa72d6bcaf4b00186957713414 e428de0899cb13de47ac16618a53c5831337c5e6
ce75af3b8be1ecef9d0eb51f2f3281b846add3fc b8cace9f517bad05d8dc89d7f76f79aae8717a24

Table 2: List of Kovter SHA1 for each certificate

 

To protect yourself from this type of attack, we encourage users to only download and install applications or their updates from their original and trusted websites.

Using an up-to-date version of an antimalware scanner like Windows Defender will also help you to stay protected from Kovter.

Duc Nguyen
MMPC

Categories: Uncategorized Tags:

Reverse engineering DUBNIUM –Stage 2 payload analysis

July 14th, 2016 No comments

Recently, we blogged about the basic functionality and features of the DUBNIUM advanced persistent threat (APT) activity group Stage 1 binary and Adobe Flash exploit used during the December 2015 incident (Part 1, Part 2).

In this blog, we will go through the overall infection chain structure and the Stage 2 executable details. Stage 2 executables are the core of this activity groups’ operation, as it is the final payload delivered to possible targets that matches its profile.

Infection chain overview

The picture below shows the overall infection chain we analyzed.

Flow chart describing how Dubnium is installed

Figure 1: Infection chain overview

 

In most cases, the daily operation of the DUBNIUM APT depends on social engineering through spear-phishing. They are observed to mainly rely on an .LNK file that has an icon that looks like a Microsoft Word file. If the victim clicks the file thinking it’s a Microsoft Office Word file, it downloads a simple dropper that will download and execute next stage binary – which in this case, has the file name of kernelol21.exe.

The Stage 1 binary extensively checks-up on the system for the existence of security products or usual analysis tools for the reverse engineers or security analysts. It will pass the client’s IP address, hostname, MAC address, software profile information, and locale information to the download server. When the server thinks that the client matches profile for possible prospect, the next stage dropper will be downloaded.

 

Stage 0: Social Engineering vs. Exploits

In our previous blogs we described the Adobe Flash Exploit the malware recently used. In this blog we want to provide a brief overview of the social engineering method DUBNIUM uses for its daily infection operations. The activity group uses the .LNK file with an icon image of a Word document as one of its social engineering methods.

Shortcut icon disguised as Word document

Figure 2: Shortcut icon disguised as Word document

 

The shortcut contains commands to download and execute the next level executable or script. Unsuspecting victims will double click this icon and will be unknowingly launching a PowerShell command.

The commands in the shortcut

Figure 3: The commands in the shortcut

 

For example, the following shows the script that downloads a binary and executes it on the target system using PowerShell.

PowerShell script for downloading and execution of next stage binary

Figure 4: PowerShell script for downloading and execution of next stage binary

 

To make the attack more benign, the dropper drops an Office Word document and displays it on the screen. One of the samples we saw had content similar to the following screenshot:

Fake document contents - North Korean style language and mentions on North Korean leaders with New year’s celebration

Figure 5: Fake document contents – North Korean style language and mentions on North Korean leaders with New year’s celebration

 

Stage 2 infection process

Acquiring a Stage 2 binary is very difficult for the analysts because the download server is very selective upon the infection targets. The main direction of the infection strategy is not to infect as many as it can, instead it focuses on infecting targets that matches the desired profile, and avoids detection from security products. One very interesting fact is that the command and control (C2) server we have been observing didn’t go down for months. Overall security product coverage on Stage 2 executables is very poor, and so the strategy with this activity group (with a very selective Stage 2 infection) appears to have been effective.

The following diagram shows the transition from Stage 1 to Stage 2 through the downloaded binary.

Stage 1 to 2 transition

Figure 6: Stage 1 to 2 transition

 

The dropped binary (Dropper PE module) is never written to disk and directly injected to a new process created. In this case plasrv.exe is used, but the process name can actually vary each time. The dropper PE module will drop kbkernelolUpd.dll and kernelol21.exe (which happens to have the same name as the Stage 1 binary – but different contents). The dropper PE module will look for usual system processes, for example dwm.exe in this case, and will inject kbkernelolUpd.dll.

This is the main C2 client that will communicate with the C2 server and process downloaded commands. It performs the extra work of creating a process of usual Windows binary under systems folder and injecting the kernelol21.exe binary into it. This is a process persistency module, which will re-inject kbkernelolUpd.dll if the process is killed for some reason. The kbkernelolUpd.dll module also constantly monitors the existence of the kernelol21.exe injected process and will re-launch and re-inject the module if the infected host process is killed. This makes a process persistency loop.

The following screenshot shows the typical process tree when the Stage 2 infection happens. The dwm.exe and cipher.exe processes are infected with kbkernelolUpd.dll and kernelol21.exe.

Typical process list with Stage 2 infection

Figure 7 Typical process list with Stage 2 infection

 

The persistency of whole infection is carried by the Windows logon key shown in the following picture.

kernelol21.exe load key

Figure 8 kernelol21.exe load key

 

The following table shows the infection targets used for each stage. All infection target process files are default Windows executables under the system32 folder.

Components Injection targets Description
Stage 1 dropper PE module
  • plasrv.exe
  • wksprt.exe
  • raserver.exe
  • mshta.exe
  • taskhost.exe
  • dwm.exe
  • sdiagnhost.exe
  • winrshost.exe
  • wsmprovhost.exe
Creates new process
Stage 2 kbkernelolUpd.dll
  • dwm.exe
  • wuauclt.exe
  • ctfmon.exe
  • wscntfy.exe
Injects into existing process

If the process is killed, svchost.exe will be created by stage kernelol21.exe.

Stage 2 kernelol21.exe
  • cipher.exe
  • gpupdate.exe
  • services.exe
  • sppsvc.exe
  • winrshost.exe
Creates new process

Table 1: DUBNIUM infection targets

 

Process image replacement technique

When the main C2 client module, kbkernelolUpd.dll, is injected, it uses LoadLibrary call that is initiated through CreateRemoteThread API. This is a very typical technique used by many malware.

Injected LoadLibrary code

Figure 9: Injected LoadLibrary code

 

But, for dropper PE module in Stage 1 and kernelol21.exe injection in Stage 2, it uses a process image replacement technique. It creates the usual Windows process, injects the PE module to this process, fabricates PEB information and modifies startup code to achieve process injection.

 

Writing PE Image

The technique starts with creating a process from the executable under Windows system folder. Table 1 shows each target processes the injection will be made into, depending on the stage and the binary. The process is created as suspended and modifications will be performed on the image. The first step is injecting the infection PE image upon the process. It uses WriteProcessMemory APIs.

Figure 10 shows the code that injects the PE header, and Figure 11 shows the memory of the target process where the PE header is injected.

Injecting PE header

Figure 10: Injecting PE header

 

PE header written on target process

Figure 11 PE header written on target process

 

After the injection of PE header, it will go through each section of the source PE image and inject them one by one to the target process memory space.

PE section injection

Figure 12: PE section injection

 

The injected PE module has dependencies on the hardcoded base and section addresses. If VirtualAlloc function upon the desired base or section addresses fails, the whole injection process will fail.

 

Acquiring context and PEB information

The next step of infection is using GetThreadContext API to retrieve current context of the target process.

GetThreadContext

Figure 13: GetThreadContext

 

One of the thread contexts retrieved is shown in the following image.

Retrieved Context

Figure 14: Retrieved Context

 

When the process is started as suspended, the ebx register is initialized with the pointer to PEB structure. The following shows the original PEB data from the target process. The ImageBaseAddress member is at offset of +8 and the value is 0x00e0000 in this case. This is the image base of the main module of the target process.

Original PEB structure

Figure 15: Original PEB structure

 

After retrieving the PEB.ImageBaseAddress from the target process (Figure 16), it will replace it with the base address of the injected module (Figure 17).

Reading PEB.ImageBaseAddress

Figure 16: Reading PEB.ImageBaseAddress

Overwriting PEB.ImageBaseAddress

Figure 17: Overwriting PEB.ImageBaseAddress

 

The PEB.ImageBaseAddress of the target process is replaced, as in the following figure, to point to the base address of the injected PE module.

Overwritten PEB.ImageBaseAddress

Figure 18: Overwritten PEB.ImageBaseAddress

 

Overwriting wmainCRTStartup

 

After overwriting PEB.ImageBaseAddress to an injected module’s base address, the next step is patching wmainCRTStartup code from the original main module.

wmainCRTStartup patch code

Figure 19: wmainCRTStartup patch code

 

The following code shows original disassembly from wmainCRTStartup code.

Original code

Figure 20: Original code

 

After patch, it will just jump to the entry code of the injected module located at address of 0x4053d0, which is the entry point of the injected module. When ResumeThread is called upon this thread, it will start the main module from the injected module’s entry code.

Patched code

Figure 21: Patched code

 

Main C2 Client (kbkernelolUpd.dll)

As kbkernelolUpd.dll is the main module of the infection chain, we are going to focus on the analysis of this binary. As we stated before, the detection coverage and information on this specific component is limited in the security industry.

 

The string for the C2 server hostname and URI is encoded in a configuration block inside the binary.

C2 server string decoding

Figure 22: C2 server string decoding

 

From the following disassembly list, get_command uses wininet.dll APIs to send basic client information and to retrieve commands from the server. The process_command is the routine that will parse message and execute designated commands.

C2 command fetch & execution loop

Figure 23: C2 command fetch & execution loop

 

Between each contact to the C2 server, there is a timeout. The timeout value is saved inside the encoded configuration block in the binary. For example, the sample we worked on had a 30-minute time out between each contact request to the server.

Sleep interval between C2 accesses

Figure 24: Sleep interval between C2 accesses

 

Cryptographic C2 channel and message format

The following diagram shows the basic message format of the C2 server payload that is downloaded when the client contacts the server.

Decrypting C2 message

Figure 25: Decrypting C2 message

 

The message from the C2 server can be encoded in various ways. The first byte in the payload is the XOR key that is used to decode following bytes. The encryption type byte indicates what encryption algorithm is used in the code. It has three different encryption schemes (0x50, 0x58, 0x70) supported.

From our static analysis, 0x58 is for AES 256 encryption algorithm, 0x70 and 0x50 are for 3DES 168 algorithm. If this type is 0x40, no encryption will be used and it looks like 0x50 and 0x58 encryption type is not fully implemented yet. So 0x70 encryption type with 3DES 168 algorithm is the only encryption type that is fully working here.

The decryption scheme is using an embedded RSA private key with the decryption key embedded in the binary. By calling CryptHashData upon the embedded password string and using CryptDeriveKey, it will acquire a key to decrypt the encrypted RSA private key. (Figure 26)

Setting encryption key

Figure 26: Setting encryption key

 

This decryption key is used to import 0x258 bytes of private key embedded inside the binary. And this private key is used to decrypt the encrypted key (Key data 02 from Figure 25) passed through the response packet from the C2 server. Next, the IV (Initialization Vector) passed through the response packet is set as a parameter to the key object.

Importing keys and IV

Figure 27: Importing keys and IV

 

Finally, the actual decryption of the payload happens through CryptDecrypt API call. The question still remains why the C2 server and the client are using such an overcomplicated encryption scheme.

Decrypting message

Figure 28: Decrypting message

 

Command processor

The C2 command processor looks very typical. It has a simple packet parser for TLV (type, length, value) data structure. The following picture shows the main routine that processes packet length and types. It will call relevant functions for each packet type.

Main command processor function

Figure 29: Main command processor function

 

Each command provides usual functionalities that are typically seen in backdoors. They include registry, file system manipulations, and searching files with specific patterns, and retrieving and transferring them back to the server and gathering network status information.

Infections statistics

The following chart shows the relative prevalence of the threat overall. We included Stage 1 and Stage 2 payload detections in this map.

Bar chart showing countries with most infections in China and Japan

Figure 30: Infection distribution by countries

 

Most of the infections we saw focused on East Asia—mostly China and Japan. We already described that the Stage 1 dropper collects and sends IP and language locale of the machines it infected to the Stage 2 dropper distribution site. We think this distribution site has a logic to determine whether to drop next payload or not.

The Stage 1 dropper is also known to collect information on culture-specific software like messengers and security software mainly used in mainland China. If the distribution site doesn’t push back Stage 2 payload, Stage 1 payload doesn’t have any means of persistency at all. This means that with all the cost of infiltrating into the machine, the malware simply gives up the machine if the machine doesn’t fit into its profile. Based upon the actual infection map and the behavior of this Stage 1 dropper, it might be a good indication that the activity group has a good geolocation preference with their targets.

 

Conclusion

DUBNIUM is a very cautious actor. From the vendor detections for Stage 2 binaries, we can see that there are no serious detections upon them in the industry. This is partially due to the strategy that DUBNIUM employs. It doesn’t try to infect as many machines as possible, instead it will potentially expose important components, like C2 client modules, to unintended targets. The very long lifespan of the domain it controls and uses for C2 operation supports the story.

Other features with DUBNIUM is that it uses encoding and encryption schemes over the executables and network protocols. Each stage has different styles of encoding and decoding schemes. Some are complicated and some are relatively simple. Stage 1 binaries have a stronger obfuscation and payload encoding scheme than Stage 2 binaries. The C2 server payload has its own format with encrypted message support.

The other feature with DUBNIUM is that over each stages, it always checks the running environment. It focuses on security products and analyst tools on Stage 1, but it is very cautious on debugging tools on Stage 2 binaries. From Stage 1, it also collects extensive information on the client system including locale, IP and MAC address and they are sent to the Stage 2 distribution site. The distribution site also serves each client once based upon this information. Getting served on the next stage binary is sometimes very challenging as we don’t know the backend algorithm behind to determine whether to serve the next stage binary or not.

 

Appendix – Indicators of Compromise

 

Stage 0

Adobe Flash Player Exploit

3eda34ed9b5781682bcf7d4ce644a5ee59818e15 SWF File

 

LNK

25897d6f5c15738203f96ae367d5bf0cefa16f53

624ac24611ef4f6436fcc4db37a4ceadd421d911

 

Droppers

09b022ef88b825041b67da9c9a2588e962817f6d

35847c56e3068a98cff85088005ba1a611b6261f

7f9ecfc95462b5e01e233b64dcedbcf944e97fca

aee8d6f39e4286506cee0c849ede01d6f42110cc

b42ca359fe942456de14283fd2e199113c8789e6

cad21e4ae48f2f1ba91faa9f875816f83737bcaf

ebccb1e12c88d838db15957366cee93c079b5a8e

4627cff4cd90dc47df5c4d53480101bdc1d46720

 

Fake documents displayed from droppers

24eedf7db025173ef8edc62d50ef940914d5eb8a

7dd3e0733125a124b61f492e950b28d0e34723d2

24eedf7db025173ef8edc62d50ef940914d5eb8a

afca20afba5b3cb2798be02324edacb126d15442

 

Stage 1

Droppers

0ac65c60ad6f23b2b2f208e5ab8be0372371e4b3

1949a9753df57eec586aeb6b4763f92c0ca6a895

4627cff4cd90dc47df5c4d53480101bdc1d46720

561db51eba971ab4afe0a811361e7a678b8f8129

6e74da35695e7838456f3f719d6eb283d4198735

8ff7f64356f7577623bf424f601c7fa0f720e5fb

b8064052f7fed9120dda67ad71dbaf2ac7778f08

dc3ab3f6af87405d889b6af2557c835d7b7ed588

 

Stage 2

Dropper

2d14f5057a251272a7586afafe2e1e761ed8e6c0

3d3b60549191c4205c35d3a9656377b82378a047

 

kernelol21.exe

6ce89ae2f1272e62868440cde00280f055a3a638

 

kbkernelolUpd.dll

b8ea4b531e120730c26f4720f12ea7e062781012

0ea2ba966953e94034a9d4609da29fcf11adf2d5

926ca36a62d0b520c54b6c3ea7b97eb1c2d203a9

db56f474673233f9b62bef5dbce1be1c74f78625

 

UserData

147cb0d32f406687b0a9d6b1829fb45414ce0cba

 

Acknowledgement: Special thanks to Mathieu Letourneau at MMPC for providing statistical coverage data on the DUBNIUM multi-stage samples and providing insight on the interpretation of the data. Special thanks to HeungSoo David Kang for providing screenshots from the fake Office Word document file.

 

Jeong Wook Oh
MMPC

 

Categories: Uncategorized Tags:

Troldesh ransomware influenced by (the) Da Vinci code

July 13th, 2016 No comments

We at the MMPC are constantly tracking new and emerging ransomware threats so we can be one step ahead of active campaigns and help protect our users. As part of these efforts, we recently came across a new variant of the Win32/Troldesh ransomware family.

Ransomware, like most malware, is constantly trying to change itself in an attempt to evade detection. In this case, we’ve seen the following updates to Troldesh:

  • Tor functionality
  • Glyph/symbol errors on the wallpaper ransom note
  • Modified extension names for encrypted files
  • New malware being delivered (Trojan:Win32/Mexar.A)
  • Updates the ransom note to cover the Tor functionality

The biggest change in this update is the addition of Tor links. Using Tor addresses as the ransom payment method (as opposed to standard www addresses) is the current fashion among ransomware.

The ransom note now includes links to the Tor address (previously, the only method provided for obtaining decryption was an email address):

The ransom note now includes onion.to addresses for payment

However, upon investigation it appears that Tor has blocked the address:

Screenshot showing that the Troldesh payment site has been blocked by Tor

Errors have been introduced into the image that replaces the user’s desktop wallpaper (this occurred to several samples, but not all):

Errors and unknown symbols have been seen in some versions of the wallpaper - the symbols look like blank boxes and random characters

After encryption, Troldesh changes the file’s extension. In the latest update, we’ve seen it use the following strings:

  • .da_vinci_code
  • .magic_software_syndicate

For example, an encrypted file might appear as follows:

A file name that is a series of random characters and ends in .da_vinci_code

The list of file types that Troldesh encrypts has also increased – see the Win32/Troldesh description for a full list.

Prevention

To help stay protected:

  • Keep your Windows Operating System and antivirus up-to-date and, if you haven’t already, upgrade to Windows 10.
  • Regularly back-up your files in an external hard-drive
  • Enable file history or system protection. On Windows 10 and Windows 8.1, set up a drive for file history
  • Use OneDrive for Business
  • Beware of phishing emails, spams, and clicking malicious attachment
  • Use Microsoft Edge to get SmartScreen protection. It can help warn you about sites that are known to be hosting exploits, and help protect you from socially-engineered attacks such as phishing and malware downloads.
  • Disable the loading of macros in your Office programs
  • Disable your Remote Desktop feature whenever possible
  • Use two factor authentication
  • Use a safe Internet connection
  • Avoid browsing web sites that are known for being malware breeding grounds (such as illegal music, movies and TV, and software download sites)

Detection

Recovery

In the Office 365 “How to deal with ransomware” blog, there are several options on how you might be able to remediate or recover from a ransomware attack, including backup and recovery using File History in Windows 10 and System Restore in Windows 7.

You can also use OneDrive and SharePoint to backup and restore your files:

  

Patrick Estavillo
MMPC

Categories: Uncategorized Tags:

MSRT July 2016 – Cerber ransomware

July 12th, 2016 No comments

As part of our ongoing effort to provide better malware protection, the July 2016 release of the Microsoft Malicious Software Removal Tool (MSRT) includes detection for Win32/Cerber, a prevalent ransomware family. The inclusion in MSRT complements our Cerber-specific family detections in Windows Defender, and our ransomware-dedicated cloud protection features.

We started seeing Cerber in February 2016, and since then it has continuously evolved and is now one of the most encountered ransomware families – beating both Exxroute and Locky. The evolution is mostly based around the way in which Cerber is being distributed – with a focus on exploit kits, compromised websites, and email distribution.

When looking at data for the past 30 days, Cerber is the most detected ransomware, taking over a quarter of all ransomware infections.

Ransomware family Share
Cerber 25.97%
Exxroute 15.39%
Locky 12.80%
Brolo 11.66%
Crowti 9.97%
FakeBsod 9.19%
Teerac 3.94%
Critroni 3.72%
Reveton 2.86%
Troldesh 1.21%
Ranscrape 1.18%
Sarento 0.76%
Urausy 0.70%
Genasom 0.65%

 

Cerber is especially prevalent in the US, Asia, and Western Europe.

However, infections occur across the globe, and the following heat map demonstrates the geographical spread of infected machines:
Map showing highlighted areas in Eastern US, Western Europe, Asia, South America

 

Cerber infection chain

Cerber can enter your system or PC either through downloaders from spam email or exploits on malicious or compromised sites.

Diagram showing spam email using macro and scripts to install cerber onto a PC

When delivered via spam, we’ve seen the use of both macros and OLE objects to deliver Cerber. We described how malware authors can maliciously use OLE in our blog “Where’s the macro?“, and we’ve previously talked about how macros have been used to deliver malware (although new features in Office 2016 has seen a decrease in macro-based malware).

In this case, we’ve seen malicious files using VisualBasic Script (VBS) and JavaScript to download Cerber from a command and control (C2) server. We’ve also seen malicious macros both downloading Cerber, and dropping VBS scripts that then download Cerber.

The other infection vector – exploit kits – occurs when a user visits a malicious or compromised website that hosts an exploit kit. The exploit kit checks for vulnerabilities on the PC, and tailors an infection to target those vulnerabilities. This allows the exploit kit to download Cerber onto the PC.

Neutrino, Angler, and Magnitude exploit kits have been identified as distributing Cerber.

 

Cerber updates

As with most other encryption ransomware, Cerber encrypts files and places “recovery” instructions in each folder. Cerber provides the instructions both as .html and .txt formats, and replaces the desktop wallpaper.

Cerber, however, also includes a synthesized audio message.

We described the Cerber infection process in detail in our blog “The three heads of the Cerberus-like Cerber ransomware“.

 

Screencap showing a long note explaining how a user was infectedThere have been some updates to this family, however, including a much more detailed description of how ransomware encryption works, and how users can recover their files.

Note that the ransom message now makes claims about Cerber attempting to help make the Internet a safer place, and they don’t mention the payment of fees or ransom to decrypt your files.

Upon investigation, however, we have determined (as of July 8, 2016) that they are asking for a ransom in the form of bitcoins, as shown in the following screenshot of the Tor webpage:

Note showing that Cerber is request bitcoin payment to decrypt files

 

The Cerber desktop wallpaper has also been updated:

Grey wallpaper with a few lines of black text showing links to decrypt files

 

Prevention

To help stay protected:

  • Keep your Windows Operating System and antivirus up-to-date and, if you haven’t already, upgrade to Windows 10.
  • Regularly back-up your files in an external hard-drive
  • Download and apply security patches associated with the exploit kits that are known to distribute this ransomware (for example: Neutrino).
  • Enable file history or system protection. On Windows 10 and Windows 8.1, set up a drive for file history
  • Use OneDrive for Business
  • Beware of phishing emails, spams, and clicking malicious attachment
  • Use Microsoft Edge to get SmartScreen protection. It can help warn you about sites that are known to be hosting exploits, and help protect you from socially-engineered attacks such as phishing and malware downloads.
  • Disable the loading of macros in your Office programs
  • Disable your Remote Desktop feature whenever possible
  • Use two factor authentication
  • Use a safe Internet connection
  • Avoid browsing web sites that are known for being malware breeding grounds (such as illegal music, movies and TV, and software download sites)

Detection

Recovery

In the Office 365 blog “How to deal with ransomware“, there are several options on how you might be able to remediate or recover from a ransomware attack, including backup and recovery using File History in Windows 10 and System Restore in Windows 7.

You can also use OneDrive and SharePoint to backup and restore your files:

 

Carmen Liang and Patrick Estavillo MMPC

 

Categories: Uncategorized Tags:

Reverse-engineering DUBNIUM’s Flash-targeting exploit

June 20th, 2016 No comments

The DUBNIUM campaign in December involved one exploit in-the-wild that affected Adobe Flash Player. In this blog, we’re going to examine the technical details of the exploit that targeted vulnerability CVE-2015-8651. For more details on this vulnerability, see Adobe Security Bulletin APSB16-01.

Note that Microsoft Edge on Windows 10 was protected from this attack due to the mitigations introduced into the browser.

 

Vulnerability exploitation

Adobe Flash Player version checks

The nature of the vulnerability is an integer overflow, and the exploit code has quite extensive subroutines in it. It tries to cover versions of the player from 11.x to the most recent version at the time of the campaign, 20.0.0.235.

The earliest version of Adobe Flash Player 11.x was released in October 2011 (11.0.1.152) and the last version of Adobe Flash Player 10.x was released in June 2013 (10.3.183.90). This doesn’t necessarily mean the exploit existed from 2011 or 2013, but it again demonstrates the broad target the exploit tries to cover.

Figure 1 Version check for oldest Flash Player the exploit targets

Figure 1 Version check for oldest Flash Player the exploit targets

 

Mainly we focused our analysis upon the function named qeiofdsa, as the routine covers any Adobe Flash player version since 19.0.0.185 (released on September 21, 2015).

Figure 2 Version check for latest Flash Player the exploit supports

Figure 2 Version check for latest Flash Player the exploit supports

 

Why is this version of Flash Player so important? Because that is the release which had the latest Vector length corruption hardening applied at the time of the incident. The original Vector length hardening came with 18.0.0.209 and it is well explained in the Security @ Adobe blog https://blogs.adobe.com/security/2015/12/community-collaboration-enhances-flash.html.

The Vector object from Adobe Flash Player can be used as a corruption target to acquire read or write (RW) primitives.

This object has a very simple object structure and predictable allocation patterns without any sanity checks on the objects. This made this object a very popular target for exploitation for recent years. There were a few more bypasses found after that hardening, and 19.0.0.185 had another bypass hardening. The exploit uses a new exploitation method (ByteArray length corruption) since this new version of Adobe Flash Player.

Note, however, that with new mitigation from Adobe released after this incident, the ByteArray length corruption method no longer works.

To better understand the impact of the mitigations on attacker patterns, we compared exploit code line counts for the pdfsajoe routine, which exploits Adobe Flash Player versions earlier than 19.0.0.185, to the qeiofdsa routine, which exploits versions after 19.0.0.185. We learned that pdfsajoe has 139 lines of code versus qeiofdsa with 5,021.

While there is really no absolute way to measure the impact and line code alone is not a standard measurement, we know that in order to target the newer versions of Adobe Flash Player, the attacker would have to write 36 more times the lines of code.

Subroutine name pdfsajoe qeiofdsa
Vulnerable Flash Player version Below 19.0.0.185 19.0.0.185 and up
Mitigations No latest Vector mitigations Latest Vector mitigations applied
Lines of attack code 139 lines 5,021 lines
Ratio 1 36

Table 1 Before and after Vector mitigation

 

This tells us a lot about the importance of mitigation and the increasing cost of exploit code development. Mitigation in itself doesn’t fix existing vulnerabilities, but it is definitely raising the bar for exploits.

 

Heap spraying and vulnerability triggering

The exploit heavily relies on heap spraying. Among heap spraying of various objects, the code from Figure 3 shows the code where the ByteArray objects are sprayed. This ByteArray has length of 0x10. These sprayed objects are corruption targets.

Figure 3 Heap-spraying code

Figure 3 Heap-spraying code

 

The vulnerability lies in the implementation of fast memory opcodes. More detailed information on the usage of fast memory opcodes are available in the Faster byte array operations with ASC2 article at the Adobe Developer Center.

After setting up application domain memory, the code can use avm2.intrinsics.memory. The package provides various methods including li32 and si32 instructions. The li32 can be used to load 32bit integer values from fast memory and si32 can be used to store 32bit integer values to fast memory. These functions are used as methods, but in the AVM2 bytecode level, they are opcode themselves.

Figure 4 Setting up application domain memory

Figure 4 Setting up application domain memory

 

Due to the way these instructions are implemented, the out-of-bounds access vulnerability happens (Figure 5). The key to this vulnerability is the second li32 statement just after first li32 one in each IF statement. For example, from the li32((_local_4+0x7FEDFFD8)) statement, the _local_4+0x7FEDFFD8 value ends up as 4 after integer overflow. From the just-in-time (JIT) level, the range check is only generated for this li32 statement, skipping the range check JIT code for the first li32 statement.

Figure 5 Out-of-bounds access code using li32 instructions

Figure 5 Out-of-bounds access code using li32 instructions

 

We compared the bytecode level AVM2 instructions with the low-level x86 JIT instructions. Figure 6 shows the comparisons and our findings. Basically two li32 accesses are made and the JIT compiler optimizes length check for both li32 instructions and generates only one length check. The problem is that integer overflow happens and the length check code becomes faulty and allows bypasses of ByteArray length restrictions. This directly ends with out-of-bounds RW access of the process memory. Historically, fast memory implementation suffered range check vulnerabilities (CVE-2013-5330, CVE-2014-0497). The Virus Bulletin 2014 paper by Chun Feng and Elia Florio, Ubiquitous Flash, ubiquitous exploits, ubiquitous mitigation (PDF download), provides more details on other old but similar vulnerabilities.

Figure 6 Length check confusion

Figure 6 Length check confusion

 

Using this out-of-bounds vulnerability, the exploit tries to locate heap-sprayed objects.

These are the last part of memory sweeping code. We counted 95 IF/ELSE statements that sweep through memory range from ba+0x121028 to ba+0x17F028 (where ba is the base address of fast memory), which is 0x5E000 (385,024) byte size. Therefore, these memory ranges are very critical for this exploit’s successful run.

Figure 7 End of memory sweeping code

Figure 7 End of memory sweeping code

 

Figure 8 shows a crash point where the heap spraying fails. The exploit heavily relies on a specific heap layout for successful exploitation, and the need for heap spraying is one element that makes this exploit unreliable.

Figure 8 Out-of-bounds memory access

Figure 8 Out-of-bounds memory access

 

This exploit uses a corrupt ByteArray.length field and uses it as RW primitives (Figure 9).

Figure 9 Instruction si32 is used to corrupt ByteArray.length field

Figure 9 Instruction si32 is used to corrupt ByteArray.length field

 

After ByteArray.length corruption, it needs to determine which ByteArray is corrupt out of the sprayed ByteArrays (Figure 10).

 

Figure 10 Determining corrupt ByteArray

Figure 10 Determining corrupt ByteArray

RW primitives

The following shows various RW primitives that this exploit code provides. Basically these extensive lists of methods provide functions to support different application and operating system flavors.

Figure 11 RW primitives

Figure 11 RW primitives

 

For example, the read32x86 method can be used to read an arbitrary process’s memory address on x86 platform. The cbIndex variable is the index into the bc array which is an array of the ByteArray type. The bc[cbIndex] is the specific ByteArray that is corrupted through the fast memory vulnerability. After setting virtual address as position member, it uses the readUnsignedInt method to read the memory value.

Figure 12 Read primitive

Figure 12 Read primitive

 

The same principle applies to the write32x86 method. It uses the writeUnsignedInt method to write to arbitrary memory location.

Figure 13 Write primitive

Figure 13 Write primitive

 

Above these, the exploit can perform a slightly complex operation like reading multiple bytes using the readBytes method.

Figure 14 Byte reading primitive

Figure 14 Byte reading primitive

 

Function object virtual function table corruption

Just after acquiring the process’s memory RW ability, the exploit tries to get access to code execution. This exploit uses a very specific method of corrupting a Function object and using the apply and call methods of the object to achieve shellcode execution. This method is similar to the exploit method that was disclosed during the Hacking Team leak. Figure 15 shows how the Function object’s virtual function table pointer (vptr) is acquired through a leaked object address, and low-level object offset calculations are performed. The offsets used here are relevant to the Adobe Flash Player’s internal data structure and how they are linked together in the memory.

Figure 15 Resolving Function object vptr address

Figure 15 Resolving Function object vptr address

 

This leaked virtual function table pointer is later overwritten with a fake virtual function table’s address. The fake virtual function table itself is cloned from the original one and the only pointer to apply method is replaced with the VirtualProtect API. Later, when the apply method is called upon the dummy function object, it will actually call the VirtualProtect API with supplied arguments – not the original empty call body. The supplied arguments are pointing to the memory area that is used for temporary shellcode storage. The area is made read/write/executable (RWX) through this method.

Figure 16 Call VirtualProtect through apply method

Figure 16 Call VirtualProtect through apply method

 

Once the RWX memory area is reserved, the exploit uses the call method of the Function object to perform further code execution. It doesn’t use the apply method because it no longer needs to pass any arguments. Calling the call method is also simpler (Figure 17).

Figure 17 Shellcode execution through call method

Figure 17 Shellcode execution through call method

 

This shellcode-running routine is highly modularized and you can actually use API names and arguments to be passed to the shellcode-running utility function. This makes shellcode building and running very extensible. Again, this method has close similarity with the code found with the Adobe Flash exploit leaked during the Hacking Team information leak in July 2015.

Figure 18 Part of shellcode call routines

Figure 18 Part of shellcode call routines

 

Note that the exploit’s method of using the corrupted Function object virtual table doesn’t work on Microsoft Edge anymore as it has additional mitigation against these kinds of attacks.

ROP-less shellcode

With this exploit, shellcode is not just contiguous memory area, but various shellcodes are called through separate call methods. As you can see from this exploit, we are observing more exploits operate without return-oriented programming (ROP) chains. We can track these calls by putting a breakpoint on the native code that performs the ActionScript call method. For example, the disassembly in Figure 19 shows the code that calls the InternetOpenUrlA API call.

 

Figure 19 InternetOpenUrlA 1st download

Figure 19 InternetOpenUrlA 1st download

 

This call only retrieves some portion of a portable executable (PE) file’s header, but not the whole file. It will do another run of the InternetOpenUrlA API call to retrieve the remaining body of the payload. This is most likely a trick to confuse analysts who will look for a single download session for payloads.

Figure 20 InternetOpenUrlA 2nd download

Figure 20 InternetOpenUrlA 2nd download

Conclusion

With the analysis of the Adobe Flash Player-targeting exploit used by DUBNIUM last December, we learned they are using highly organized exploit code with extensive support of operating system flavors. However, some functionalities for some operating system are not yet implemented. For example, some 64-bit support routines had an empty function inside them.

The way the shellcode is authored makes the exploit code very extensible and flexible as changing shellcode behavior is extremely simple – as much as just changing AS3 code lines.

The actual first stage payload download is not just performed by a single download but are split into two.

They also use the ByteArray.length corruption technique to achieve process memory RW access. There was a hardening upon this object just after this incident and ByteArray now has better sanity checks. Therefore, the same technique would not work as straightforwardly as in this exploit for the versions after the hardening.

The exploit relies heavily on heap-spraying techniques, and this is one major element that makes this exploit unreliable.

This is a good example of how mitigation undermines an exploit’s stability, and how it increases exploit development cost.

Due to the exploitation method it relies on for the Function object corruption, with Microsoft Edge you have additional protection over this new exploit method.

 

Jeong Wook Oh
MMPC

Categories: Uncategorized Tags:

Where’s the Macro? Malware authors are now using OLE embedding to deliver malicious files

June 14th, 2016 No comments

Recently, we’ve seen reports of malicious files that misuse the legitimate Office object linking and embedding (OLE) capability to trick users into enabling and downloading malicious content. Previously, we’ve seen macros used in a similar matter, and this use of OLE might indicate a shift in behavior as administrators and enterprises are mitigating against this infection vector with better security and new options in Office.

In these new cases, we’re seeing OLE-embedded objects and content surrounded by well-formatted text and images to encourage users to enable the object or content, and thus run the malicious code. So far, we’ve seen these files use malicious Visual Basic (VB) and JavaScript (JS) scripts embedded in a document.

The script or object is surrounded by text that encourages the user to click or interact with the script (which is usually represented with a script-like icon). When the user interacts with the object, a warning prompts the user whether to proceed or not. If the user chooses to proceed (by clicking Open), the malicious script runs and any form of infection can occur.

Packager warning

Figure 1: Warning message prompts the users to check whether they should open the script or not.

It’s important to note that user interaction and consent is still required to execute the malicious payload. If the user doesn’t enable the object or click on the object – then the code will not run and an infection will not occur.

Education is therefore an important part of mitigation – as with spam emails, suspicious websites, and unverified apps. Don’t click the link, enable the content, or run the program unless you absolutely trust it and can verify its source.

In late May 2016, we came across the following Word document (Figure 2) that used VB script and language similar to that used in CAPTCHA and other human-verification tools.

 

Screenshot of an invitation to unlock contents

Figure 2: Invitation to unlock contents

 

It’s relatively easy for the malware author to replace the contents of the file (the OLE or embedded object that the user is invited to double-click or activate). We can see this in Figure 3, which indicates the control or script is a JS script.

A screenshot of a possible JavaScript variant

Figure 3: Possible JavaScript variant

 

The icon used to indicate the object or content can be just about anything. It can be a completely different icon that has nothing to do with the scripting language being used – as the authors can use any pictures and any type

Screenshot of an embedded object variant

Figure 4: Embedded object variant

 

It’s helpful to be aware of what this kind of threat looks like, what it can look like, and to educate users to not enable, double-click, or activate embedded content in any file without first verifying its source.

Technical details – downloading and decrypting a binary

On the sample we investigated, the contents of the social engineering document is a malicious VB script, which we detect as TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs. This sample also distinguishes itself from the typical download-and-execute routine common to this type of infection vector – it has a “decryption function”.

This malicious VB script will download an encrypted binary, bypassing any network-based protection designed to recognize malicious formats and block them, decrypt the binary, and then run it. Figure 5 illustrates the encrypted binary we saw in this sample.

Screenshot of the encrypted binary

Figure 5: The encrypted binary

 

The embedded object or script downloads the encrypted file to %appdata% with a random file name, and proceeds to decrypt it using the script’s decryption function (Figure 6).

Screenshot of the decryption process, part 1

Screenshot of the decryption process, part 2

Screenshot of the decryption process, part 3

Figure 6: Decryption process

Lastly, it executes the now-decrypted binary, which in this example was Ransom:Win32/Cerber.

Screenshot of the decrypted Win32 executable

Figure 7: Decrypted Win32 executable

Prevalence

Our data shows these threats (TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs) are not particularly prevalent, with the greatest concentration in the United States.

We’ve also seen a steady decline since we first discovered it in late May 2016.

Worldwide prevalence of TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs

Figure 8: Worldwide prevalence

Daily prevalence of TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs

Figure 9: Daily prevalence

 

Prevention and recovery recommendations

Administrators can prevent activation of OLE packages by modifying the registry key HKCUSoftwareMicrosoftOffice<Office Version><Office application>SecurityPackagerPrompt.

The Office version values should be:

  • 16.0 (Office 2016)
  • 15.0 (Office 2013)
  • 14.0 (Office 2010)
  • 12.0 (Office 2007)

 

Setting the value to 2 will cause the  to disable packages, and they won’t be activated if a user tries to interact with or double-click them.

The value options for the key are:

  • 0 – No prompt from Office when user clicks, object executes
  • 1 – Prompt from Office when user clicks, object executes
  • 2 – No prompt, Object does not execute

You can find details about this registry key the Microsoft Support article, https://support.microsoft.com/en-us/kb/926530

 

See our other blogs and our ransomware help page for further guidance on preventing and recovering from these types of attacks:

 

 

Alden Pornasdoro

MMPC

 

Reverse-engineering DUBNIUM

June 10th, 2016 No comments

DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.

We located multiple variants of multiple-stage droppers and payloads in the last few months, and although they are not really packed or obfuscated in a conventional way, they use their own methods and tactics of obfuscation and distraction.

In this blog, we will focus on analysis of the first-stage payload of the malware.

As the code is very complicated and twisted in many ways, it is a complex task to reverse-engineer the malware. The complexity of the malware includes linking with unrelated code statically (so that their logic can hide in a big, benign code dump) and excessive use of an in-house encoding scheme. Their bootstrap logic is also hidden in plain sight, such that it might be easy to miss.

Every sub-routine from the malicious code has a “memory cleaner routine” when the logic ends. The memory snapshot of the process will not disclose many more details than the static binary itself.

The malware is also very sneaky and sensitive to dynamic analysis. When it detects the existence of analysis toolsets, the executable file bails out from further execution. Even binary instrumentation tools like PIN or DynamoRio prevent the malware from running. This effectively defeats many automation systems that rely on at least one of the toolsets they check to avoid. Avoiding these toolsets during analysis makes the overall investigation even more complex.

With this blog series, we want to discuss some of the simple techniques and tactics we’ve used to break down the features of DUBNIUM.

We acquired multiple versions of DUBNIUM droppers through our daily operations. They are evolving slowly, but basically their features have not changed over the last few months.

In this blog, we’ll be using sample SHA1: dc3ab3f6af87405d889b6af2557c835d7b7ed588 in our examples and analysis.

Hiding in plain sight

The malware used in a DUBNIUM attack is committed to disguising itself as Secure Shell (SSH) tool. In this instance, it is attempting to look like a certificate generation tool. The file descriptions and other properties of the malware look convincingly legitimate at first glance.

Figure 1: SSH tool disguise

Figure 1: SSH tool disguise

 

When it is run, the program actually dumps out dummy certificate files into the file system and, again, this can be very convincing to an analyst who is initially researching the file.

Figure 2 Create dummy certificate files

Figure 2 Create dummy certificate files

 

The binary is indeed statically linked with OpenSSL library, such that it really does look like an SSH tool. The problem with reverse engineering this sample starts from the fact that it has more than 2,000 functions and most of them are statically linked to OpenSSL code without symbols.

Figure 3: DUBNIUM functions list

Figure 3: DUBNIUM functions list

 

The following is an example of one of these functions – note it even has string references to the source code file name.

Figure 4: Code snippet that is linked from OpenSSL library

Figure 4: Code snippet that is linked from OpenSSL library

 

It can be extremely time-consuming just going through the dump of functions that have no meaning at all in the code – and this is only one of the more simplistic tactics this malware is using.

We can solve this problem using binary similarity calculation. This technique has been around for years for various purposes, and it can be used to detect code that steals copyrighted code from other software.

The technique can be used to find patched code snippets in the software and to find code that was vulnerable for attack. In this instance, we can use the same technique to clean up unnecessary code snippets from our advanced persistent threat (APT) analysis and make a reverse engineer’s life easier.

Many different algorithms exist for binary similarity calculation, but we are going to use one of the simplest approach here. The algorithm will collect the op-code strings of each instruction in the function first (Figure 5). It will then concatenate the whole string and will use a hash algorithm to get the hash out of it. We used the SHA1 hash in this case.

Figure 5: Op code in the instructions

Figure 5: Op code in the instructions

 

Figure 6 shows the Python-style pseudo-code that calculates the hash for a function. Sometimes, the immediate constant operand is a valuable piece of information that can be used to distinguish similar but different functions and it also includes the value in the hash string. It is using our own utility function RetrieveFunctionInstructions which returns a list of op-code and operand values from a designated function.


01 def CalculateFunctionHash(self,func_ea):
02     hash_string=''
03     for (op, operand) in self.RetrieveFunctionInstructions(func_ea):
04            hash_string+=op
05            if len(drefs)==0:
06                  for operand in operands:
07                         if operand.Type==idaapi.o_imm:
08                                hash _string+=('%x' % operand.Value)
09
10     m=hashlib.sha1()
11     m.update(op_string)
12     return m.hexdigest()

Figure 6: Pseudo-code for CalculateFunctionHash

With these hash values calculated for the DUBNIUM binary, we can compare these values with the hash values from the original OpenSSL library. We identified from the compiler-generated meta-data that the version the sample is linked to is openssl-1.0.1l-i386-win. After gathering same hash from the OpenSSL library, we could import symbols for the matched functions. In this way, removed most of the functions from our analysis scope.

Figure 7: OpenSSL functions

Figure 7: OpenSSL functions

(This blog is continued on the next page)

Link (.lnk) to Ransom

May 27th, 2016 No comments

We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransom leverages removable and network drives to propagate itself and affect more users. We detect this ransomware as Ransom:Win32/ZCryptor.A.

 

Infection vector

Ransom:Win32/ZCryptor.A  is distributed through the spam email infection vector. It also gets installed in your machine through other macro malware*, or fake installers (Flash Player setup).

Once ZCryptor is executed, it will make sure it runs at start-up:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun

zcrypt = {path of the executed malware}

 

It also drops autorun.inf in removable drives, a zycrypt.lnk in the start-up folder:

%User Startup%zcrypt.lnk

..along with a copy of itself as {Drive}:system.exe and %appdata%zcrypt.exe, and changes the file attributes to hide itself from the user in file explorer.

For example: c:usersadministratorappdataroamingzcrypt.exe

Payload

This ransomware will display the following ransom note to users in a dropped HTML file How to decrypt files.html:

Screenshot of Win32/ZCryptor.A  ransom note

 

It will also target, encrypt files with the following extension, and change the file extension to .zcrypt once it is done (for example,<originalfilename.zcrypt>):

.accdb .dwg .odb .raf
.apk .dxg .odp .raw
.arw .emlx .ods .rtf
.aspx .eps .odt .rw2
.avi .erf .orf .rwl
.bak .gz .p12 .sav
.bay .html .p7b .sql
.bmp .indd .p7c .srf
.cdr .jar .pdb .srw
.cer .java .pdd .swf
.cgi .jpeg .pdf .tar
.class .jpg .pef .tar
.cpp .jsp .pem .txt
.cr2 .kdc .pfx .vcf
.crt .log .php .wb2
.crw .mdb .png .wmv
.dbf .mdf .ppt .wpd
.dcr .mef .pptx .xls
.der .mp4 .psd .xlsx
.dng .mpeg .pst .xml
.doc .msg .ptx .zip
.docx .nrw .r3d .3fr

 

Infected machines are noticed to have zcrypt1.0 mutex. The mutex denotes that an instance of this ransomware is already running in the infected machine.

We have also seen a connection to the following URL. However, the domain is already down when we were testing:

http://<obfuscated>/rsa/rsa.php?computerid={Computer_ID} where the {Computer_ID} is entry found inside a dropped file %AppData%cid.ztxt

For example, c:usersadministratorappdataroamingcid.ztxt

Prevention

To help stay protected:

  • Keep your Windows Operating System and antivirus up-to-date.  Upgrade to Windows 10.
  • Regularly back-up your files in an external hard-drive
  • Enable file history or system protection. In your Windows 10 or Windows 8.1 devices, you must have your file history enabled and you have to setup a drive for file history
  • Use OneDrive for Business
  • Beware of phishing emails, spams, and clicking malicious attachment
  • Use Microsoft Edge to get SmartScreen protection. It will prevent you from browsing sites that are known to be hosting exploits, and protect you from socially-engineered attacks such as phishing and malware downloads.
  • Disable the loading of macros in your Office programs
  • Disable your Remote Desktop feature whenever possible
  • Use two factor authentication
  • Use a safe internet connection
  • Avoid browsing web sites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.)

Detection

Recovery

In Office 365’s How to deal with ransomware blog, there are several options on how one can remediate or recover from a ransomware attack. Here are some of the few that are applicable for a home user or those in the information industry like you:

  1. Make sure you have backed-up your files.
  2. Recover the files in your device. If you have previously turned File History on in Windows 10 and Windows 8.1 devices or System Protection in Windows 7 and Windows Vista devices, you can (in some cases) recover your local files and folders.

To restore your files or folders in Windows 10 and Windows 8.1:

  • Swipe in from the right edge of the screen, tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search). Enter “restore your files” in the search box, and then tap or click Restore your files with File History.
  • Enter the name of file you’re looking for in the search box, or use the left and right arrows to browse through different versions of your folders and files.
  • Select what you want to restore to its original location, and then tap or click the Restore button. If you want to restore your files onto a different location than the original, press and hold, or right-click the Restore button, tap or click Restore To, and then choose a new location.

Source: Restore files or folders using File History

To restore your files in Windows 7 and Windows Vista

  • Right-click the file or folder, and then click Restore previous versions. You’ll see a list of available previous versions of the file or folder. The list will include files saved on a backup (if you’re using Windows Backup to back up your files) as well as restore points. Note: To restore a previous version of a file or folder that’s included in a library, right-click the file or folder in the location where it’s saved, rather than in the library. For example, to restore a previous version of a picture that’s included in the Pictures library but is stored in the My Pictures folder, right-click the My Pictures folder, and then click Restore previous versions. For more information about libraries, see Include folders in a library.
  • Before restoring a previous version of a file or folder, select the previous version, and then click Open to view it to make sure it’s the version you want. Note: You can’t open or copy previous versions of files that were created by Windows Backup, but you can restore them.
  • To restore a previous version, select the previous version, and then click Restore.

Warning: The file or folder will replace the current version on your computer, and the replacement cannot be undone. Note: If the Restore button isn’t available, you can’t restore a previous version of the file or folder to its original location. However, you might be able to open it or save it to a different location.

Source: Previous versions of files: frequently asked questions

Important: Some ransomware will also encrypt or delete the backup versions and will not allow you to do the actions described before. If this is the case, you need to rely on backups in external drives (not affected by the ransomware) or OneDrive (Next step).

Warning: If the folder is synced to OneDrive and you are not using the latest version of Windows, there might be some limitations using File History.

  1. Recover your files in your OneDrive for Consumer
  2. Recover your files in your OneDrive for Business

If you use OneDrive for Business, it will allow you to recover any files you have stored in it. You can use either of the following options:

Restore your files using the Portal

Users can restore previous version of the file through the user interface. To do this you can:

1. Go to OneDrive for Business in the office.com portal

2. Right click the file you want to recover, and select Version History.

3. Click the dropdown list of the version you want to recover and select restore

 

If you want to learn more about this feature, take a look at the Restore a previous version of a document in OneDrive for Business support article.

Create a Site Collection Restore service request

If a large number of files were impacted, using the user interface in the portal will not be a viable option. In this case, create a support request for a ‘Site Collection Restore’. This request can restore up to 14 days in the past. To learn how to do this please take a look at the Restore Option in SharePoint Online blog post.

 

*Related macro malware information:

 

Edgardo Diaz and Marianne Mallen

Microsoft Malware Protection Center (MMPC)

Limited Periodic Scanning in Windows 10 to Provide Additional Malware Protection

May 26th, 2016 No comments

Every month, Microsoft’s Malicious Software Removal Tool (MSRT) scans more than 500 million Windows devices for malware and malicious software. This tool aids in the detection and removal of malware from 1 to 2 million machines each time, even on those devices running antivirus software. Meanwhile, many Windows customers continue to use the Microsoft Safety Scanner (MSS) to manually scan their PC for malware.

Windows 10 is the most secure operating system Microsoft has ever shipped, and we continue to make it better with regular security updates and new features. For example, we’re making malware detection and protection even easier and more seamless for our customers, whether they choose to use the built-in Windows Defender antivirus or a third-party antivirus solution. Starting with the Windows 10 Anniversary Update this summer—and available in this week’s Windows Insider build—Windows 10 will include a new security setting called Limited Periodic Scanning. Windows Insiders can enable this feature on unmanaged devices today.

When enabled, Windows 10 will use the Windows Defender scanning engine to periodically scan your PC for threats and remediate them.  These periodic scans will utilize Automatic Maintenance—to ensure the system chooses optimal times based on minimal impact to the user, PC performance, and energy efficiency—or customers can schedule these scans. Limited Periodic Scanning is intended to offer an additional line of defense to your existing antivirus program’s real-time protection.

 

Enabling Windows 10 Limited Periodic Scanning

If you are not using Windows Defender as your antivirus program on Windows 10, you can enable Limited Periodic Scanning under Settings.

  1. Navigate to Settings -> Update & Security -> Windows Defender.
  2. Turn Limited Periodic Scanning on.

Screenshot of the Limited Periodic Scanning option

If you are already using Windows Defender as your antivirus program on Windows 10, then you already have this feature enabled. Windows Defender periodically scans your PC, also known as Scheduled scans.

 

Notifying you of threats found on your PC

When Windows 10 Limited Periodic Scanning is turned ON, and even if you are NOT using Windows Defender for your real-time protection, the Windows Defender user interface and History tab will allow you to view any additional threats that have been detected.

Screenshot of Windows Defender periodic scanning settings Screenshot of the Windows Defender History settings

When a threat is found, Windows Defender will notify you with a Windows 10 notification. In most cases, Windows Defender will also automatically take action on the threat. Clicking on the notification will open Windows Defender where you can further review the threat that was found and the action that was automatically taken.

Screenshot of the Windows Defender scan notification

Clicking the notification will take you to the Windows Defender main user interface, where additional actions (if required) can be taken and applied.

At this time, Windows 10 Limited Periodic Scanning is intended for consumers. We are evaluating this feature for commercial customers, but Limited Periodic Scanning only applies to unmanaged devices for the Windows 10 Anniversary Update.

Windows 10 is our most secure operating system yet, and we will continue to improve Windows 10 with features like Limited Periodic Scanning. With Windows 10, you can rest assured you’ll always have the latest security protections. To learn more about the security features offered in Windows 10 visit: http://www.microsoft.com/security.

 

 

Deepak Manohar

Microsoft Malware Protection Center

The 5Ws and 1H of Ransomware

May 19th, 2016 No comments

For the past three months, we have seen ransomware hop its way across globe. Majority of the ransomware incidents are found in the United States, then Italy, and Canada.

Ransomware geographical distribution for from February to April 2016

The prevalence of large-scale ransomware incidents led the United States and Canadian governments to issue a joint statement about ransomware. Due to the global ransomware incidents, the Swiss government along with some industry players will also hold the Ransomware InfoDay today, May 19, 2016, as part of the ransomware awareness campaigns.

The following table shows the top 20 countries where ransomware is most prevalent.

Top 20 countries with the most prevalent ransomware incidents

This blog answers the frequently asked questions (who, what, where, when, why, and how) about a malware with an effect so tangible that it manages to lock your files, extort money from you, and disrupt important public and private operations.

Case in point: RANSOMWARE

 

Whom does it affect?

You! Do you use any mobile devices, PC, laptop, or the internet for surfing, emailing, working, or shopping online?Who could be a ransomware victim?

If yes, then you are a potential ransomware victim. Ensure that precautionary measures are taken, see the Prevention section for details.

 

 

What is ransomware?

Ransomware is a malware that stealthily gets installedWhat is ransomware? in your PC or mobile device and holds your files or operating system functions for ransom. It restricts you from using your PC or mobile device, and fromaccessing your files (files are sometimes locked or encrypted), unless you pay the ransom (in exchange for file decryption).

Paying the ransom (either through credit card or Bitcoins) however, does not guarantee that you’ll get your files back. Prevention is still way better than allowing yourself to be infected and then trying to find a cure. See our Ransomware page for details.

 

 

What does a ransomware attack look like?

Ransomware targets your pictures, documents, files, and data that are personally invaluable.

You can tell that you are under attack when you see any of the following:

  • Ransomware note
  • Encrypted files
  • Renamed files
  • Locked browser
  • Locked screen

However, the ransomware attack symptom varies from one ransomware type to another:

Sample ransomware lockscreens and ransom notes

 

What!?! There are several ransomware types?

Yes. From the time that it first surfaced in 1989, ransomware morphed into different forms as it assimilates to people’s computing habits, leverage recent technologies, and monetization strategies available.

There are two types of ransomware – lockscreen ransomware and encryption ransomware.

  • Lockscreen ransomware shows a full-screen message that prevents you from accessing your PC or files. It says you have to pay money (a “ransom”) to get access to your PC again.
  • Encryption ransomware changes your files so you can’t use them. It does this by encrypting the files – see the Details for enterprises section if you’re interested in the technologies and techniques we’ve seen.

Older versions of ransom usually claim you have done something illegal with your PC, and that you are being fined by a police force or government agency.

These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC.

Ransomware history from 1989 to 2016

 

Where can a ransomware attack happen?

R_consumer7Computers and mobile devices.

Ransomware employs its encryption and monetization strategies across PC and mobile devices.

 

 

 

 

When can a ransomware attack start?Ransomware attack workflow

Potential victims can fall into the ransomware trap if they are:

  • Browsing untrusted websites
  • Not careful about downloading or opening file attachments which are known to contain malicious code from spam emails. That also includes compressed files or files inside archives. Some possible attachments can be:
    • Executables (.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .hlp, .ht, .hta, .inf, .ins, .isp, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .pcd, .reg, .scr, .sct, .shs, .url, .vb, .vbe, .vbs, .wsc, .wsf, .wsh, .exe, .pif, etc.)
    • Office files that support macros (.doc, .xls, .docm, .xlsm, .pptm, etc.)
  • Installing pirated software, outdated software programs or operating systems
  • Using a PC that is connected to an already infected network

 

Why do malware perpetrators victimize people with ransomware?

Because they have malicious or criminal intentions, and see it as an easy way to make money. They take advantage of people’s ignorance, unpatched software vulnerability, or zero-day vulnerability.

Ransomware in the news affecting crucial public and private services

 

On the other hand, it mars an enterprise company’s security and reputation as some ransomware incidents halt crucial services such as hospitals – thus forcing infected users to pay up if they haven’t backed up their data.

Why must you educate yourself about ransomware?

Because it can take your hard-earned money in exchange of the stuff you already own – your data or files!! Exxroute ransomware, for example, demands $500 and doubles the ransom as you delay the payment. It also starts deleting your files if you delay the payment.

It can also violate your privacy, disrupt your work or personal life, and possibly harm your reputation.

If the ransomware perpetrators are cashing in on people’s ignorance, then educating yourself about it can help disrupt their business.

Download the ransomware infographics here.

How can you avoid and bounce from a ransomware attack?

Prevention

  • Keep your Windows Operating System and antivirus up-to-date.  Upgrade to Windows 10.
  • Regularly back-up your files in an external hard-drive.
  • Enable file history or system protection. In your Windows 10 or Windows 8.1 devices, you must have your file history enabled and you have to setup a drive for file history.
  • Use OneDrive for Consumer or for Business.
  • Beware of phishing emails, spams, and clicking malicious attachment.
  • Use Microsoft Edge to get SmartScreen protection. It will prevent you from browsing sites that are known to be hosting exploits, and protect you from socially-engineered attacks such as phishing and malware downloads.
  • Disable the loading of macros in your Office programs.
  • Disable your Remote Desktop feature whenever possible.
  • Use two factor authentication.
  • Use a safe and password-protected internet connection.
  • Avoid browsing web sites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.).

Detection

Recovery

In Office 365’s How to deal with ransomware blog, there are several options on how one can remediate or recover from a ransomware attack. Here are some of the few that are applicable for a home user or those in the information industry like you:

  1. Make sure you have backed-up your files.
  2. Recover the files in your device. If you have previously turned File History on in Windows 10 and Windows 8.1 devices or System Protection in Windows 7 and Windows Vista devices, you can (in some cases) recover your local files and folders.

To restore your files or folders in Windows 10 and Windows 8.1:

  • Swipe in from the right edge of the screen, tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search). Enter “restore your files” in the search box, and then tap or click Restore your files with File History.
  • Enter the name of file you’re looking for in the search box, or use the left and right arrows to browse through different versions of your folders and files.
  • Select what you want to restore to its original location, and then tap or click the Restore button. If you want to restore your files onto a different location than the original, press and hold, or right-click the Restore button, tap or click Restore To, and then choose a new location.

Source: Restore files or folders using File History

To restore your files in Windows 7 and Windows Vista

  • Right-click the file or folder, and then click Restore previous versions. You’ll see a list of available previous versions of the file or folder. The list will include files saved on a backup (if you’re using Windows Backup to back up your files) as well as restore points. Note: To restore a previous version of a file or folder that’s included in a library, right-click the file or folder in the location where it’s saved, rather than in the library. For example, to restore a previous version of a picture that’s included in the Pictures library but is stored in the My Pictures folder, right-click the My Pictures folder, and then click Restore previous versions. For more information about libraries, see Include folders in a library.
  • Before restoring a previous version of a file or folder, select the previous version, and then click Open to view it to make sure it’s the version you want. Note: You can’t open or copy previous versions of files that were created by Windows Backup, but you can restore them.
  • To restore a previous version, select the previous version, and then click Restore.

Warning: The file or folder will replace the current version on your computer, and the replacement cannot be undone. Note: If the Restore button isn’t available, you can’t restore a previous version of the file or folder to its original location. However, you might be able to open it or save it to a different location.

Source: Previous versions of files: frequently asked questions

Important: Some ransomware will also encrypt or delete the backup versions and will not allow you to do the actions described before. If this is the case, you need to rely on backups in external drives (not affected by the ransomware) or OneDrive (Next step).

Warning: If the folder is synced to OneDrive and you are not using the latest version of Windows, there might be some limitations using File History.

3. Recover your files in your OneDrive for Consumer.

4. Recover your files in your OneDrive for Business.

If you use OneDrive for Business, it will allow you to recover any files you have stored in it. You can use either of the following options:

Restoring the files using the Portal

Users can restore previous version of the file through the user interface. To do this you can:

1. Go to OneDrive for Business in the office.com portal.

2. Right click the file you want to recover, and select Version History.

3. Click the dropdown list of the version you want to recover and select restore.

 

If you want to learn more about this feature, take a look at the Restore a previous version of a document in OneDrive for Business support article.

Site Collection Restore service request

If a large number of files were impacted, using the user interface in the portal will not be a viable option. In this case, create a support request for a ‘Site Collection Restore’. This request can restore up to 14 days in the past. To learn how to do this please take a look at the Restore Option in SharePoint Online blog post.

 

Microsoft Malware Protection Center

 

Malicious macro using a sneaky new trick

May 18th, 2016 No comments

We recently came across a file (ORDER-549-6303896-2172940.docm, SHA1: 952d788f0759835553708dbe323fd08b5a33ec66) containing a VBA project that scripts a malicious macro (SHA1: 73c4c3869304a10ec598a50791b7de1e7da58f36). We added it under the detection TrojanDownloader:O97M/Donoff – a large family of Office-targeting macro-based malware that has been active for several years (see our blog category on macro-based malware for more blogs).

However, there wasn’t an immediate, obvious identification that this file was actually malicious. It’s a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements).

Screenshot of VBA script editor showing the user form and list of modules

The VBA user form contains three buttons

 

The VBA modules look like legitimate SQL programs powered with a macro; no malicious code found there … However, after further investigation we noticed a strange string in the Caption field for CommandButton3 in the user form.

It appeared to be some sort of encrypted string.

We went back and reviewed the other modules in the file, and sure enough – there’s something unusual going on in Module2. A macro there (UsariosConectados) decrypts the string in the Caption field for CommandButton3, which turns out to be a URL. It uses the deault autoopen() macro to run the entire VBA project when the document is opened.

Screenshot of the VBA macro script in Module2 that decrypts the Caption string

The macro script in Module2 decrypts the string in the Caption field

 

The macro will connect to the URL (hxxp://clickcomunicacion.es/<uniqueid>) to download a payload which we detect as Ransom:Win32/Locky (SHA1: b91daa9b78720acb2f008048f5844d8f1649a5c4).

The VBA project (and, therefore, the macro) will automatically run if the user enables macros when opening the file – our strongest suggestion for the prevention of Office-targeting macro-based malware is to only enable macros if you wrote the macro yourself, or completely trust and know the person who wrote it.

See our threat intelligence report on macros and our macro-based malware page for further guidance on preventing and recovering from these types of attacks.

-Marianne Mallen and Wei Li
MMPC

Large Kovter digitally-signed malvertising campaign and MSRT cleanup release

May 10th, 2016 No comments

Kovter is a malware family that is well known for being tricky to detect and remove because of its file-less design after infection. Users from United States are nearly exclusively being targeted, and infected PCs are used to perform click-fraud and install additional malware on your machine.

Starting April 21, 2016, we observed a large Kovter malware attack where in just a week and a half we protected over 350,000 PCs from this threat. Interestingly, for this campaign the attackers managed to acquire trusted SSL digital certificates to secure an HTTPS SSL connection and their own code signing certificate to sign the downloaded malware with.

Kovter carried out this attack campaign using a technique called malvertising, masquerading as a fake Adobe Flash update. In this blog we will share some research into the structure of their malvertising attack, how our MSRT release will be cleaning it up, and the technical details of how Kovter installs and attempts to remain persistent as a file-less malware after it infects a PC.

Kovter’s digitally signed malvertising campaign

Malvertising is a technique used by bad actors to attack your PC, where they buy advertisement space with ad networks, ad exchanges, and ad publishers. These ads then appear on many websites who use the same advertisement network, and attacks some of the users as they visit the websites.

Unlike typical advertisements that require a user click, malvertising attacks often attack as soon as you visit a website that displays them.

Using this technique, we’ve seen malicious attackers use varied techniques such as:

  • Displaying repeated message boxes claiming your PC is infected and encouraging you to call a support phone number for help. These are malicious and they have not detected a problem on your PC.
  • Attempting to lock your browser and demanding payment as ransomware. You can close your browser or restart your computer to escape. This type of ransomware hasn’t really locked your PC.
  • Loading an exploit kit to attack your browser or browser plugin.
  • Claiming your browser, Adobe Flash Player, or Java is out of date and in need of an update. Often they will claim the update is required to view the website content or is needed for security reasons. Keeping these applications up-to-date is really important to keep your PC safe and secure from the latest vulnerabilities. However, you should never trust a website claiming to detect security problems on your PC. Instead, let these apps update if they request to outside of your browser or search for the official websites to install the missing components.

The recent Kovter malvertising attack falls into this last category, using a social engineering attack that states that your Adobe Flash is out of date and needs to be updated for security reasons.

Figure 1 below illustrates the Kovter infection chain used in this attack. Users visiting effected websites are redirected to fake websites impersonating the Adobe Flash hallmark download page claiming your Flash Player is out of date, and Trojan:Win32/Kovter is automatically downloaded pretending to be “FlashPlayer.exe”.

Kovter infection chain

Figure 1 – Kovter’s fake Adobe update malvertising infection chain

 

For this most recent campaign, we saw Kovter perpetrators redirecting to the following domains:

  • aefoopennypinchingpolly.com
  • ahcakmbafocus.org
  • ahxuluthscsa.org
  • caivelitemind.com
  • ierietelio.org
  • paiyafototips.com
  • rielikumpara.org
  • siipuneedledoctor.com
  • ziejaweleda.org

The domains from this campaign and previous campaigns commonly use the same domain registration information, and can be identified by:

Admin Email: monty.ratliff@yandex.com

As soon as the malicious advertisement is displayed, users are redirected to the Kovter social engineering page hosted using HTTPS according to the following pattern:

https://<domain>/<random numbers>/<random hex>.html

For example:

hxxps://ahxuluthscsa.org/4792924404046/89597dd177df3daa78f184fe87c4386c.html

By using HTTPS, your browser displays a ‘secure’ lock symbol – incorrectly adding to the user trust that the website is safe while at the same time preventing most network intrusion protection systems from protecting the user. Endpoint antimalware solutions, such as Windows Defender, still protect the user however. We were unable to confirm due to the servers being taken down, but reports online suggest trial COMODO SSL certificates were being used to secure these connections for the Kovter campaigns in the past.

When you visit the website, it automatically downloads Kovter as “FlashPlayer.exe”. It downloads from the same domains using a pattern such as:

hxxps://ahxuluthscsa.org/1092920552392/1092920552392/1461879398769944/FlashPlayer.exe

Some example FlashPlayer.exe downloaded files for reference are as follows:

Sha1 Md5
eafe025671e6264f603868699126d4636f6636c7
c26b064b826f4c1aa6711b7698c58fc0
0686c48fd59a899dfa9cbe181f8c52cbe8de90f0
e0a31d6b58017428dd8c907b14ea334e
62690c0a5a9946f91855a476b7d92447e299c89a
18ccf307730767c4620ae960555b9237
7a678fa58e310749362a432db9ff82aebfb6de62
f6406681e0652e33562d013a8c5329b9
872d157c9c844636dda2f33be83540354e04f709
42b1b775945a4f21f6105df8e9c698c2
37a8ad4a51b6f7b418c17abd8de9fc089a23125d
3767f655a462c4bf13ae83c5f7656af4
cfebfe6d4065dd14493abeb0ae6508a6d874d809
a14a38ebe3856766d55c1af35fb1681f
c48b21c854d6743c9ebe919bf1271cade9613890
321f9b3717655e1886305f4ca01129ad
4df10be4b12f3c7501184097abee681a1045f2ed
0966f977c6d319e838be9b2ceb689fbe
457f0f7fe85fb97841d748af04166f2a3e752efe
7214015e37750f3ee65d5054a5d1ff8a

 

These downloaded Kovter files were digitally signed by a trusted COMODO certificate under the company name “Itgms Ltd” as follows:

Comodo certificateComodo certificate

 

We notified COMODO of the code signing abuse by Kovter and they have since revoked this certificate. We suspect that the actors behind Kovter code-signed their fake Adobe Flash installer to increase the number of users who trust the downloaded file and decide to run it.

The sheer volume of PCs encountering Kovter during this attack, along with the attackers appearing to have been directly issued their own digital certificates is a cause for concern. Lucky for us, the digital signing actually worked to help us better identify files that are Kovter to better protect you – since we are able to uniquely identify and remove all files signed by this certificate. We will be continuing to monitor Kovter to keep you protected.

 

MSRT coverage

As part of our ongoing effort to provide better malware protection, the May release of the Microsoft Malicious Software Removal Tool (MSRT) includes detections for Kovter and Locky. Locky is a family of ransomware which uses infected Microsoft Office files to download the ransomware onto your PC

By adding Kovter and Locky detections to MSRT we hope to have a bigger impact by reaching more affected machines and helping remove these threats. However, as with all threats, prevention is the best protection.

 

Kovter Installation

On top of the recent Kovter Adobe Flash malvertising attack, we have also seen this trojan arrive as an attachment to spam emails. We have seen this malware being downloaded by TrojanDownloader:JS/Nemucod, for example:

  • Sha1: 36e81f09d2e1f9440433b080b056d3437a99a8e1
  • Md5: 74dccbc97e6bffbf05ee269adeaac7f8

When Kovter is installed, the malware drops its main payload as data in a registry key (HKCUsoftware<random_chars> or HKLMsoftware<random_chars>). For example, we have seen it drop the payload into the following registry keys:

  • hklmsoftwareoziyns8
  • hklmsoftware2pxhqtn
  • hkcusoftwarempcjbe00f
  • hkcusoftwarefxzozieg

Kovter then installs JavaScript as a run key registry value using paths that automatically run on startup such as:

  • hklmsoftwaremicrosoftwindowscurrentversionrun
  • hklmsoftwaremicrosoftwindowscurrentversionpoliciesexplorerrun
  • hklmsoftwarewow6432nodemicrosoftwindowscurrentversionrun
  • hklmsoftwarewow6432nodemicrosoftwindowscurrentversionpoliciesexplorerrun
  • hkcusoftwaremicrosoftwindowscurrentversionrun
  • hkcusoftwareclasses<random_chars>shellopencommand

The dropped JavaScript registry usually has the format: “mshta javascript: <malicious Kovter JavaScript>”. When executed at startup, this JavaScript loads the Kovter payload data registry key data into memory and execute it.

One executing in memory, the malware also injects itself into legitimate processes including:

  • regsvr32.exe
  • svchost.exe
  • iexplorer.exe
  • explorer.exe

After installation, the malware will remove the original installer from the disk leaving only registry keys that contain the malware.

 

Payload

Lowers Internet security settings

It modifies the following registry entries to lower your Internet security settings:

  • In subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones3 Sets value: “1400” With data: “0
  • In subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones1 Sets value: “1400” With data: “0

Sends your personal information to a remote server

We have seen this malware send information about your PC to the attacker, including:

  • Antivirus software you are using
  • Date and time zone
  • GUID
  • Language
  • Operating system

It can also detect some specific tools you use in your PC and sends that information back to the attacker:

  • JoeBox
  • QEmuVirtualPC
  • Sandboxie
  • SunbeltSandboxie
  • VirtualBox
  • VirtualPC
  • VMWare
  • Wireshark

Click-fraud

This threat can silently visit websites without your consent to perform click-fraud by clicking on advertisements. It does so by running several instances of Internet Explorer in the background.

Download updates or other malware

This threat can download and run files. Kovter uses this capability to update itself to a new version. This update capability has been used recently to install other malware such as:

 

Demographics

Kovter prevalence or encounters chart

Figure 2 – Kovter’s prevalence for the past two months shows a spike in the month of April

 

Kovter's geographic distribution

Figure 3 – Kovter’s geographic distribution shows that majority of the affected machines are in the United States

 

Mitigation and prevention

To help stay protected from Kovter, Locky and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:

 

Geoff McDonald and Duc Nguyen

MMPC

Gamarue, Nemucod, and JavaScript

May 9th, 2016 No comments

JavaScript is now being used largely to download malware because it’s easy to obfuscate the code and it has a small size. Most recently, one of the most predominant JavaScript malware that has been spreading other malware is Nemucod.

This JavaScript trojan downloads additional malware (such as Win32/Tescrypt and Win32/Crowti – two pervasive ransomware trojans that have been doing the rounds for a few years[1] – and Win32/Fareit) and installs it on a victim’s system through spam email.

Recently, however, we’ve seen another version of Nemucod distributing Gamarue malware to users.

Gamarue, also known as “Andromeda bot”, has been known to arrive through exploit kits, other executable malware downloaders (including Win32/Dofoil and Win32/Beebone), removable drives, and through that old stand-by: spam campaigns.

The shift to a JavaScript-obfuscated downloader might be an attempt by the malware authors to evade the increasing detection capabilities and sophistication in antimalware products.

A quick look into the obfuscated JavaScript code shows us that, aside from the encrypted strings, it uses variables with random names to hide its real code.

Sample of an obfuscated JavaScript code

Figure 1: Obfuscated code

 

The decrypted code is shown in the following image:

Sample of a decrypted JavaScript previously-obfuscated code

Figure 2: De-obfuscated code

 

Nemucod is known to have different hashes for each variant. For this one particular hash, since the detection was written in early April, 2016, it reached in total of 982 distinct machines with 4,192 reports – which indicates the number of Gamarue installations that could have occurred if it was not detected.

Nemucod detection rate

Figure 3:  Nemucod detection rate

 

Gamarue has been observed stealing vital information from your PC. It can also accept commands from a command and control (C&C) server. Depending on the commands received, a malicious hacker can perform various actions on the machine. See our family description of Win32/Gamarue for more information.

 

 

Nemucod impact

Since the start of 2016, Nemucod has risen in prevalence.

Rising Nemucod prevalence trend

Figure 4:  Rising Nemucod prevalence trend shows that it peaked on April

 

For the top 10 countries for Nemucod detections, the US takes a third, followed by Italy and Japan. The spread of infections is quite widespread across the globe.

Nemucod geoloc distribution from January to April 2016

Figure 5: Majority of the Nemucod infections are seen in the United States

Overall, however, it still remains relatively low, especially when compared to Gamarue.

 

Gamarue impact

Unlike Nemucod, Gamarue detections started high and have remained high since late last year. Overall, numbers have dropped a small amount since the start of 2016. Interestingly, there are large troughs during every weekend, with a return to higher numbers on Monday. This can indicate that Gamarue is especially pervasive either in enterprises, or in spam email campaigns.

Gamarue prevalence chart shows steady pattern from January to April 2016

Figure 6: The Gamarue infection trend shows a steady pattern

 

For Gamarue, the top 10 countries see distribution largely through India, Asia, Mexico, and Pakistan.

Gamarue geoloc distribution from January to April 2016

Figure 7: Majority of the Gamarue infection hits third world countries

 

Mitigation and prevention

To help stay protected from Nemucod, Gamarue, and other threats, use Windows Defender for Windows 10, or other up-to-date real-time product as your antimalware scanner.

Use advanced threat and cloud protection

You can boost your protection by using Office 365 Advanced Threat Protection and enabling Microsoft Active Protection Service (MAPS).

Office 365 helps by blocking dangerous email threats; see Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks, for details.

MAPS uses cloud protection to help guard against the latest malware threats. You should check if MAPS is enabled on your PC.

Some additional preventive measures that you or your administrators can proactively do:

 

———————————————————————–

[1] We’ve published a number of blogs about Crowti, including:

It was also featured in the July 2015 version of the Malicious Software Removal Tool (MSRT):

 

Donna Sibangan

MMPC

 

 

Keeping Browsing Experience in Users’ Hands, an Update…

March 24th, 2016 No comments

Since we published the Keeping Browsing Experience in Users’ Hands blog in December 2015, we’ve received feedback from the ecosystem and engaged in discussions with the industry. Based on those discussions and feedback, we are making a couple of updates.

We are broadening the scope of the evaluation criteria we blogged about to state:

Programs that change the user browsing experience must only use the browsers’ supported extensibility model for installation, execution, disabling and removal. Browsers without supported extensibility models will be considered non-extensible.

This addition addresses software that modifies the browsing experience, not just those that insert ads into the browsing experience.

Accordingly, we are moving the criterion from the Advertising criteria to become an expansion of our BrowserModifier criteria.

By doing so we are closing additional gaps that impact the browsing experience from outside the browser, not just ad injection software, and are pointing developers to comply with the browser’s respective extensibility models.

Internet Explorer and Microsoft Edge’s policy, for example, can be found at aka.ms/browserpolicy.

In addition, and due to the broadening of the policy, we are further extending the notification up until May 2, 2016.

We continue to encourage developers who may be affected by this policy to work with us during the notification time, and fix their software to become compliant with the new criteria and follow the respective browser policies.

Enforcement starts on May 2, 2016.

Barak Shein and Michael Johnson

MMPC

 

Categories: Uncategorized Tags:

New feature in Office 2016 can block macros and help prevent infection

March 22nd, 2016 No comments

Macro-based malware is on the rise and we understand it is a frustrating experience for everyone. To help counter this threat, we are releasing a new feature in Office 2016 that blocks macros from loading in certain high-risk scenarios.

 

Macro-based malware infection is still increasing

Macro-based malware continues its rise. We featured macro-based malware in our Threat Intelligence report last year, but infections are still increasing.

Despite periodic lulls, infections for the top 20 most detected macro-based malware were high over the past three months.

 

In the enterprise, recent data from our Office 365 Advanced Threat Protection service indicates 98% of Office-targeted threats use macros.

Note these are detections and not necessarily successful infections. To learn more about Advanced Threat Protection and other security features in Office 365, check out this blog and video.

The enduring appeal for macro-based malware appears to rely on a victim’s likelihood to enable macros. Previous versions of Office include a warning when opening documents that contain macros, but malware authors have become more resilient in their social engineering tactics, luring users to enable macros in good faith and ending up infected.

 

Block the macro, block the threat

In response to the growing trend of macro-based threats, we’ve introduced a new, tactical feature in Office 2016 that can help enterprise administrators prevent the risk from macros in certain high risk scenarios. This feature:

  1. Allows an enterprise to selectively scope macro use to a set of trusted workflows.
  2. Block easy access to enable macros in scenarios considered high risk.
  3. Provide end users with a different and stricter notification so it is easier for them to distinguish a high-risk situation against a normal workflow.

This feature can be controlled via Group Policy and configured per application. It enables enterprise administrators to block macros from running in Word, Excel and PowerPoint documents that come from the Internet. This includes scenarios such as the following:

  1. Documents downloaded from Internet websites or consumer storage providers (like OneDrive, Google Drive, and Dropbox).
  2. Documents attached to emails that have been sent from outside the organization (where the organization uses the Outlook client and Exchange servers for email)
  3. Documents opened from public shares hosted on the Internet (such as files downloaded from file-sharing sites).

Let’s walk through a common attack scenario and see this feature in action.

Claudia is an enterprise administrator at Contoso. After a rash of macro-based malware attacks targeting her organization, she learns of this new feature in Office 2016 and has rolled out a Group Policy update to all Office clients on the network.

Stewart is a cybercriminal looking to attack and penetrate the Contoso network. Stewart uses macro-based malware because he’s had recent successes using it. He launches his attack campaign against Contoso by targeting James, an employee there.

James receives an email from Stewart in his inbox that has an attached Word document. The email has content designed to pique James’s interest and influence him to open the attachment.

Email with a macro-enabled attachment

When James opens the Word document, it opens in Protected View. Protected View is a feature that has been available in Word, Excel, and PowerPoint since Office 2010. It is a sandboxed environment that lets a user read the contents of a document. Macros and all other active content are disabled within Protected View, and so James is protected from such attacks so long as he chooses to stay in Protected View.

Word document instructing a user to enable macros to get out of protected view mode

 

However, Stewart anticipates this step and has a clear and obvious message right at the top of the document designed to lure James into making decisions detrimental to his organization’s security. James follows the instructions in the document, and exits Protected View as he believes that will provide him with access to contents of the document. James is then confronted with a strong notification from Word that macros have been blocked in this document by his enterprise administrator. There is no way for him to enable the macro from within the document.

Warning message appears in a document if macros can't be enabled

 

James’s security awareness is heightened by the strong warning and he starts to suspect that there is something fishy about this document and the message. He quickly closes the document and notifies his IT team about his suspicions.

This feature relies on the security zone information that Windows uses to specify trust associated with a specific location. For example, if the location where the file originates from is considered the Internet zone by Windows, then macros are disabled in the document. Users with legitimate scenarios that are impacted by this policy should work with their enterprise administrator to identify alternative workflows that ensure the file’s original location is considered trusted within the organization.

 

Use Group Policy to enforce the setting, or configure it individually

Administrators can enable this feature for Word, Excel, and PowerPoint by configuring it under the respective application’s Group Policy Administrative Templates for Office 2016. For example, to enable this setting for Word:

  1. Open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
  2. In the Group Policy Management Editor, go to User configuration.
  3. Click Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center.
  4. Open the Block macros from running in Office files from the Internet setting to configure and enable it.

Group policy settings location

You can read more about this Group Policy setting at Plan security settings for VBA macros in Office 2016.

 

Final tips

For end-users, we always recommend that you don’t enable macros on documents you receive from a source you do not trust or know, and be careful even with macros in attachments from people you do trust – in case they’ve been hacked.

For enterprise administrators, turn on mitigations in Office that can help shield you from macro based threats, including this new macro-blocking feature. If your enterprise does not have any workflows that involve the use of macros, disable them completely. This is the most comprehensive mitigation that you can implement today.

Categories: macros, office, spam Tags:

No mas, Samas: What’s in this ransomware’s modus operandi?

March 18th, 2016 No comments

We’ve seen how ransomware managed to become a threat category that sends consumers and enterprise reeling when it hits them.  It has become a high-commodity malware that is used as payload to spam email, macro malware, and exploit kit campaigns. It also digs onto victims’ pockets in exchange for recovering files from their encrypted form.  This is where Crowti, Tescrypt, Teerac, and Locky have been very active at.

We’ve also observed some malware authors providing a different method of distribution in the black market called ransom-as-a-service (RaaS).  Malicious actors use RaaS to download the ransomware app builder and customize them accordingly.  We’ve seen two threats,  Sarento and Enrume, built through this type of service and deployed to infect machines during the second half of 2015.

 

How Samas is different from other ransomware?

 

Ransom:MSIL/Samas, which surfaced in the past quarter, has a different way of getting into the system – it has a more targeted approach of getting installed.  We have observed that this threat requires other tools or components to aid its deployment:

Figure 1:  Ransom:MSIL/Samas infection chain 

Samas ransomware’s tools of trade

 

The Samas infection chain diagram illustrates how Ransom:MSIL/Samas gets into the system.   It starts with a pen-testing/attack server searching for potential vulnerable networks to exploit with the help of a publicly-available tool named reGeorg, which is used for tunnelling.

Java-based vulnerabilities were also observed to have been utilized, such as direct use of unsafe JNI with outdated JBOSS server applications.

It can use other information-stealing malware (Derusbi/Bladabindi) to gather login credentials as well.  When it has done so, it will list the stolen credentials into a text file, for example, list.txt, and use this to deploy the malware and its components through a third party tool named psexec.exe through batch files that we detect as Trojan:BAT/Samas.B and Trojan:BAT/Samas.C.

One of the batch files that we detect as Trojan:Bat/Samas.B also deletes the shadow files through the vssadmin.exe tool.

Trojan:MSIL/Samas.A usually takes  the name of delfiletype.exe or sqlsrvtmg1.exe and does the following:

  1. Look for certain file extensions that are related to backup files in the system.
  2. Make sure they are not being locked up by other processes, otherwise, the trojan terminates such processes.
  3. Delete the backup files.

Ransom:MSIL/Samas demonstrates typical ransomware behavior by encrypting files in the system using AES algorithm and renaming the encrypted file with extension encrypted.RSA. It displays the ransom note when it has encrypted the files and will delete itself with the help of a binary in its resource named del.exe.

Figure 2: Click to enlarge the image so you can see the Samas ransom message clearly.

 

So far, we’ve seen a new Ransom:MSIL/Samas variant that shows signs of changing its code from the simple ASCII strings to more hex encoded characters possibly to better evade detection from security vendors.  An example below shows that the files extension names to encrypt has been converted to hex strings:


Figure 3:  Version 1 – Ransom:MSIL/Samas.A

 

Figure 4: Version 2 – Ransom:MSIL/Samas.B

 

It has also changed from using WordPress as its decryption service site, hxxps://lordsecure4u.wordpress.com, and moved on to a more obscure Tor site to help anonymize itself, hxxp://wzrw3hmj3pveaaqh.onion/diana.

Figure 5: Majority of the Ransom:MSIL/Samas infections are detected in North America, and a few instances in Europe

 

Mitigation and prevention

But yes, you can say no mas (translation from Spanish: no more) to Samas ransomware.

To help prevent yourself from falling prey to Samas or other ransomware attacks, use Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though ransomware and macro-based malware are on the rise, there’s still something that you or your administrators can proactively do:

 

Marianne Mallen

MMPC

 

The three heads of the Cerberus-like Cerber ransomware

March 10th, 2016 No comments

Early this month, we saw a new ransomware family that launches a three-prong attempt to get you to hand over your hard-earned cash.

Called “Cerber” (it replaces file extensions with .cerber), we like to think of this three-prong approach as a nod to the mythical multiple-headed hound, Cerberus.

The attack starts with a text-to-speech (TTS) synthesized recording of a text message:

  • Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!

While it’s not terribly original, originality doesn’t count for much in malware circles – if something works (that “something” usually forcing victims to pay money or lose data), then everyone just jumps on the bandwagon and before you know it, bam macros are being used to deliver malware.

So perhaps expect to see a lot more synthesized, robotic-sounding messages making the rounds, attempting to steal your data and money.

The use of audio files as part of a ransomware attack isn’t particularly new, Tobfy was doing it way back in 2014, but the rise of TTS through the popularity of Cortana, Siri, and Android Now might see a new (easier) way for ransomware authors to annoy their victims into paying, if only to quiet the constant TTS announcement at every logon.

In Cerber’s case, it uses a VisualBasic Script (.vbs file) to call the Microsoft Speech API (SAPI) SpVoice.Speak method at every start up.

VB script used to call the SAPI Speak method

If the API can’t call the speech synthesizer, you’ll see an error message similar to this:

Error returned when TTS is disabled or not available

The other “prongs” in the attack are the usual flavor of current ransomware notices – a simple .html page or .txt file is opened using the native handler. The files include instructions to download the Tor browser, connect to a specific Tor site and start transferring some Bitcoins. It might display the ransom notes in different languages, based on the victim’s IP geolocation.

HTML page with ransom payment instructions

Plain text file with ransom payment instructions

Ransomware has come a long way from the non-encrypting lockscreen FBI and national police authority scare warnings, and this newer “low-cost approach” is both frustrating and effective.

Unlike other current ransomware (like Crowti) it completely renames the extension and the file name for files it targets. It’s also very selective in choosing the folders where it won’t infect. The list of folders it avoids mostly includes system folders, such as Program Files, the Users folder, the Recycle Bin and various others. It does, however, encrypt files in folders in network shares, and in all drives on the machine, and uses RSA encryption.

The list of file types it targets is extensive, and includes common types such as Office documents, some database files (including .sql, and .sqlite), and archive files (for example, .rar and .zip).

It stores configuration data in JSON format, which it decrypts and loads directly to memory at run time. The data includes:

  • The list of file extensions it targets
  • The folders it avoids
  • The public RSA key used for encryption (the private key is stored on the attacker’s server)
  • The mutex name format
  • The .html and .txt content used in the ransom note
  • The IP of a server it sends statistical data to

See our malware encyclopedia entry for details on the file types and folders it targets.

Encrypted files are given a randomized jumble of 10 characters for the file name, and the extension is changed to .cerber. Therefore, a file called kawaii.png could be renamed to something like 5kdAaBbL3d.cerber.

The instructions presented to a victim will lead them to a website where they can choose their language (considerate!) and must enter a CAPTCHA or anti-spambot challenge (ironic!). The language-choice page begins with an instruction to “choose your language”. This phrase rotates between the 12 languages the user can choose from.

Choice of 12 languages

CAPTCHA to access the payment site

After they’ve passed these gates, the site provides details on how the victim can obtain and transfer Bitcoins to the attackers. There will be a “special price” that increases based on how quickly the victim pays the ransom, which is reminiscent of Crowti and others.

Cerber payment site, requesting Bitcoin

Our strongest suggestion to prevent attacks from Cerber and other ransomware remains the same: use Windows Defender as your antimalware client, and ensure that MAPS has been enabled.

Both ransomware and macro-based malware are on the rise, users can disable the loading of macros in Office programs, and administrators can disable macro loading using Group Policy settings.

Categories: ransomware Tags:

MSRT March 2016 – Vonteera

March 9th, 2016 No comments

As part of our ongoing effort to provide better malware protection, the March release of the Microsoft Malicious Software Removal Tool (MSRT) will include detections for Vonteera – a family of browser modifiers, and Fynloski – a family of backdoor trojans. In this blog, we’ll focus on the Vonteera family of browser modifiers.

BrowserModifier:Win32/Vonteera

We first detected BrowserModifier:Win32/Vonteera in August 2013, and the numbers have been pretty big; during the past six months, we’ve had over eight million detections. Encounters have been distributed among the following countries and regions:

Vonteera distribution numbers

We classify Vonteera as unwanted software because it violates the following objective criteria:

  • Lack of choice – the threat circumvents user consent dialogs from the browser or operating system. It installs, reinstalls, or removes software without your permission, interaction, or consent.
  • Lack of control – the threat prevents or limits you from viewing or modifying browser features or settings.
  • Installation and removal – the threat fails to use standard install/uninstall features, such as Add/Remove Programs.

Vonteera is usually distributed by software bundlers that offer free applications or games.

Once installed on your PC, it modifies your homepage and changes your search provider.

It uses Group Policy to install a plug-in into the following browsers in an effort to make it difficult to remove:

  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox

This makes it more difficult to change the browser settings and remove the added Vonteera plug-in through the Manage Add-ons settings.

Search policy message

More recent versions of Vonteera began adding legitimate certificates that belong to a number of security and antimalware products to the untrusted certificates list that the Windows operating system maintains, which forces Windows to not trust legitimate security and antimalware products. This means that if Vonteera is present on your PC, you might not be able to run your security software.

It also runs a service, so even if you try to delete these certificates from the untrusted list, Vonteera just adds them back to this list, so you still might not be able to run your security software.​

DESCRIPTION

Our malware encyclopedia entry for Win32/Vonteera has more details about this malware family.

By adding Vonteera to the MSRT we hope to have a bigger impact and reach more affected machines and help remove this unwanted software. However, as with all threats, prevention is the best protection.

Stay protected

To help stay protected from this and other threats we recommend running up-to-date real-time security software such as Windows Defender for Windows 8.1 and Windows 10.

We also recommend you:

For more tips on preventing malware infections, including ransomware infections, see:

Locky malware, lucky to avoid it

February 24th, 2016 No comments

You may have seen reports of the Locky malware circulating the web; we think this is a good time to discuss its distribution methods, and reiterate some best-practice methods that will help prevent infection.

We’ve seen Locky being distributed by spam email, not in itself a unique distribution method, but this means that spreading is broad and not isolated to any particular region. This ransomware knows no borders, and we’ve seen high infection rates across the world.
The Locky email attachment usually arrives as a Word document, but could also be an Excel document, that appears to be an invoice. We’ve also seen the following downloaders distribute Ransom:Win32/Locky.A:

If you open this file and allow the macro to run, the malware is downloaded and runs on your PC, encrypting your files. A ransom message is then displayed demanding payment in order to unlock your encrypted files. Note that once your files are encrypted, the only guaranteed way to restore them is from backup. Microsoft does not recommend you pay the ransom; there is no guarantee that this will give you access to your files.

While Microsoft detects and removes Locky, we recommend you disable macros to help prevent this and other macro-downloaded threats from infecting your PC, and then only enable macros that you trust, on a case-by-case basis. To help keep your enterprise secure, consider using a trusted location for files in your enterprise, then you can store documents that require macros there.  You can also use our cloud protection services to help boost your protection; this, and other advice on how to help keep your PC protected are outlined below.

 

Disable all except digitally signed macros in Microsoft Word

To help prevent malicious files from running macros that might download malware automatically, we recommend you change your settings to disable all except digitally signed macros.

To do this:

1. Open a Microsoft Word document.
2. Click the File tab.
3. Click Options.
4. In the Trust Center, click Trust Center Settings.

Trust Center settings

5. Select Disable all macros except digitally signed macros.

Macro settings in Trust Center

6. Click OK.

 

Block macros from running in Office files from the Internet in your enterprise

Office 16 provides a Group Policy setting that enables you to block macros from running in Word, Excel and PowerPoint files from the Internet. Read about how to block macros from running in Office 16 files from the Internet.

 

Only enable trusted content

If you have disabled macros, when you open a file that has macros you’ll see a message bar similar to the following:

Enable macro message

Only click Enable Content if you trust the file, that is, you know where it’s from and are certain that running the macro is harmless.

 

Use advanced threat and cloud protection

You can boost your protection by using Office 365 Advanced Threat Protection and also enabling Microsoft Active Protection Service (MAPS).

Office 365 helps by blocking dangerous email threats; see the Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks, for details.

MAPS uses cloud protection to help guard against the latest malware threats. You should check if MAPS is enabled on your PC.

 

Help prevent malware infections on your PC

There are a number of other things you can do to help prevent malware infections, for example:

 

So to wrap this up: this ransomware is bad, but infection is preventable! Microsoft detects and removes this threat, but by ensuring that you only run known, trusted macros, you’ll help prevent a Locky infection – and any other malware that relies on malicious macros. Generally, a good approach is to only allow digitally signed macros that you trust to run on any of your documents.

Stay safe, from all of us at the MMPC.

-Jasmine Sesso, MMPC