
CryptoWall 3.0 Ransomware Partners With FAREIT Spyware

  • Posted on:March 19, 2015 at 7:49 pm
  • Posted in:Malware, Ransomware
  • Author:
    Anthony Joe Melgarejo (Threat Response Engineer)

Crypto-ransomware is once again upping the ante with its routines. We came across one crypto-ransomware variant that’s combined with spyware, a first for crypto-ransomware. This development comes on the heels of the discovery that ransomware has added file infection to its routines.

CryptoWall 3.0

We first encountered CryptoWall as the payload of spammed messages last year. We noted that while other crypto-ransomware variants have a graphical user interface (GUI) for their payment purposes, CryptoWall relied on other means—opening a Tor site to directly ask for payment or opening the ransom note in Notepad, which contained the instructions to access a payment page via a Tor browser.

But a lot of things have changed since those first CryptoWall sightings. The earlier versions of CryptoWall pretended to be CryptoLocker, even mimicking its UI for its messages. Since then, we have seen CryptoWall use its own name and UI for its victims.

Also gone is the use of Tor for its command-and-control (C&C) servers. The latest version, dubbed CryptoWall 3.0, now uses hardcoded URLs. Admittedly, using Tor can be seen as an advantage for the anonymity offered. But the disadvantage is that system admins could easily block Tor network traffic or even the Tor application itself if there is no need for it.

The hardcoded URLs are heavily obfuscated so threat researchers wouldn’t extract them easily. Since URL blocking is reactive, there is a delay before the blocking can be implemented. During this “window,” the malware could have already communicated with the C&C server and acquired the RSA public key to be used for file encryption.

It should be noted that its C&C server is different from its payment page. The malware still uses Tor for its payment page so that transactions wouldn’t be hindered if authorities try to bring down their payment servers.

And perhaps as a “precautionary measure,” CryptoWall 3.0 deletes the system’s shadow copies to disable restoring files to their previous state, rendering victims with no other options for saving their files.

Using JavaScript and “JPEGS”

CryptoWall 3.0 arrives via spammed emails, using a JavaScript attachment. In the screenshot below, the attachment poses as a resume inside an archive file. A .JS file (detected as JS_DLOADR.JBNZ, JS_DLOAD.CRYP, and JS_DLOADE.XXPU) will be extracted from the archive, which is peculiar, as the file extensions usually associated with resumes are .DOC, .PDF and .RTF.


Figure 1. Sample spammed message

Selecting a .JS file could be seen as an evasion technique: its small file size may be skipped by some scanners, and the obfuscation applied to its code makes it harder to inspect.


Figure 2. Screenshot of the obfuscated code (truncated)

Further analysis of the .JS file reveals that it will connect to two URLs to download “.JPG” files. But don’t be fooled by the extension—this is an old technique which may bypass poorly designed intrusion detection systems (IDS) by disguising malware as an image file. Looking at the screenshot below, you will see that it actually downloads executable files.


Figure 3. MZ and PE signature of the downloaded executable file disguised as an image

The JS file will execute the said files after a successful download. The two files, one.jpg and two.jpg, are detected as TROJ_CRYPWAL.YOI and TSPY_FAREIT.YOI, respectively.
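The downloaded “.JPG” files are recognisable as executables from their headers (Figure 3) regardless of the extension. The following check is an added example, not code from the post or from Trend Micro: it walks the DOS header to the PE signature on a constructed byte string, so a download filter can flag an image-named file that is really a Windows executable.

```python
import struct

# Constructed sample shaped like the start of a PE file: a DOS "MZ" header
# whose e_lfanew field (offset 0x3C) points at the "PE\0\0" signature.
# This is not one of the samples from the post.
FAKE_JPG_PAYLOAD = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # DOS header, e_lfanew = 0x40
    + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 100    # PE signature, i386 machine
)
# Constructed start of a genuine JPEG (SOI marker followed by a JFIF APP0 segment).
REAL_JPEG_PREFIX = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 100

IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")


def looks_like_pe(data: bytes) -> bool:
    """True if the buffer carries a DOS 'MZ' header whose e_lfanew points at
    a 'PE\\0\\0' signature, whatever the file name says."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_jpeg(data: bytes) -> bool:
    """True if the buffer starts with the JPEG SOI marker."""
    return data[:3] == b"\xff\xd8\xff"


def classify_download(name: str, data: bytes) -> str:
    """Classify a downloaded file by content, then compare with its extension.
    The interesting verdict is an executable hiding behind an image name."""
    ext = name.lower().rsplit(".", 1)[-1]
    ext = "." + ext if "." in name else ""
    if looks_like_pe(data):
        if ext in IMAGE_EXTENSIONS:
            return "executable disguised as image"
        return "executable"
    if looks_like_jpeg(data):
        return "image"
    return "unknown"
```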

File Encryption

TROJ_CRYPWAL.YOI will create a new instance of explorer.exe to gain local admin privilege, provided that the victim has admin rights—which is a common setup. Using a legitimate system process like explorer.exe could help the malware bypass scanners that use whitelisting. It will create a new instance of svchost.exe with -k netsvcs arguments which will perform the C&C communication and file encryption. This also gives the malware system service privileges.


Figure 4. System modification

As you can see in the screenshot in Figure 4, it will also delete the shadow copies by issuing the command vssadmin.exe Delete Shadows /All /Quiet. This will prevent victims from restoring their files using the shadow copies.
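The process chain above (explorer.exe relaunched by the dropper, svchost.exe -k netsvcs spawned from explorer.exe, and vssadmin.exe deleting shadow copies) leaves a recognisable trail in process-creation telemetry. The rules below are an added example, not code from the post; the events are constructed Sysmon-style records modelled on the described chain, and the assumption that svchost.exe is normally started by services.exe is general Windows behaviour, not something the post states.

```python
# Constructed process-creation events modelled on the chain in the post;
# not real telemetry from the sample. Paths are assumed for illustration.
EVENTS = [
    {"pid": 1000, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"pid": 2000, "image": r"C:\Users\victim\AppData\Local\Temp\one.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "one.exe"},
    {"pid": 2100, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\one.exe", "cmdline": "explorer.exe"},
    {"pid": 2200, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 2300, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    # Benign control: the normal service-host launch by services.exe.
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, reason) pairs for events matching the CryptoWall 3.0 chain."""
    findings = []
    for e in events:
        img = basename(e["image"])
        parent = basename(e["parent_image"])
        parent_path = e["parent_image"].lower()
        cmd = e["cmdline"].lower()
        # Shadow-copy deletion: the exact command the post shows in Figure 4.
        if img == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
            findings.append((e["pid"], "shadow copy deletion via vssadmin"))
        # svchost.exe is normally a child of services.exe (assumed baseline);
        # a copy started by explorer.exe matches the described privilege trick.
        if img == "svchost.exe" and parent != "services.exe":
            findings.append((e["pid"], f"svchost.exe spawned by {parent}"))
        # explorer.exe relaunched by a binary living in a user-writable path.
        if img == "explorer.exe" and any(p in parent_path for p in USER_WRITABLE):
            findings.append((e["pid"], f"explorer.exe spawned from {parent_path}"))
    return findings
```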

After receiving the RSA public key for file encryption from its C&C server (the private key needed for decryption stays on the server), it will start encrypting files with certain file extensions. Targeted files include documents, databases, emails, images, audio, video, and source code.

After encrypting a file using the RSA-2048 encryption algorithm, it will append a random file extension to the original file name and add the “HELP_DECRYPT” files to the affected directory. After its encryption routine, it will open the “HELP_DECRYPT” files to show the victim the dreaded ransom note.


Figure 5. Sample ransom note

Information Theft by FAREIT

TSPY_FAREIT.YOI is executed alongside TROJ_CRYPWAL.YOI. While the victim is distracted by CryptoWall’s extortion, the spyware will steal credentials stored in the system’s FTP clients, web browsers, email clients and even Bitcoin wallets.

As we mentioned earlier, this is the first time we’ve seen crypto-ransomware team up with spyware. This just shows that the cybercriminals are getting greedier. They are no longer content with the revenue they get from their ransom, around US$500—which doubles after a certain period of time has lapsed.


Figure 6. Ransom fee increases

Covering All Bases

There could be several reasons why cybercriminals introduced FAREIT to their crypto-ransomware attacks. Perhaps people are refusing to pay the ransom or they have become more savvy in protecting their files. Regardless of the reason, the threat actors are using an “old business model” as their back-up plan. Even if the victim refuses to pay the Bitcoin ransom, the cybercriminals can still get money by stealing existing Bitcoin wallets and by selling/using any stolen information.

Based on feedback from the Smart Protection Network, the region most affected by CryptoWall 3.0 is Australia/New Zealand, followed by North America and Europe.


Figure 7. Regions affected by CryptoWall 3.0

Users can protect their important data by regularly backing up their files. They can implement the 3-2-1 rule for their files. Of course, for threats like crypto-ransomware and spyware, other safety practices are advised. For example, users should never open attachments from unknown or unverified senders. In fact, they should ignore or delete emails from unknown senders. Lastly, they should invest in security solutions that can protect their devices against the latest threats.

With additional analysis by Cris Pantanilla, Gilbert Sison and Sylvia Lascano.

Hashes of related files:

Update as of March 20, 2015, 1:13 AM PST:

We have edited the blog to clarify details related to a routine executed by TROJ_CRYPWAL.YOI, specifically its creation of explorer.exe.
