We highlighted in our quarterly threat roundup how various ransomware variants and other similar threats like CryptoLocker that now perform additional routines such as using different languages in their warning and stealing funds from cryptocurrency wallets. The addition of  mobile ransomware highlights how these threats are continuously improved over time.

We recently encountered another variant that used the Windows PowerShell feature in order to encrypt files. This variant is detected as TROJ_POSHCODER.A.  Typically, cybercriminals and threat actors have used Windows Powershell to go undetected on an affected system, making detection and analysis harder. However, once detected, using PowerShell made it easier to analyze as this malware is also hardcoded. Decrypting and analyzing this malware was not too difficult, particularly compared to other ransomware variants.

Since it uses Powershell, TROJ_POSHCODER.A is script-based, which is not common for ransomware. It uses AES to encrypt the files, and RSA4096 public key cryptography to exchange the AES key. When executed, it adds registry entries, encrypts files, and renames them to {filename}.POSHCODER. It also drops UNLOCKYOURFILES.html into every folder. Once all files on the infected system are encrypted, it displays the following image:

Figure 1.  Instructions on how users can supposedly retrieve their files

Once users followed the instructions stated in the ‘ransom note,’ they will see the image below informing them to install the Multibit application that will allow them to have their own Bitcoin-wallet account for 1 Bitcoin. When they purchase the application, they are instructed to submit the form that contains information like email address, and BTC address and ID. Users will supposedly get the decryptor that will help encrypt the files.

Figure 2. Users need to fill this form once they avail of the Multibit application

Currently, POSHCODER uses English for its ransom notes and primarily affects users in the United States.

Ransomware and other similar threats are continuously improving as exemplified by the emergence of POSHCODER.  Trend Micro protects users from this threat via its Smart Protection Network that detects the malicious file.

VOBFUS malware is known for its polymorphic abilities, which allow for easy generation of new variants. We recently came across one variant that replaces these abilities for one never seen in VOBFUS malware before—the ability to “speak” several languages.

Infection in Different Languages

Just like other VOBFUS variants, this new variant, detected as WORM_VOBFUS.JDN, propagates by dropping copies of itself in removable drives. Previously, variants used these eye-catching file names in order to convince users to click on the dropped file:

• passwords.exe
• porn.exe
• secret.exe
• sexy.exe

WORM_VOBFUS.JDN, on the other hand, takes it one step further by dropping files with files name that depend on the infected computer’s OS language and location. For example, a computer with English as the OS language may receive any of the following files:

• I love you.exe
• Naked.exe
• Password.exe
• Sexy.exe
• Webcam.exe

Whereas a computer that uses Bahasa Indonesia may receive the following files:

• Aku mencintaimu.exe
• kata sandi.exe
• seksi. exe
• Telanjang.exe

This variant also uses file names written in these languages:

• Arabic
• Bosnian
• Chinese
• Croatian
• Czech
• French
• German
• Hungarian
• Italian
• Korean
• Persian
• Polish
• Portuguese
• Romanian
• Slovak
• Spanish
• Thai
• Turkish
• Vietnamese

While the languages may differ, they all translate to I love you, Naked, Password, and Webcam.

Malware Going Local

Infection by way of “localized” threats could be seen as one way for cybercriminals to transform unsuspecting users into victims. Seeing a file or a notification written in their language might pique users’ interest more than seeing one written in English. Users may also find a false sense of security in these “localized” files and notifications as they might view these as less suspicious than other files.

Police ransomware is one threat that uses this particular technique. These malware pose as the local law enforcement agency of the victim’s country to urge users to pay the fee for their locked computers. For example, a French victim will receive a notification from Gendarmerie Nationale, while a US-based one will likely receive a message from the FBI. There have even been instances wherein the ransomware will use an audio clip in the victim’s language.  Posing as local law enforcement agencies adds a sense of legitimacy to the claim and may further convince victims to pay the fee.

We have also seen file-encrypting ransomware use this approach. These malware locks computers and encrypts files until the victim pays a fee. We came across two incidents that targeted Turkish and Hungarian users. The spam containing the malware and the notification were written in their language.

Cybercriminals will do anything or use any technique possible to gain new victims. We advise users to avoid clicking links or files unless these can be verified. For ransomware incidents, since the files cannot be decrypted (aside from perhaps paying the fee), it’s also good practice to constantly back up files in case of instances such as this one. Trend Micro blocks all threats mentioned in this entry.

Out with the old, in with the new? When it comes to cybercrime, that’s rarely the case. We often seen old malware get upgrades with new techniques, payloads, and even targets. This is certainly the case for an old Java remote access Trojan (RAT) detected as JAVA_OZNEB.B.

Users may encounter this threat as an attachment to spammed emails. These emails are often financial in nature. One such email pretends to be from American Express, informing recipients that their accounts have been suspended due to suspicious activity. To reactivate, they must fill out the attachment and send it back to American Express. The attachment is actually the malware in disguise. Users may also encounter the malware online pretending to be catalogues, product lists, or receipts.

Figure 1. Sample spammed message

Once it infects the computer, the RAT can perform a variety of routines, such as take screenshots, display messages, and load additional plugins, including one for mining Litecoins. The option for additional plugins makes the malware a high risk threat as cybercriminals can update and tweak routines as they wish. Making the malware a bigger threat is the fact that it can run on multiple platforms. It should be noted that this is not the first Java RAT that affects multiple platforms; we first spotted one in 2012.

JAVA_OZNEB.B was previously known as Adwind then later renamed to UNRECOM (Universal Remote Control Multi-Platform). Aside from the new name, the malware also experienced an upgrade: it can now run on the Android platform. The inclusion of Android in the set-up is highly notable because aside from running in Android, this malware now also works as an APK binder. Put simply, the malware can be used to Trojanize legitimate apps, like an Android malware we’ve previously discussed.

The inclusion of a Litecoin miner plugin is highly notable, given the slew of threats targeting cryptocurrencies we’ve seen recently. Litecoin is a cryptocurrency that’s often considered as a popular alternative to Bitcoin. The Litecoin plugin can allow a remote malicious user to use an infected computer to mine Litecoins. Mining digital currencies requires a lot of computing power so victims may experience sluggish performance from their infected computers.

Feedback from the Smart Protection Network that affected countries includes the United States, Turkey, Australia, Taiwan, Singapore, and Japan. We advise users to be cautious when opening emails, even if they appear to come from reputable senders. For matters related to finance, it’s best to call the financial institution involved to resolve potential issues.

With additional insights from Lala Manly.

We recently came across one variant detected as TROJ_ZCLICK.A, which seemingly “locks” the desktop to display websites. This kind of behavior is out of the ordinary for a ZBOT variant. Once it infiltrates the system, this occurs every time the user performs any activity, such as opening a window or file. These sites occupy the entire desktop screen, hindering access to any open windows or files. There have been instances wherein the user can still see the open windows, but with the sites running in the background. Users can bypass this inconvenience by performing the “show desktop” command but the malware will continue to display windows.

Figure 1. Sites are displayed full-screen in the background of the running program Space Cadet

 It should be noted that the sites being displayed are all legitimate–running from gaming sites, ticketing sites, music sites to search engines. Users can actually navigate these displayed sites. One curious feature of this malware is that it also performs various mouse movements and scrolling when the mouse is idle.

It is noteworthy to say that this variant doesn’t perform traditional routines associated with this malware family like stealing information. However, analysis reveals that the sample does contain the ZBOT code and this only means that this ZBOT variant only loads the clickbot routine. In this light, it’s only logical to assume that the main motivation for this variant is to generate income via the pay-per-click model.

This malware proves that cybercriminals are continuously tweaking familiar or known malware to deliver new payloads, all in the name of generating income from victimizing users. As such, users should always remember key safety practices when going online. Habits like installing the latest software updates or deleting spammed messages can go a long way in protecting computers from threats.

Cybercriminals can certainly be resourceful when it comes to avoiding detection. We have seen many instances wherein malware came equipped with improved evasion techniques, such as preventing execution of analysis tools, hiding from debuggers, blending in with normal network traffic, along with various JavaScript techniques. Security researchers have now come across malware that uses a legitimate compression technique to go unnoticed by security solutions.

This malware, detected as TROJ_SHELLCOD.A, is an exploit that targets an Adobe Flash Player vulnerability (CVE-2013-5331). The malware is a document file with an embedded Flash file, which has been compressed using ZWS. Released in 2011, ZWS uses the Lempel-Ziv-Markove Algorithm (LZMA) to compress data with no data loss. We now take a look at how this legitimate technique was used by this particular malware.

Figure 1. Compressed malware

Figure 1 shows the malware in its compressed form, which allows it to evade detection. To decompress the content, we used a SWFCompression Python script.

Figure 2. The shellcode has been extracted in ASCII form

Figure 3. ASCII shellcode

After converting it to hex code, we see a URL that it most likely accesses. Unfortunately, we cannot acquire the code it is supposed to download as the URL is no longer accessible at the time of analysis.

Figure 4. Binary shellcode

Loading the code into a debugger software produces the following outcome.

Figure 5. Code execution

As you can see in Figure 5, this malware uses a different approach for executing its payload. Typically, malware is often downloaded and executed, which means a physical copy of the malware is dropped in the infected machine. This allows security solutions to detect the malware.

However, this particular malware allots memory using VirtualAlloc and executes it, acting like a backdoor. Doing so makes it harder to trace the routines of the malware as there is no physically dropped file; instead the payload is copied directly into memory. This is the reason why this malware is able to evade most security solutions, even those that support ZWS compression.

We urge users to regularly install security updates as soon as they are made available. These patches can mean the difference between protection and infection. For example, the vulnerability used in this attack was patched by Adobe in December 2013.

Trend Micro detects all threats related to this attack.