
CryptoWall 3.0 Ransomware Partners With FAREIT Spyware

  • Posted on:March 19, 2015 at 7:49 pm
  • Posted in:Malware, Ransomware
  • Author:
    Anthony Joe Melgarejo (Threat Response Engineer)

Crypto-ransomware is once again upping the ante with its routines. We came across one crypto-ransomware variant that’s combined with spyware—a first for crypto-ransomware. This development comes on the heels of the discovery that ransomware has added file infection to its routines.

CryptoWall 3.0

We first encountered CryptoWall as the payload of spammed messages last year. We noted that while other crypto-ransomware variants have a graphical user interface (GUI) for their payment purposes, CryptoWall relied on other means—opening a Tor site to directly ask for payment or opening the ransom note in Notepad, which contained the instructions to access a payment page via a Tor browser.

But a lot of things have changed since those first CryptoWall sightings. The earlier versions of CryptoWall pretended to be CryptoLocker, even mimicking its UI for its messages. Since then, we have seen CryptoWall use its own name and UI for its victims.

Also gone is the use of Tor for its command-and-control (C&C) servers. The latest version, dubbed CryptoWall 3.0, now uses hardcoded URLs. Admittedly, using Tor can be seen as an advantage for the anonymity offered. But the disadvantage is that system admins could easily block Tor network traffic or even the Tor application itself if there is no need for it.

The hardcoded URLs are heavily obfuscated so threat researchers wouldn’t extract them easily. Since URL blocking is reactive, there is a delay before the blocking can be implemented. During this “window,” the malware could have already communicated with the C&C server and acquired the RSA public key to be used for file encryption.

It should be noted that its C&C server is different from its payment page. The malware still uses Tor for its payment page so that transactions wouldn’t be hindered if authorities try to bring down their payment servers.

And perhaps as a “precautionary measure,” CryptoWall 3.0 deletes the system’s shadow copies to disable restoring files to their previous state, leaving victims with no other option for recovering their files.

Using JavaScript and “JPEGS”

CryptoWall 3.0 arrives via spammed emails, using a JavaScript attachment. In the screenshot below, the attachment poses as a resume inside an archive file. A .JS file (detected as JS_DLOADR.JBNZ, JS_DLOAD.CRYP, and JS_DLOADE.XXPU) will be extracted from the archive, which is peculiar, as the file extensions usually associated with resumes are .DOC, .PDF and .RTF.


Figure 1. Sample spammed message

Using a .JS file could be seen as an evasion technique: its small file size may be skipped by some scanners, and the obfuscation applied to its code hinders inspection.


Figure 2. Screenshot of the obfuscated code (truncated)

Further analysis of the .JS file reveals that it will connect to two URLs to download “.JPG” files. But don’t be fooled by the extension—this is an old technique which may bypass poorly designed intrusion detection systems (IDS) by disguising malware as an image file. Looking at the screenshot below, you will see that it actually downloads executable files.


Figure 3. MZ and PE signature of the downloaded executable file disguised as an image

The JS file will execute the downloaded files after a successful download. The two files, one.jpg and two.jpg, are detected as TROJ_CRYPWAL.YOI and TSPY_FAREIT.YOI, respectively.
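The downloads in Figure 3 carry an image extension but start with the MZ/PE signatures of a Windows executable. As an added example (not code from the original post), the following Python checks a file the way a content inspector should: by parsing the DOS header and the `e_lfanew` pointer to the PE signature rather than trusting the extension. The sample bytes are constructed here to mimic the header layout only.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"           # JPEG start-of-image marker
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}


def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub and 'PE\\0\\0' at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):      # pointer past end of buffer: truncated or bogus header
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_download(name: str, data: bytes) -> str:
    """Label a download by its real content, flagging executables served under an image name."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if is_pe_image(data):
        return "executable-disguised-as-image" if ext in IMAGE_EXTS else "executable"
    if data.startswith(JPEG_MAGIC):
        return "image"
    return "unknown"


def build_fake_pe(pe_offset: int = 0x80) -> bytes:
    """Constructed sample: an 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    hdr = bytearray(b"MZ" + b"\x00" * (pe_offset - 2))
    struct.pack_into("<I", hdr, 0x3C, pe_offset)
    hdr += b"PE\x00\x00" + b"\x00" * 20
    return bytes(hdr)


if __name__ == "__main__":
    # "one.jpg" as described in the post: an executable behind an image extension
    print(classify_download("one.jpg", build_fake_pe()))
    # a genuine JPEG header, also constructed
    print(classify_download("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
```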

File Encryption

TROJ_CRYPWAL.YOI will create a new instance of explorer.exe to gain local admin privilege, provided that the victim has admin rights—which is a common setup. Using a legitimate system process like explorer.exe could help the malware bypass scanners that use whitelisting. It will create a new instance of svchost.exe with -k netsvcs arguments which will perform the C&C communication and file encryption. This also gives the malware system service privileges.


Figure 4. System modification

As you can see in the screenshot in Figure 4, it will also delete the shadow copies by issuing the command vssadmin.exe Delete Shadows /All /Quiet. This will prevent victims from restoring their files using the shadow copies.
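The two behaviours described above, shadow-copy deletion through vssadmin.exe and a malware-spawned svchost.exe -k netsvcs, are both visible in process-creation telemetry. As an added detection example (not code from the original post), the Python below runs over constructed sample events in an assumed "parent | image | command line" format; the check that a legitimate netsvcs host is started by services.exe is a general Windows fact, not something the post states.

```python
import re

# Constructed sample process-creation events (not real telemetry): parent | image | command line
SAMPLE_EVENTS = [
    "services.exe | svchost.exe | C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "explorer.exe | svchost.exe | C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "svchost.exe | vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet",
    "cmd.exe | vssadmin.exe | vssadmin.exe list shadows",
    "explorer.exe | notepad.exe | notepad.exe HELP_DECRYPT.TXT",
]

SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
NETSVCS = re.compile(r"\s-k\s+netsvcs\b", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split one 'parent | image | cmdline' line into lower-cased image names plus the raw command line."""
    parent, image, cmdline = (field.strip() for field in line.split("|", 2))
    return {"parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def detect(events):
    """Return (rule, line) pairs for shadow-copy deletion and svchost netsvcs hosts with an unexpected parent."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev["image"] == "vssadmin.exe" and SHADOW_DELETE.search(ev["cmdline"]):
            findings.append(("shadow_copy_deletion", line))
        elif (ev["image"] == "svchost.exe" and NETSVCS.search(ev["cmdline"])
              and ev["parent"] != "services.exe"):
            findings.append(("svchost_netsvcs_unexpected_parent", line))
    return findings


if __name__ == "__main__":
    for rule, line in detect(SAMPLE_EVENTS):
        print(f"{rule}: {line}")
```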

After receiving the RSA public key from its C&C server (the private key needed for decryption stays on the server), it will start encrypting files with certain file extensions. Targeted files include documents, databases, emails, images, audio, video, and source code.

After encrypting a file using the RSA-2048 encryption algorithm, it will append a random file extension to the original file name and add the “HELP_DECRYPT” files to the affected directory. After its encryption routine, it will open the “HELP_DECRYPT” files to show the victim the dreaded ransom note.


Figure 5. Sample ransom note

Information Theft by FAREIT

TSPY_FAREIT.YOI is executed alongside TROJ_CRYPWAL.YOI. While the victim is distracted by CryptoWall’s extortion, the spyware will steal credentials stored in the system’s FTP clients, web browsers, email clients and even Bitcoin wallets.

As we mentioned earlier, this is the first time we’ve seen crypto-ransomware team up with spyware. This just shows that the cybercriminals are getting greedier. They are no longer content with the revenue they get from their ransom, around US$500—which doubles after a certain period of time has lapsed.


Figure 6. Ransom fee increases

Covering All Bases

There could be several reasons why cybercriminals introduced FAREIT to their crypto-ransomware attacks. Perhaps people are refusing to pay the ransom or they have become more savvy in protecting their files. Regardless of the reason, the threat actors are using an “old business model” as their back-up plan. Even if the victim refuses to pay the Bitcoin ransom, the cybercriminals can still get money by stealing existing Bitcoin wallets and by selling/using any stolen information.

Based on feedback from the Smart Protection Network, the region most affected by CryptoWall 3.0 is Australia/New Zealand, followed by North America and Europe.


Figure 7. Regions affected by CryptoWall 3.0

Users can protect their important data by regularly backing up their files. They can implement the 3-2-1 rule for their files. Of course, for threats like crypto-ransomware and spyware, other safety practices are advised. For example, users should never open attachments from unknown or unverified senders. In fact, they should ignore or delete messages from unknown senders. Lastly, they should invest in security solutions that can protect their devices against the latest threats.

With additional analysis by Cris Pantanilla, Gilbert Sison and Sylvia Lascano.

Hashes of related files:


Update as of March 20, 2015, 1:13 AM PST:

We have edited the blog to clarify details related to a routine executed by TROJ_CRYPWAL.YOI, specifically its creation of explorer.exe.
