• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Malware   »   Old Infostealer Resurfaces, Now Delivers Ransomware

Old Infostealer Resurfaces, Now Delivers Ransomware

  • Posted on:April 29, 2014 at 8:44 am
  • Posted in:Malware, Ransomware
  • Author:
    Paul Pajares (Fraud Analyst)
0

Sometime near the start of the year, we noticed that the old malware family TSPY_USTEAL resurfaced. This information stealing malware now includes new routines including malicious packers, obfuscation, and bundling ransomware.

TSPY_USTEAL variants were seen in the wild as early as 2009, and is known to steal sensitive information like machine details and passwords stored in browsers. It can act as a dropper, dropping plugins or binaries in its resource section. The stolen information is stored in an encrypted .bin file, which is uploaded to a C&C server via FTP. This was part of the behavior of the previous variants, and continues on in newer variants.

A newer variant that we detect as TSPY_USTEAL.USRJ, drops ransomware—detected as TROJ_RANSOM.SMAR—on affected systems. These ransomware files are created by a new toolkit builder that gives the attacker full control over the ransomware’s behavior, from the types of files it will encrypt to the ransom note to be displayed.

We detect this toolkit as TROJ_TOOLKIT.WRN. Below are the features translated from Russian to English. Included are the file types to be encrypted, the ransom note, the appended extension to encrypted file, and the name of the dropped copy of the encoder.

Figure 1. Translated ransomware toolkit
(Click image above to enlarge)

The ransomware, TROJ_RANSOM.SMAR, drops a copy of itself in the user’s machine. It then encrypts certain files with the same icon and extension name. For example, it can add the extension .EnCiPhErEd on selected extension names like .LNK, .ZIP, etc., as marker. Next, it drops an image file containing the ransom details.


Figure 2. Ransom note

When encrypted files are accessed, it shows the ransom note along with the contact details to retrieve the password. The retrieval method may either be through a text message or an email. Next, it displays a message asking for the password. If password given is correct, it decrypts and restores the encrypted files to its original form. Consequently, the ransomware file deletes itself. On the other hand, if the password is incorrect and the number of attempts has reached the pre-set limit, it displays the error message shown below. It then searches for files to encrypt (besides the already-encrypted files) and deletes itself afterward.


Figure 3. Error message

This particular combination of threats is worrisome because it steals your credentials and information while the ransomware extorts additional money from the victim by encrypting their files. It’s highly probable that the malware author wanted to wring a fortune out of the victim, extorting any leftover funds from the same victim with the use of ransomware.

Feedback from the Trend Micro Smart Protection Network shows that there was a spike mid-April for TROJ_RANSOM.SMAR, with the United States as the affected country . Trend Micro protects users from all threats releated to this attack.

With additional analysis from Adremel Redondo and Nazario Tolentino II

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: MalwareransomwareTSPY_USTEAL

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.