
Old Infostealer Resurfaces, Now Delivers Ransomware

  • Posted on:April 29, 2014 at 8:44 am
  • Posted in:Malware, Ransomware
  • Author:
    Paul Pajares (Fraud Analyst)

Sometime near the start of the year, we noticed that the old malware family TSPY_USTEAL had resurfaced. This information-stealing malware now comes with new routines: malicious packers, obfuscation, and bundled ransomware.

TSPY_USTEAL variants were seen in the wild as early as 2009 and are known to steal sensitive information such as machine details and passwords stored in browsers. The malware can also act as a dropper, dropping plugins or binaries carried in its resource section. The stolen information is stored in an encrypted .bin file, which is uploaded to a C&C server via FTP. This behavior was present in the earlier variants and continues in the newer ones.

A newer variant, which we detect as TSPY_USTEAL.USRJ, drops ransomware (detected as TROJ_RANSOM.SMAR) on affected systems. These ransomware files are created by a new toolkit builder that gives the attacker full control over the ransomware’s behavior, from the types of files it will encrypt to the ransom note to be displayed.

We detect this toolkit as TROJ_TOOLKIT.WRN. Below are its features, translated from Russian to English. The configurable options include the file types to be encrypted, the ransom note, the extension appended to encrypted files, and the name of the dropped copy of the encoder.

Figure 1. Translated ransomware toolkit

The ransomware, TROJ_RANSOM.SMAR, drops a copy of itself on the user’s machine. It then encrypts files of the configured types; the encrypted files keep their original icon and extension name, with a marker extension appended. For example, it can append .EnCiPhErEd to files with selected extensions such as .LNK and .ZIP as a marker. Next, it drops an image file containing the ransom details.


Figure 2. Ransom note

When an encrypted file is accessed, the ransomware shows the ransom note along with the contact details for retrieving the password. The retrieval method may be either a text message or an email. Next, it displays a prompt asking for the password. If the password given is correct, it decrypts and restores the encrypted files to their original form, and the ransomware file then deletes itself. On the other hand, if the password is incorrect and the number of attempts has reached the pre-set limit, it displays the error message shown below. It then searches for further files to encrypt (besides the already-encrypted files) and deletes itself afterward.
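The marker extension described above is the most convenient host-side indicator a responder can work with: any file whose name ends in the marker has, by the ransomware’s own design, been processed. The script below is an added example written for this post (it is not Trend Micro’s code and is not derived from the sample). It walks a directory tree, reports every file carrying the marker together with the original extension hidden underneath it, and measures the Shannon entropy of the first few kilobytes as a secondary signal that the content really is encrypted rather than merely renamed. The marker value comes from the post; the entropy heuristic, the 4096-byte sample size, and the constructed test tree are assumptions made for the example.

```python
import math
import os
import tempfile
from collections import Counter

# Marker extension the post describes TROJ_RANSOM.SMAR appending (configurable in the builder).
MARKER_EXT = ".EnCiPhErEd"


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte. Encrypted or compressed data sits close to 8.0;
    ordinary text and most document formats sit well below that."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_marked_files(root: str, marker: str = MARKER_EXT, sample_bytes: int = 4096):
    """Walk `root` and return one record per file whose name ends with `marker`
    (matched case-insensitively, since the marker is attacker-configurable).
    Each record carries the path, the original extension that sat under the
    marker, and the entropy of the first `sample_bytes` bytes of content."""
    hits = []
    marker_l = marker.lower()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(marker_l):
                continue
            path = os.path.join(dirpath, name)
            stem = name[: -len(marker)]                       # strip the marker
            original_ext = os.path.splitext(stem)[1].lower()  # e.g. ".zip"
            try:
                with open(path, "rb") as fh:
                    sample = fh.read(sample_bytes)
            except OSError:
                sample = b""  # unreadable file: still report it, entropy 0.0
            hits.append({
                "path": path,
                "original_ext": original_ext,
                "entropy": round(shannon_entropy(sample), 2),
            })
    return hits


def summarize(hits):
    """Count marked files per original extension: the view a responder wants
    when reconstructing which file classes this build was configured to hit."""
    return dict(Counter(h["original_ext"] for h in hits))


def build_sample_tree(base: str) -> None:
    """Constructed test data (assumption, not real samples): two files that
    look encrypted (random bytes) under the marker, plus one untouched file."""
    os.makedirs(os.path.join(base, "docs"), exist_ok=True)
    with open(os.path.join(base, "docs", "notes.zip" + MARKER_EXT), "wb") as fh:
        fh.write(os.urandom(4096))
    with open(os.path.join(base, "shortcut.lnk" + MARKER_EXT), "wb") as fh:
        fh.write(os.urandom(4096))
    with open(os.path.join(base, "readme.txt"), "w", encoding="utf-8") as fh:
        fh.write("plain text, not touched by the ransomware\n")


def run_demo():
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_marked_files(tmp)
        return hits, summarize(hits)


if __name__ == "__main__":
    found, counts = run_demo()
    for h in found:
        print(f"{h['path']}  original={h['original_ext']}  entropy={h['entropy']}")
    print("marked files per original extension:", counts)
```

On a real host you would point `find_marked_files` at the user profile or a mounted evidence image instead of the temporary tree, and feed the per-extension summary into the incident record; a marked file with low entropy is worth a second look, since it suggests the file was renamed but not actually encrypted.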


Figure 3. Error message

This particular combination of threats is worrisome because the infostealer takes the victim’s credentials and information while the ransomware extorts additional money from the same victim by encrypting their files. It is highly probable that the malware author wanted to wring as much as possible out of each infection, using the ransomware to extract whatever funds were left after the stolen data had been monetized.

Feedback from the Trend Micro Smart Protection Network shows that there was a spike in TROJ_RANSOM.SMAR detections in mid-April, with the United States as the most affected country. Trend Micro protects users from all threats related to this attack.

With additional analysis from Adremel Redondo and Nazario Tolentino II

Tags: Malware, ransomware, TSPY_USTEAL
