By Kawabata Kohei, Joseph C. Chen, and Jeanne Jocson
Malware has long abused legitimate sites for command-and-control (C&C) so that its traffic does not rouse suspicion. While most ransomware sends the information it gathers directly to its own C&C servers, some variants differ slightly. CuteRansomware, for instance, uses Google Docs to pass information from the infected system to the attackers.
One of the latest ransomware families, CryLocker (detected as RANSOM_MILICRY.A), does the same by abusing Imgur, a free online image hosting site that lets users upload and share photos. During our monitoring of exploit kit activity, we spotted both Rig and Sundown distributing this threat.
This is the first time we have seen Portable Network Graphics (PNG) files used to package the information harvested from an infected system. The PNG file is also how the cybercriminals track their victims: after gathering information from the user's system, the ransomware uploads the PNG file to an Imgur album. Routing the upload through a popular image host lets the exfiltration blend in with legitimate traffic and makes it harder to spot. We have already notified Imgur regarding CryLocker's abuse of their service.
Figure 1. Screenshot of the victim data packaged as .PNG file and sent to an Imgur album.
Arrival method and analysis
A malvertising (malicious advertising) campaign was found distributing this ransomware through the Rig exploit kit on September 1. From September 2 onwards, the campaign stopped pushing this threat as its payload. On closer inspection of the PNG files uploaded to Imgur, the earliest victim data we found showed systems encrypted as early as August 25.
Figures 2-3. Traffic of Sundown and Rig exploit kits
We spotted the Sundown exploit kit distributing the ransomware through malvertising on September 5, with a few changes. For example, the attackers now change the desktop wallpaper to a ransom note that they call "CryLocker." As of posting, the number of victim records uploaded has increased to 8,000.
Figure 4. Number of uploaded victim info in the C&C (Aug 25-Sept 5, 2016)
Figure 5. CryLocker’s ransom note
Based on our analysis, CryLocker changes the extension of encrypted files to *.CRY, the same extension Buddy Ransomware uses. The similarity ends there, however: our analysis of the two ransomware families shows that their file structures are different.
Interestingly, this ransomware writes an encrypted copy of each targeted file and then deletes the original, rather than encrypting in place. Because the originals are deleted rather than overwritten, disk recovery tools can often recover them, but only for files smaller than 20MB.
Among the information CryLocker gathers is the user's Wi-Fi access point data (MAC address, SSID, signal strength, etc.). It also attempts to obtain the user's geolocation or browser location through the Google Maps Geolocation API. It checks whether the file C:\Temp\lol.txt exists; if it does, the malware does not encrypt any files, although other routines, such as deleting shadow copies and displaying the ransom note, still run. We saw this routine in the newer samples (SHA1: 4bf164e49e4cb13efca041eb154aae1cf25982a8), which makes us wonder whether the attackers forgot to strip the feature from the source code or left it in on purpose.
It also obtains the installed keyboard layouts by calling the Windows API GetKeyboardLayoutList, then checks the system's language identifier. If any of the following languages is detected, it exhibits no ransomware behavior and simply exits:
This kind of 'filtering' routine was previously implemented by the Andromeda bot.
Figure 6. Code snippet of the API, GetKeyboardLayoutList
Looking deeper into the threat’s C&C communications
As previously mentioned, the malware attempts to send information from the system to a specific album on Imgur. If that fails, it sends the data to pastee.org, a paste service similar to Pastebin; however, that server appears to be offline as of posting.
As a further fallback, it sends the data to a specific IP address over UDP (port 4444) when the Imgur and Pastee uploads do not work properly, or when the data size is small.
Figure 7. The malware tries to send information from the infected system to Pastee.org
On inspecting the network traffic, we found that the requests to pastee.org/submit and imgur.com/upload/checkcaptcha both carry a malformed User-Agent header.
Figure 8. Network traffic showing a malformed user agent
The uploaded file is not a properly formed PNG. It begins with a valid PNG file signature, but what follows is not the chunk structure and image data the format requires; instead, the body is the harvested system information as ASCII strings. This differs from steganography, which hides a message inside an otherwise valid image (in cybercrime, hidden files or information). Here there is no image at all, only a PNG header on top of plaintext.
Figure 9. No image can be previewed from the PNG file.
Cybercriminals commonly exploit the loopholes of legitimate websites and cloud services to conceal their identity and operations, so it is critical for these services to strengthen their security guidelines and restriction policies. In this case, we recommend that image hosting services add a validation step to the upload process that checks whether a file really is the image type it claims to be. A file that carries a PNG signature but is not structurally a PNG can then be identified and rejected automatically.
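The following is an added example of such an upload check, written for this page; it is not code from the Trend Micro analysis or from Imgur. It walks the PNG chunk list after the 8-byte signature and verifies chunk types, lengths, CRC-32 values, an IHDR first and an IEND last, which is enough to reject a file that is only a PNG signature followed by text. Both inputs are constructed here: a genuine 1x1 PNG built with the helper, and a fake upload whose field names (host, ssid, mac) are hypothetical and not CryLocker's real layout.

```python
import struct
import zlib
from typing import Tuple

# 8-byte PNG file signature. CryLocker's uploads carry this signature but not
# the chunk structure that the format requires after it.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def validate_png(data: bytes) -> Tuple[bool, str]:
    """Walk the chunk list of a PNG and report whether it is structurally valid.

    Checks: signature, four-letter chunk types, chunk lengths within the file,
    CRC-32 of every chunk, IHDR first (13 bytes), at least one IDAT, IEND last.
    Returns (ok, reason) so an upload handler can log why a file was rejected.
    """
    if data[:8] != PNG_SIGNATURE:
        return False, "missing PNG signature"
    pos = 8
    seen_ihdr = seen_idat = False
    while pos < len(data):
        if len(data) - pos < 12:  # length(4) + type(4) + crc(4) at minimum
            return False, "truncated chunk header at offset %d" % pos
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        # Chunk type codes must be ASCII letters; ASCII text such as "=DES" fails here.
        if not all(65 <= b <= 90 or 97 <= b <= 122 for b in ctype):
            return False, "invalid chunk type %r at offset %d" % (ctype, pos)
        if pos + 12 + length > len(data):
            return False, "chunk %s length %d exceeds file" % (ctype.decode(), length)
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False, "bad CRC on chunk %s" % ctype.decode()
        if not seen_ihdr:
            if ctype != b"IHDR" or length != 13:
                return False, "first chunk is not a 13-byte IHDR"
            seen_ihdr = True
        elif ctype == b"IDAT":
            seen_idat = True
        elif ctype == b"IEND":
            if length != 0 or pos + 12 != len(data):
                return False, "malformed IEND or trailing data after it"
            return (True, "ok") if seen_idat else (False, "no IDAT before IEND")
        pos += 12 + length
    return False, "no IEND chunk"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC-32 over type + data."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def make_minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit RGB PNG holding one red pixel."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, bit depth, colour type RGB
    scanline = b"\x00" + b"\xff\x00\x00"                  # filter type 0 + one RGB pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


# Constructed sample with hypothetical field names (not CryLocker's real format):
# the PNG signature followed directly by plain ASCII victim data, no chunks at all.
FAKE_UPLOAD = PNG_SIGNATURE + b"host=DESKTOP-01\r\nssid=HomeNet\r\nmac=00:11:22:33:44:55\r\n"


if __name__ == "__main__":
    for name, blob in (("minimal.png", make_minimal_png()), ("upload.png", FAKE_UPLOAD)):
        ok, reason = validate_png(blob)
        print("%-12s %s (%s)" % (name, "ACCEPT" if ok else "REJECT", reason))
```

This structural check is deliberately stricter than "does it start with the magic bytes": the fake upload passes the signature test and is only caught when the bytes that should be a chunk type turn out to be text. It does not decode the image, so a hostile decoder payload would still need a separate check, but it is cheap enough to run on every upload.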
Trend Micro protects businesses and users from this threat by detecting the malicious file and blocking the related malicious URLs. Our solutions can block CryLocker at the exposure layer and prevent it from doing any damage. We also offer other layers of protection for endpoints, networks, and servers.
TippingPoint customers are protected from this attack with the following MainlineDV filter:
- 39144: HTTP: Ransom_Milcry.A Checkin – to be released on Sept 13, 2016
The malicious network activities of this threat can be detected via the following Deep Discovery rule:
- 2131: RIG – Exploit Kit – HTTP(Request) – Variant 3
Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network (Network Traffic Scanning, Malware Sandbox, Lateral Movement Prevention).
Trend Micro Deep Security detects and stops suspicious network activity and shields servers and applications from exploits (Webserver Protection, Vulnerability Shielding, Lateral Movement Prevention).
PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
Protection for Small-Medium Businesses
Trend Micro Worry-Free Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware (Ransomware Behavior Monitoring, IP/Web Reputation).
Protection for Home Users
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat (IP/Web Reputation, Ransomware Protection).
Related SHA1 hashes for this attack:
- d6a09353a1e4ccd7f5bc0abc401722035fabefa9 – detected as RANSOM_MILICRY.A
- 4bf164e49e4cb13efca041eb154aae1cf25982a8 – detected as RANSOM_MILICRY.A
Additional analysis by Vachel Dai and Mat Powell