The latest crypto malware threat – CTB-Locker – promises to be one of the most serious security threats seen in recent years. The latest crypto malware is one of many of its ilk that have emerged in the past two years. This form of malware encrypts files on victims’ computers and will not unlock them until a ransom is paid. Only then will the key to decrypt data be provided.
Crypto malware has been around for some time, although its popularity has been increasing over the past couple of years. One of the first major crypto malware variants was CryptoLocker. CryptoLocker first emerged in late 2013 and was particularly active throughout the first half of 2014.
CryptoLocker malware was a major concern for many businesses and individuals. In June of 2014, the FBI was able to successfully disrupt CryptoLocker, along with Game Over Zeus, but according to the figures in their legal complaint against Evgeniy Bogachev, not before his malware had encrypted more than 230,000 computers, 120,000 of which were in the United States.
The second major crypto malware variant was CryptoWall. PhishMe documented 24 separate spam campaigns in Q3 that pushed CryptoWall. But that number declined sharply in Q4, with only 10 CryptoWall spam campaigns seen in October, only 4 in November, and none at all in December.
The latest crypto malware threat emerged today. This new wave of crypto malware is being distributed via spam email.
PhishMe detected this new threat today when spam messages were intercepted containing an attachment that appeared to be some form of faxed document. There were many variants of the spam messages, including the subject lines below:
- Fax from RAMP Industries Ltd
- [Fax server]= +07955-168045
- [Fax server] : LPY.5705BBC7.1118
- Incoming fax, NB-112420319-8448
- New incoming fax message from +07829 062999
- [Operational Support Ltd] Fax transmission=U2W9MABD921532EC5
The messages themselves contained very simple text explaining that your inbound fax was attached.
No.: +07434 20 65 74
Date: 2015/01/18 14:56:54 CST
Peter Brett Associates
The attached file used a seemingly random dictionary word. Some of the .zip files observed by PhishMe were:
Many anti-spam tools now unzip .zip attachments to check for the presence of an .exe within the compressed file. This spam attempts to avoid tripping spam filtering solutions by using a .zip file which itself contains another .zip file, which in turn contains an .scr file.
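As an added example (not PhishMe's code), the following Python check does what a filter that stops at the first layer does not: it walks a zip attachment recursively and flags executable extensions such as .scr at any nesting depth. The sample archive is constructed inline with stub bytes and mirrors the zip-in-zip-in-.scr layout described above; the file name "weather" stands in for the campaign's dictionary word.

```python
import io
import os
import zipfile

# Extensions that should not reach a mailbox inside an attachment unchallenged.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
MAX_DEPTH = 4  # stop descending so a deeply nested archive cannot exhaust the scanner


def inspect_archive(data: bytes, depth: int = 0, path: str = "") -> list:
    """Walk a zip recursively; return (depth, member_path, reason) findings."""
    if depth > MAX_DEPTH:
        return [(depth, path, "nesting exceeds MAX_DEPTH")]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}" if path else info.filename
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTS:
                findings.append((depth, member, f"executable extension {ext}"))
            payload = zf.read(info)
            # Descend into archives nested inside this one (the evasion used here).
            if zipfile.is_zipfile(io.BytesIO(payload)):
                findings.append((depth, member, "nested archive"))
                findings.extend(inspect_archive(payload, depth + 1, member))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when any member at any depth carries an executable extension."""
    return any("executable" in reason for _, _, reason in inspect_archive(data))


def build_sample() -> bytes:
    """Constructed sample: zip -> zip -> .scr. The .scr is a stub, not a real program."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("weather.scr", b"MZ" + b"\x00" * 64)  # placeholder bytes only
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("weather.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for depth, member, reason in inspect_archive(build_sample()):
        print(depth, member, reason)
```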
No two files that we reviewed had the same malware hash. One of the many ways the anti-virus industry inflates its numbers is to count each unique hash as a separate file. PhishMe prefers to refer to the malware by the campaign name. Since every .scr file was unique, we could claim that each was a new malware variant; however, that would have no meaningful value, since each of these samples performs the same action and is structurally identical, if not actually identical. The only thing different in each is the hash.
The “.scr” file, which will be named with the same dictionary word as the .zip file from which it was extracted, is a downloader known as Dalexis.
Dalexis performs a similar role to the more common UPATRE malware. Its job is to covertly download additional malware, unpack it, and execute it. In this case, it does so by retrieving a file named “pack.tar.gz” from a variety of websites, such as:
- breteau-photographe.com / tmp / pack.tar.gz
- com / assets / pack.tar.gz
- asso.fr / piwigotest / pack.tar.gz
- org / histoiredesarts / pack.tar.gz
- voigt-its.de / fit / pack.tar.gz
These files are not actually .tar.gz archive files; they are copies of the latest crypto malware, CTB-Locker, which have been XOR’ed in a special way that Dalexis knows how to reverse. By passing through the network perimeter in an encoded format, the download is not scanned, since the file is not an executable or commonly known file type.
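As an added example (not PhishMe's code), a Python check of the kind an egress proxy could apply to the download described above: it compares the type the file name claims with what the bytes actually show, verifies that a claimed gzip stream really decompresses, and reports Shannon entropy, which is near 8 bits per byte for an opaque encoded blob. The genuine gzip stream and the opaque blob are both constructed inline; the blob is simply a uniform byte pattern, not an encoded payload.

```python
import gzip
import math
from collections import Counter

# Magic bytes for the types a perimeter device might pass through on name alone.
MAGIC = {".gz": b"\x1f\x8b", ".zip": b"PK\x03\x04", ".exe": b"MZ"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_download(name: str, data: bytes) -> dict:
    """Return what the name claims, whether the bytes agree, and a verdict."""
    claimed = next((ext for ext in MAGIC if name.lower().endswith(ext)), None)
    magic_ok = claimed is not None and data.startswith(MAGIC[claimed])
    gzip_ok = False
    if claimed == ".gz" and magic_ok:
        try:
            gzip.decompress(data)  # a real .gz must decompress cleanly
            gzip_ok = True
        except (OSError, EOFError):
            gzip_ok = False
    verdict = "ok"
    if claimed and not magic_ok:
        verdict = "type-mismatch"  # name says archive, bytes say otherwise
    elif claimed == ".gz" and not gzip_ok:
        verdict = "corrupt-archive"
    return {"claimed": claimed, "magic_ok": magic_ok,
            "entropy": round(shannon_entropy(data), 2), "verdict": verdict}


# Constructed samples: a genuine gzip stream and an opaque blob under the same name.
GENUINE = gzip.compress(b"hello " * 200)
OPAQUE = bytes(range(256)) * 4  # uniform bytes: maximal entropy, no gzip header

if __name__ == "__main__":
    print(classify_download("pack.tar.gz", GENUINE))
    print(classify_download("pack.tar.gz", OPAQUE))
```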
At that point, CTB-Locker takes over. CTB is an acronym for Curve Tor Bitcoin. Curve refers to the fact that the malware uses Elliptic Curve Encryption, which the author claims is the equivalent of RSA encryption with a 3072-bit key. The first time we saw CTB being described was by the malware blogger Kafeine back in July 2014. At that time, CTB was primarily associated with the Angler Exploit Kit.
The author of the malware announced CTB to the criminal underworld in June, with a couple of interesting points.
The criminal, who uses the handle Tapkin, was offering the malware for $3,000, with a discount of 50% to the first purchaser. He also advertised that he was planning to offer his latest crypto malware under an affiliate model. Under such a scheme, Tapkin or another criminal would host CTB, while affiliates could earn commission by infecting people. When a ransom demand is paid, the affiliate gets a cut of the profits, as does Tapkin. It is a common online marketing tactic used by retailers: they get others to do the hard work of making sales. The retailer gets a smaller cut of the profits, but since they get sales that they would otherwise be unlikely to have made, everyone is a winner.
We are not sure yet whether today’s spam will be revealed to be part of such an affiliate program, or if this is just one of Tapkin’s customers. We believe that the Angler Exploit Kit will continue to be used to deliver some forms of CTB-Locker, but expect that this will be the beginning of a long series of similar spam messages. The challenge is that criminals may find the TOR network requirement to be a barrier to their efforts.
Regardless of how it is distributed, the sequence of infection with this latest crypto malware is as follows:
1. After CTB has been downloaded, it encrypts files on the local machine. Many file types that were not encrypted by previous crypto malware have been added to this latest variant. Most interestingly, several extensions related to computer source code have been added, extensions that would likely be found on a programmer’s computer.
2. Once the encryption process is completed, the countdown begins! There is a payment window for sending the ransom payment. Failure to pay on time will see files encrypted forever.
2a. Choosing the “View” screen displays a list of the victim’s encrypted files.
3. When the victim is ready to decrypt their files, clicking NEXT results in a request for the Private Decryption Key:
4. But of course they aren’t going to give that to you for FREE!
5. The only payment type accepted is Bitcoin, but several helpful links are included to educate the victim on how they can buy Bitcoin. The latest crypto malware requires a substantial payment, the highest price we’ve seen in crypto malware to date. This version asks for EIGHT Bitcoin, which have a current value of around $1520 USD:
6. The addresses offered for contacting the criminal’s website require the use of the TOR network. If you have TOR installed, you can use the “.onion.cab” address. If you don’t have TOR, you can use a “tor2web.org” gateway.
A more detailed analysis of this campaign has been provided to PhishMe Intelligence subscribers. The campaign ID is #2644.