FROM THE COMODO LABS: What’s old is new again, as that e-fax could contain CryptoLocker

January 21, 2016 | By Comodo

Since 2013, the CryptoLocker malware has been making its way across the Internet in various forms and iterations. CryptoLocker is a ransomware trojan which targets computers running Microsoft Windows and is especially popular among cybercriminals for its ability to read a file, encrypt it, overwrite the original with the encrypted version and then demand a ransom for the return of the file.

[Of note, it should be pointed out that Comodo’s containment technology protects customers from CryptoLocker, highlighted in a blog post back in 2013: https://blog.comodo.com/it-security/cryptolocker-virus-best-practices-to-ensure-100-immunity/]

As CryptoLocker has remained popular and the malware has evolved, the methods used to evade security software have evolved as well, with new techniques being introduced by cyberthieves daily.

Enter the fax.

The engineers from the Comodo Threat Research Labs have discovered a recent phishing attack sending random emails to businesses and consumers across the globe with attachments marked as a fax.

The subject of the email is “You have new fax, document 00359970” and the content of the email is just a regular fax message (or so it seems).

A screen grab of the “fax” phishing emails is below.

What makes this new malware strain unique is that it is actually a two-part malware system: an executable file and a batch file running together. According to the engineers at Comodo, the scripts are broken down into separate executables, making the size of the encrypting executable less than 3KB, which allows the file to pass through many security layers.

The original script does not terminate after downloading the encrypter; it continues execution, creates a batch file, and launches CryptoLocker.

The malicious behavior comes in the next step, and only shows itself with the combination of the executable and the batch file that is created at run time.

Using the fax or e-fax tagline makes people both open the email and then click on the attachment to view the fax.

The Comodo Threat Research Lab team identified this phishing email campaign through IP, domain and URL analysis.

“This type of new malware strain is innovative – taking some simple programming ideas and combining them with negative intentions. These cybercriminals are clearly dedicating a large amount of testing, research, analysis and programming to make it happen,” said Fatih Orhan, Comodo’s Director of Technology and lead for the Comodo Threat Research Lab. “Taking an older technology idea like the e-fax and using it with an updated code and malware strain like CryptoLocker is bringing two schools of thought together. The cybercriminals are continuing to try and take advantage of businesses and consumers so the word of caution to the public is beware of what you click on in an email like this – it may come with serious consequences.”

The Comodo Threat Research Labs team is made up of more than 40 IT security professionals, ethical hackers, computer scientists and engineers, all full time Comodo employees, analyzing and filtering spam, phishing and malware from across the globe. With offices in the U.S., Turkey, Ukraine, the Philippines and India, the team analyzes more than 1 million potential pieces of phishing, spam or other malicious/unwanted emails per day, using the insights and findings to secure and protect its current customer base and the at-large public, enterprise and Internet community.

If you feel your company’s IT environment is under attack from phishing, malware, spyware or cyberattacks, contact the security consultants at Comodo: https://enterprise.comodo.com/contact-us.php

A screen grab of the malicious email has been captured below:

[Image: eFax CryptoLocker phishing email]

For System Administrators and IT Directors, details on how the malware works are below:

The tricky part of the story for this phishing email lies inside the decoded script. This script tries to download a file from one of “www.foulmouthedcatlady.com, kashfianlaw.com, totalpraisetrax.com” and save it under %temp% as 770646_crypt.exe (so for each user it is something like C:\Users\<yourusername>\AppData\Local\Temp\, and 770646 is just a random number).

The interesting part is that the downloaded executable file is not executed directly, because it is not a malware file by itself. It is just an executable that is used to perform encryption, and does not have anything else inside. That also makes it exceptional, because the size of the file is just 2560 bytes (less than 3KB!). The decompiled code contains merely 40-50 lines. This file may pass through many security filters at different levels of the network.

So, if this file is not malware, and just an encrypter, where is the malicious behavior? The original script (not the exact first script, but the de-obfuscated one) does not terminate after downloading the encrypter. It continues its execution and also creates another batch file. It names this new batch file 770646_tree.cmd and saves it under the same directory (%temp%). In fact this batch file is the actual source of the malicious behavior. It first looks through all the drives (checking the whole alphabet from A to Z), searches each directory on each drive, traverses all of the child directories, and finds document files, PDFs, archive files, source code, multimedia data, configuration files, drawing files and many other file types.

The list of file types it is searching is more than 70, including (but not limited to):

*.zip *.rar *.xls *.xlsx *.doc *.docx *.pdf *.rtf *.ppt *.pptx *.jpg *.tif *.avi *.mpg etc…

When a file matching one of these extensions is found, the encrypter (the downloaded executable) is executed for that file. The encrypter does not change the file extension or anything else; it just encrypts the content and leaves the file in place. After the encryption of all files in all folders on all drives is finished, the encrypter file is deleted by the batch file.

The batch file then also creates a readme file (named 770646_readme.txt) and writes the following text in it:

ATTENTION:

All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key.

To restore your files you have to pay 0.5 BTC (bitcoins). To do this:

1. Create Bitcoin wallet here:

https://blockchain.info/wallet/new

2. Buy 0.5 BTC with cash, using search here:

https://localbitcoins.com/buy_bitcoins

3. Send 0.5 BTC to this Bitcoin address:

1CWG5JHDZqHPF1W8sAnUw9vD8xsBcNZavJ

4. Send any e-mail to:

keybtc@inbox.com

After that you will receive e-mail with detailed instructions how to restore your files.

Remember: nobody can help you except us. It is useless to reinstall Windows, rename files, etc.

Your files will be decrypted as quick as you make payment.

It first opens this file in the Notepad editor, then also copies it to the user’s desktop as a new file named DECRYPT_YOUR_FILES.txt. The batch file also adds an autorun entry to the registry so that the same readme message is shown at Windows startup. Lastly, the batch file deletes itself.

Summary from the Comodo engineers:

As can be seen from the analysis, the goal of encrypting files is a regular one, known to all security experts. But the method selected here to infiltrate and carry out the encryption is different: the downloaded executable is not malicious by itself, and performs only part of the total goal. The other part is performed by a batch script which is created at runtime (so it does not exist at the beginning). The combined execution of both files produces the final malicious intent, which is encrypting all files. This method may well bypass some security filters and products, due to two factors:

  1. The content and size of the executable are very small (less than 3KB), and the executable does not by itself contain any malicious behavior.
  2. The malicious behavior is shown only with the combination of the executable and a batch file together, the latter being created at runtime.
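As an added illustration (not Comodo's code or telemetry), the following Python detection logic looks for the two-part pattern the analysis describes: a sub-3KB executable under %temp%, launched by a .cmd/.bat script that also lives under %temp%, and invoked once per document file. The event field names and the sample process-creation events are constructed assumptions for the demo.

```python
import re
from collections import defaultdict

# Subset of the 70+ extensions the batch file searches for (from the article).
TARGET_EXT = {".zip", ".rar", ".xls", ".xlsx", ".doc", ".docx", ".pdf", ".rtf",
              ".ppt", ".pptx", ".jpg", ".tif", ".avi", ".mpg"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_RE = re.compile(r"\.(cmd|bat)\b", re.IGNORECASE)
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')  # quoted or bare command-line arguments

def targets_in(cmdline):
    """Paths on the command line whose extension is one the batch file hunts for."""
    found = []
    for quoted, bare in ARG_RE.findall(cmdline):
        arg = quoted or bare
        dot = arg.rfind(".")
        if dot != -1 and arg[dot:].lower() in TARGET_EXT:
            found.append(arg)
    return found

def find_crypt_loops(events, max_size=3072, min_targets=3):
    """Flag a sub-3KB executable in %temp% that a .cmd/.bat in %temp% runs once
    per document file. Each event: image, size (bytes), cmdline, parent_cmdline
    (hypothetical field names for process-creation telemetry)."""
    hits = defaultdict(set)  # (executable, launching script) -> distinct target files
    for ev in events:
        if ev["size"] > max_size or not TEMP_RE.search(ev["image"]):
            continue
        parent = ev["parent_cmdline"]
        if not (TEMP_RE.search(parent) and SCRIPT_RE.search(parent)):
            continue
        hits[(ev["image"], parent)].update(targets_in(ev["cmdline"]))
    return [{"image": img, "script": scr, "targets": sorted(t)}
            for (img, scr), t in hits.items() if len(t) >= min_targets]

# Constructed sample telemetry: user name, drives and file names are invented.
TMP = r"C:\Users\alice\AppData\Local\Temp"
SCRIPT = rf'cmd.exe /c "{TMP}\770646_tree.cmd"'
CRYPT = rf"{TMP}\770646_crypt.exe"
SAMPLE_EVENTS = [
    {"image": CRYPT, "size": 2560, "cmdline": rf'"{CRYPT}" "D:\docs\budget 2016.xlsx"', "parent_cmdline": SCRIPT},
    {"image": CRYPT, "size": 2560, "cmdline": rf'"{CRYPT}" "D:\docs\contract.pdf"', "parent_cmdline": SCRIPT},
    {"image": CRYPT, "size": 2560, "cmdline": rf'"{CRYPT}" "E:\photos\IMG_0001.jpg"', "parent_cmdline": SCRIPT},
    {"image": CRYPT, "size": 2560, "cmdline": rf'"{CRYPT}" "D:\docs\contract.pdf"', "parent_cmdline": SCRIPT},
    {"image": CRYPT, "size": 2560, "cmdline": rf'"{CRYPT}" "C:\src\backup.zip"', "parent_cmdline": SCRIPT},
    # Benign: a large installer helper in Temp launched from Explorer, not a script.
    {"image": rf"{TMP}\setup_helper.exe", "size": 812000, "cmdline": "setup_helper.exe /quiet", "parent_cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    for hit in find_crypt_loops(SAMPLE_EVENTS):
        print(hit["image"], "ran on", len(hit["targets"]), "document files via", hit["script"])
```

The size threshold and the minimum count of distinct document targets are the two factors from the summary above; tune them to your telemetry.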
