Since 2013, the CryptoLocker malware has been making its way across the Internet in various forms and iterations. CryptoLocker is a ransomware trojan that targets computers running Microsoft Windows and is especially popular among cybercriminals for its ability to read a file, encrypt it, overwrite the original with the encrypted version and then demand a ransom for its return.
[Of note, it should be pointed out that Comodo’s containment technology protects customers from CryptoLocker, highlighted in a blog post back in 2013: https://blog.comodo.com/it-security/cryptolocker-virus-best-practices-to-ensure-100-immunity/]
As CryptoLocker has remained popular and the malware has evolved, the methods used to evade security software have evolved as well, with new techniques being introduced by cyberthieves daily.
Enter the fax.
The engineers from the Comodo Threat Research Labs have discovered a recent phishing attack sending random emails to businesses and consumers across the globe with attachments marked as a fax.
The subject of the email is “You have new fax, document 00359970” and the body is just a regular fax notification (or so it seems).
A screen grab of the “fax” phishing emails is below.
What makes this new malware strain unique is that it is actually a two-part system: an executable file and a batch file that run together. According to the engineers at Comodo, the logic is split into separate executables so that the encrypting executable is less than 3KB in size, small enough to pass through many security layers.
The original script does not terminate after downloading the encrypter; it continues execution, also creates a batch file, and launches CryptoLocker.
The malicious behavior appears only in the next step, and only through the combination of the executable and a batch file that is created at run time.
The fax or e-fax tagline makes people both open the email and then click on the attachment to view the fax.
The Comodo Threat Research Lab team identified this phishing email campaign through IP, domain and URL analysis.
“This type of new malware strain is innovative – taking some simple programming ideas and combining them with negative intentions. These cybercriminals are clearly dedicating a large amount of testing, research, analysis and programming to make it happen,” said Fatih Orhan, Comodo’s Director of Technology and lead for the Comodo Threat Research Lab. “Taking an older technology idea like the e-fax and using it with an updated code and malware strain like CryptoLocker is bringing two schools of thought together. The cybercriminals are continuing to try and take advantage of businesses and consumers so the word of caution to the public is beware of what you click on in an email like this – it may come with serious consequences.”
The Comodo Threat Research Labs team is made up of more than 40 IT security professionals, ethical hackers, computer scientists and engineers, all full time Comodo employees, analyzing and filtering spam, phishing and malware from across the globe. With offices in the U.S., Turkey, Ukraine, the Philippines and India, the team analyzes more than 1 million potential pieces of phishing, spam or other malicious/unwanted emails per day, using the insights and findings to secure and protect its current customer base and the at-large public, enterprise and Internet community.
If you feel your company’s IT environment is under attack from phishing, malware, spyware or cyberattacks, contact the security consultants at Comodo: https://enterprise.comodo.com/contact-us.php
A screen grab of the malicious email has been captured below:
For the System Administrator and IT Directors, details on how the malware works are below:
The tricky part of this phishing email lies inside the decoded script. The script tries to download a file from one of “www.foulmouthedcatlady.com, kashfianlaw.com, totalpraisetrax.com” and saves it under %temp% as 770646_crypt.exe (so for each user it is something like C:\Users\yourusername\AppData\Local\Temp\, and 770646 is just a random number).
The interesting part is that the downloaded executable is not executed directly, because it is not malware by itself. It is just an executable that performs encryption and contains nothing else. That also makes it exceptional, because the file is only 2560 bytes (less than 3KB!). The decompiled code contains merely 40-50 lines. Such a file may pass through many security filters at different levels of the network.
So, if this file is not malware, just an encrypter, where is the malicious behavior? The original script (not the very first script, but the de-obfuscated one) does not terminate after downloading the encrypter. It continues its execution and also creates another batch file, named 770646_tree.cmd and saved in the same directory (%temp%). This batch file is in fact the actual source of the malicious behavior. It first looks through all the drives (checking the whole alphabet from A to Z), searches each directory on each drive, traverses all child directories, and finds document files, PDFs, archives, source code, multimedia data, configuration files, drawing files and many other file types.
The list of file types it searches for contains more than 70 entries, including (but not limited to):
*.zip *.rar *.xls *.xlsx *.doc *.docx *.pdf *.rtf *.ppt *.pptx *.jpg *.tif *.avi *.mpg etc…
When a file matching one of these extensions is found, the encrypter (the downloaded executable) is executed for that file. The encrypter does not change the file extension or anything else; it just encrypts the content and leaves the file in place. After the encryption of all files in all folders on all drives is finished, the batch file deletes the encrypter.
The batch file then also creates a readme file (named 770646_readme.txt) and writes the following text in it:
ATTENTION:
All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key.
To restore your files you have to pay 0.5 BTC (bitcoins). To do this:
1. Create Bitcoin wallet here:
https://blockchain.info/wallet/new
2. Buy 0.5 BTC with cash, using search here:
https://localbitcoins.com/buy_bitcoins
3. Send 0.5 BTC to this Bitcoin address:
1CWG5JHDZqHPF1W8sAnUw9vD8xsBcNZavJ
4. Send any e-mail to:
keybtc@inbox.com
After that you will receive e-mail with detailed instructions how to restore your files.
Remember: nobody can help you except us. It is useless to reinstall Windows, rename files, etc.
Your files will be decrypted as quick as you make payment.
It first opens this file in the Notepad editor, then also copies it to the user’s desktop as a new file named DECRYPT_YOUR_FILES.txt. The batch file also adds a registry entry for autorun at Windows startup, so that the same readme message is shown whenever the computer is next started. Lastly, the batch file deletes itself as well.
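Detection logic for the chain described above (tiny encrypter dropped in %temp%, batch file created at run time, one encrypter launch per document file, readme drop, autorun key), as an added example that is not part of Comodo's post or its tools. The event format, the sample user path, and the thresholds are assumptions; the telemetry is constructed.

```python
import re
from collections import Counter

# Subset of the 70+ extensions the post says the batch file searches for
DOC_EXT = {".zip", ".rar", ".xls", ".xlsx", ".doc", ".docx", ".pdf", ".rtf",
           ".ppt", ".pptx", ".jpg", ".tif", ".avi", ".mpg"}
CRYPT_RE = re.compile(r"\\temp\\(\d+)_crypt\.exe$", re.I)   # %temp%\<n>_crypt.exe
CMD_RE = re.compile(r"\\temp\\(\d+)_tree\.cmd$", re.I)      # %temp%\<n>_tree.cmd
README_RE = re.compile(r"\d+_readme\.txt$|DECRYPT_YOUR_FILES\.txt$", re.I)
MAX_ENCRYPTER_SIZE = 3 * 1024   # post: the encrypter is under 3KB
MIN_VICTIM_FILES = 5            # assumed threshold for "mass" invocation

def detect_two_part_ransomware(events):
    """Correlate file/process/registry events (dicts with "type" plus
    "path"/"size", "image"/"parent"/"args" or "key") into one verdict."""
    tiny, batch, readme, autorun, runs = set(), set(), False, False, Counter()
    for e in events:
        t, path = e["type"], e.get("path", "")
        if t == "file_create" and (m := CRYPT_RE.search(path)):
            if e.get("size", 0) < MAX_ENCRYPTER_SIZE:
                tiny.add(m.group(1))        # stage 1: tiny encrypter dropped
        elif t == "file_create" and (m := CMD_RE.search(path)):
            batch.add(m.group(1))           # stage 2: batch created at run time
        elif t == "file_create" and README_RE.search(path):
            readme = True                   # stage 4: ransom note dropped
        elif t == "process_create" and (m := CRYPT_RE.search(e.get("image", ""))):
            # stage 3: cmd.exe launches the encrypter once per document file
            ext = "." + e.get("args", "").rsplit(".", 1)[-1].lower()
            if ext in DOC_EXT and e.get("parent", "").lower().endswith("cmd.exe"):
                runs[m.group(1)] += 1
        elif t == "registry_set" and re.search(r"\\CurrentVersion\\Run\\", e.get("key", ""), re.I):
            autorun = True                  # stage 5: autorun entry for the note
    chains = sorted(i for i in tiny & batch if runs[i] >= MIN_VICTIM_FILES)
    return {"chain_id": chains, "victim_files": {i: runs[i] for i in chains},
            "readme": readme, "autorun": autorun,
            "verdict": "two-part ransomware" if chains else "no match"}

# Constructed sample telemetry (not from the post), mirroring the described chain
TEMP = r"C:\Users\alice\AppData\Local\Temp"   # assumed user profile path
SAMPLE_EVENTS = (
    [{"type": "file_create", "path": TEMP + r"\770646_crypt.exe", "size": 2560},
     {"type": "file_create", "path": TEMP + r"\770646_tree.cmd", "size": 4100}]
    + [{"type": "process_create", "image": TEMP + r"\770646_crypt.exe",
        "parent": r"C:\Windows\System32\cmd.exe", "args": rf"D:\docs\file{i}.docx"}
       for i in range(6)]
    + [{"type": "file_create", "path": TEMP + r"\770646_readme.txt", "size": 700},
       {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\770646"}]
)
```

The verdict requires the shared numeric prefix to link the dropped executable, the batch file and the repeated launches, so a lone small executable or a lone readme does not fire.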
Summary from the Comodo engineers:
As can be seen from the analysis, the goal of encrypting files is ordinary and known to all security experts. But the method selected here to infiltrate and carry out the encryption is different: the downloaded executable is not malicious by itself and performs only part of the overall goal. The other part is performed by a batch script that is created at runtime (so it does not exist at the beginning). The combination of both files' execution produces the final malicious intent, which is encrypting all files. This method may surely bypass some security filters and products, due to two factors:
Tags: comodo,malware,ransomware