On March 9 2016, Cyphort Labs discovered an infection on a porn site keng94(dot)com redirecting visitors to an exploit kit and installing a Ransom Locker. The site is redirecting users to rg(dot)foldersasap(dot)com which is a RIG EK landing page that serves a malicious flash file and a malicious binary.
The binary arrives encrypted over the network and after decryption, it is saved in the %temp% folder. The binary is a new trojan-downloader type of malware but we found multiple references of the string “FA” in its code which gives us an idea on the specific name/family of the malware.
- fa 155
It adds an autostart key in the registry and copies itself in the StartMenu folder to execute itself at every start-up. It creates the file “C:\Users\Public\Music\Microsoft\Windows\Manifest\torrc“. This a tor configuration file which indicates how tor is being used. The config file is set to start a “Tor Hidden Service” which can be accessed using port 1060. Tor is a free tool that is used for network anonymity.
After creating the torrc file, it downloads a file from “http://myfiles(dot)pro/uploads/1275859359.Gaga.mp3″ and saves it as C:\Users\Public\Music\Microsoft\Windows\Manifest\tor.exe
This file is actually an executable file masquerading as an mp3. When started, it spawns the following process:
- C:\Users\Public\Music\Microsoft\Windows\Manifest\tor.exe -f torrc
And as the usual tor execution process, the following files are created.
As a hidden service, tor automatically generates an onion address (e.g., 43zri2d6x2rruezl.onion) for your machine and it is written to a file named ‘hostname’. It uses this tor hidden service to download its final payload. The use of the tor hidden service allows the attacker to hide its malicious network activity in the tor network. A few moments later, the following window covers the entire screen making it unusable.
Since it locked our system, we thought of booting it in safe mode for further investigation but we were not able to do so. We decided to analyze it offline and we used volatility to analyze the memory image.
Using Volatility to Find the Malware
We obtained the memory dump and process tree list using volatility command “pstree” and found the sd_app.exe to be the last process spawned which is also spawning another instance of tor.exe. This is likely the downloaded app and responsible for locking our screen.
To confirm this, we list visible windows using the “wintree” command to identify which process is responsible for the lock screen and we identified the same sd_app.exe.
Next, we identified the full path of the file using the process id and ‘cmdline‘ command
We dumped the disk and found the following list of files added.
The .bat disables advanced boot options using bcedit which explains why we are not able to boot in safe mode.
Using VirusTotal service, we searched for similar samples and found 4 related samples. The first appearance of the sample is last February 01, 2016 with very low detection when first submitted. The files are also signed but the certificates are invalid. The resources section of the binary points to Russia or Ukraine.
The variants of sd_app are also signed but 2 of the files still have no detection.
We also found the files uploaded have debug prints in the code and files are uploaded from Ukraine which indicates that the actors are using VirusTotal to test if their malware is detected by heuristics. The first variant uploaded in VT has version 0.01a-154d as indicated by the ff string:
- WIN32-VS-x32-RELEASE-Feb 1 2016-15:33:48 v.0.01a-154d
The sample we got is version 0.02a-155. This clearly means it is in the early stage of development.
It’s been a while since we have seen a new family of Ransom Locker in-the-wild, probably due to the success of file-encrypting ransomware such as Cryptolocker, Cryptowall, Locky, etc. Also, Ransom Lockers can be easily cleaned by using “rescue discs” so it was not effective for monetization. However, this new discovery is an advancement of ransom locker malware as it is using Tor to communicate to its CnC servers. By using tor, the attacker adds a layer of anonymity while doing its malicious activity. Also, while the attacker got your machine kidnapped, they created a Tor hidden service that allows the attacker to utilize your system for bitcoin payments or other malicious activity. As discovered by a researcher, there has been an spike of tor hidden services due to the ongoing spam campaign of Ransomware Locky. We also believe that the malware is in its early stages of development and the actors are testing the waters.
Cyphort’s Advanced Threat Detection is able to detect the exploit infection and also detects all the payload files through behavioral detection.
Special thanks to Alex Burt and Cyphort Labs for their help in analysis and discovery of this malware.
Trojan Downloader hashes (FA)
Screen Locker (SD)