Blog

New Family of Ransom Locker Found, Uses TOR Hidden Service

Posted on March 21st, 2016 by Paul Kimayong

On March 9 2016, Cyphort Labs discovered an infection on a porn site keng94(dot)com redirecting visitors to an exploit kit and installing a Ransom Locker. The site is redirecting users to rg(dot)foldersasap(dot)com which is a RIG EK landing page that serves a malicious flash file and a malicious binary.

chain
Chain and RIG EK landing

 

The binary arrives encrypted over the network and after decryption, it is saved in the %temp% folder. The binary is  a new trojan-downloader type of malware but we found multiple references of the string “FA” in its code which gives us an idea on the specific name/family of the malware.

  •  ItsMeFA
  • “version_fa”
  • fa 155 

It adds an autostart key in the registry and copies itself in the StartMenu folder to execute itself at every start-up. It creates the file “C:\Users\Public\Music\Microsoft\Windows\Manifest\torrc“. This a tor configuration file which indicates how tor is being used.  The config file is set to start a “Tor Hidden Service” which can be accessed using port 1060. Tor is a free tool that is used for network anonymity.

torrc
torrc file contents
 

After creating the torrc file, it downloads a file from “http://myfiles(dot)pro/uploads/1275859359.Gaga.mp3” and saves it as C:\Users\Public\Music\Microsoft\Windows\Manifest\tor.exe

This file is actually an executable file masquerading as an mp3. When started, it spawns the following process:

  • C:\Users\Public\Music\Microsoft\Windows\Manifest\tor.exe -f torrc

And as the usual tor execution process, the following files are created.

tor_component

 

As a hidden service, tor automatically generates an onion address (e.g., 43zri2d6x2rruezl.onion) for your machine and it is written to a file named ‘hostname’. It uses this tor hidden service to download its final payload. The use of the tor hidden service allows the attacker to hide its malicious network activity in the tor network. A few moments later, the following window covers the entire screen making it unusable.

Capture

Since it locked our system, we thought of booting it in safe mode for further investigation but we were not able to do so. We decided to analyze it offline and we used volatility  to analyze the memory image.

Using Volatility to Find the Malware

We obtained the memory dump and process tree list using volatility command “pstree” and found the sd_app.exe to be the last process spawned which is also spawning another instance of tor.exe. This is likely the downloaded app and responsible for locking our screen.

sd_app

 

To confirm this, we list visible windows using the “wintree” command  to identify which process is responsible for the lock screen and we identified the same sd_app.exe

locker_window

 

Next, we identified the full path of the file using the process id and ‘cmdline‘ command

 sd_app_path

 

We dumped the disk and found the following list of files added.

sd_app_creation

The .bat  disables advanced boot options using bcedit which explains why we are not able to boot in safe mode.

batfile
contents of 1.bat

 

 

In-the-Wild Samples

Using VirusTotal service, we searched for similar samples and found 4 related samples. The first appearance of the sample is last February 01, 2016 with very low detection when first submitted. The files are also signed but the certificates are invalid. The resources section of the binary points to Russia or Ukraine. 

vt_hits_fa

 

The variants of sd_app are also signed but 2 of the files still have no detection. 

sd_app_vt

We also found the files uploaded have debug prints in the code and files are uploaded from Ukraine which indicates that the actors are using VirusTotal to test if their malware is detected by heuristics. The first variant uploaded in VT has version 0.01a-154d as indicated by the ff string:

  • WIN32-VS-x32-RELEASE-Feb  1 2016-15:33:48 v.0.01a-154d

The sample we got is version 0.02a-155. This clearly means it is in the early stage of development.

 

Conclusion

It’s been a while since we have seen a new family of Ransom Locker in-the-wild, probably due to the success of file-encrypting ransomware such as Cryptolocker, Cryptowall, Locky, etc. Also, Ransom Lockers can be easily cleaned by using “rescue discs”  so it was not effective for monetization. However, this new discovery is an advancement of ransom locker malware as it is using Tor to communicate to its CnC servers. By using tor, the attacker adds a layer of anonymity while doing its malicious activity. Also, while the attacker got your machine kidnapped, they created a Tor hidden service that allows the attacker to utilize your system for bitcoin payments or other malicious activity. As discovered by a researcher, there has been an spike of tor hidden services due to the ongoing spam campaign of Ransomware Locky. We also believe that the malware is in its early stages of development and the actors are testing the waters. 

Cyphort’s Advanced Threat Detection is able to detect the exploit infection and also detects all the payload files through behavioral detection.

Special thanks to Alex Burt and Cyphort Labs for their help in analysis and discovery of this malware.

IOCs

 Trojan Downloader hashes (FA)

5ed449fc2385896f8616e5cd7bee3f31

3a00058ccaee78805f539f2f6a259e92

d183ed4609e6ad7b00250c50a963db5d

6af38533fc8621128e943488a6f189ed

fb016a14ef1384ec78a284636631ab17

 

Screen Locker (SD)

29e71b864ac46bd3e2c216cce0403114

 639c62bcae61054a229ed3c79a109cc4

092b9e87bd75384df188feb2c4e402a2

e8231d2b7a04a5826a78b2908a1dd393

 

Mutex Names

ItsMeFA

ItsMeSD

 

 

 

 

 

 

Recent Posts

Categories

By Authors

Monthly Archives