This infection, like other malvertising drive-by infections, has the capability to infect unsuspecting victims through no fault of their own: simply visiting the website, without clicking anything, can get the victim’s computer infected.

In this blog we will briefly analyze the infection chain.

Infection chain analysis:

The following is an overview of the infection cycle, from Teeper.com to the exploit kit landing page.

[Image: infection chain]

Here you can see the post-infection traffic after a successful compromise.

[Image: post-infection traffic (Landingpage_new)]

After de-obfuscating the landing page, we found that Angler carries multiple Flash, Silverlight and IE exploits. In the infection chain shown above, the exploit kit compromised our test machine with the IE exploit for CVE-2014-6332. The VBScript exploit code was hidden very deep inside the exploit kit’s landing page. The following screenshot shows the VBScript snippet that triggers the vulnerability in IE. This exploit is very reliable and can successfully compromise IE 3 through IE 11.

[Image: VBScript snippet triggering CVE-2014-6332]

After browser exploitation, Angler drops the Bedep malware, which in turn downloads and infects the victim’s machine with the CryptXXX ransomware.

CryptXXX Ransomware analysis:

We observed that Bedep downloads and installs this ransomware in the following directory:

  • %APPDATA%\Local\Temp\{Randomly Generated GUID}\api-ms-win-system-{random system dll name}-l1-1-0.dll

Example:

  • %APPDATA%\Local\Temp\{6318FCD6-6242-4594-AACB-XXX4FBB03C99}\api-ms-win-system-dbghelp-l1-1-0.dll

The following screenshot shows how the ransomware changes the wallpaper to the ransom message and asks the victim to start collecting bitcoins.

[Image: ransom wallpaper (Page_1)]

The ransomware also drops the following files into every folder that contains encrypted files.


  • de_crypt_readme.txt
  • de_crypt_readme.bmp
  • de_crypt_readme.html

CryptXXX encrypts all files with the following extensions and replaces each file’s extension with “.crypt”.

.3dm, .3ds, .3g2, .3gp, .7z, .accdb, .aes, .ai, .aif, .apk, .app, .arc, .asc, .asf, .asm, .asp, .aspx, .asx, .avi, .bat, .bmp, .brd, .bz2, .c, .cer, .cfg, .cfm, .cgi, .cgm, .class,
.cmd, .cpp, .crt, .cs, .csr, .css, .csv, .cue, .db, .dbf, .dch, .dcu, .dds, .dif, .dip, .djv, .djvu, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dtd, .dwg, .dxf, .eml, .eps, .fdb,
.fla, .flv, .frm, .gadget, .gbk, .gbr, .ged, .gif, .gpg, .gpx, .gz, .h, .htm, .html, .hwp, .ibd, .ibooks, .iff, .indd, .jar, .java, .jks, .jpg, .js, .jsp, .key, .kml, .kmz, .lay, .lay6,
.ldf, .lua, .m, .m3u, .m4a, .m4v, .max, .mdb, .mdf, .mfd, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpa, .mpg, .ms11, .msi, .myd, .myi, .nef, .note, .obj, .odb, .odg, .odp, .ods, .odt,
.otg, .otp, .ots, .ott, .p12, .pages, .paq, .pas, .pct, .pdb, .pdf, .pem, .php, .pif, .pl, .plugin, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .priv, .private,
.ps, .psd, .pspimage, .py, .qcow2, .ra, .rar, .raw, .rm, .rss, .rtf, .sch, .sdf, .sh, .sitx, .sldx, .slk, .sln, .sql, .sqlite3, .sqlitedb, .srt, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd,
.sxi, .sxm, .sxw, .tar, .tbk, .tex, .tga, .tgz, .thm, .tif, .tiff, .tlb, .tmp, .txt, .uop, .uot, .vb, .vbs, .vcf, .vcxproj, .vdi, .vmdk, .vmx, .vob, .wav, .wks, .wma, .wmv, .wpd, .wps,
.wsf, .xcodeproj, .xhtml, .xlc, .xl, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .yuv, .zip, .zipx
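The three host artifacts described above (the GUID-named DLL under Temp, the de_crypt_readme.* notes dropped beside encrypted files, and the ".crypt" extension) can be checked together during triage. The following is an added example, not code from the original post or from the malware: it classifies file paths from a constructed directory listing, matches the documented drop-path pattern while ignoring legitimate api-ms-win-*.dll forwarders in System32, and reports every folder that holds both a ransom note and at least one ".crypt" file. The GUID, user name and the small subset of targeted extensions are assumptions made for the sample data; the original type is reported only when a name such as budget.xlsx.crypt still shows it.

```python
import re
from pathlib import PureWindowsPath

# Host artifacts documented for this CryptXXX sample in the write-up above.
RANSOM_NOTES = {"de_crypt_readme.txt", "de_crypt_readme.bmp", "de_crypt_readme.html"}
ENCRYPTED_SUFFIX = ".crypt"
# Drop location: %APPDATA%\Local\Temp\{GUID}\api-ms-win-system-<name>-l1-1-0.dll.
# Legitimate API-set forwarder DLLs live in System32, never under a GUID folder
# in Temp, so the directory part of the pattern is what makes it specific.
DROPPED_DLL = re.compile(
    r"\\Temp\\\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\\"
    r"api-ms-win-system-[a-z0-9_]+-l1-1-0\.dll$",
    re.IGNORECASE,
)
# Subset of the targeted extensions listed above (assumption: enough to
# exercise the check), used to name the original type when it is still visible.
TARGETED_EXTENSIONS = {".docx", ".xlsx", ".jpg", ".pdf", ".sql", ".vmdk", ".key"}


def original_extension(name):
    """Return the targeted extension that precedes '.crypt', or '' if none is visible."""
    stem = name[: -len(ENCRYPTED_SUFFIX)]
    ext = PureWindowsPath(stem).suffix.lower()
    return ext if ext in TARGETED_EXTENSIONS else ""


def triage(paths):
    """Classify file paths and group ransom-note / encrypted-file hits per folder.

    Returns the dropped-DLL matches, the folders that contain both a ransom
    note and at least one '.crypt' file, and the per-folder counters.
    """
    dropped = []
    per_dir = {}
    for path in paths:
        p = PureWindowsPath(path)
        folder = str(p.parent).lower()
        name = p.name.lower()
        if DROPPED_DLL.search(path):
            dropped.append(path)
        elif name in RANSOM_NOTES:
            entry = per_dir.setdefault(folder, {"notes": 0, "encrypted": 0, "types": set()})
            entry["notes"] += 1
        elif name.endswith(ENCRYPTED_SUFFIX):
            entry = per_dir.setdefault(folder, {"notes": 0, "encrypted": 0, "types": set()})
            entry["encrypted"] += 1
            ext = original_extension(name)
            if ext:
                entry["types"].add(ext)
    affected = sorted(f for f, c in per_dir.items() if c["notes"] and c["encrypted"])
    return {"dropped_dll": dropped, "affected_dirs": affected, "dir_counts": per_dir}


# Constructed sample listing (not from a real infection); the GUID is made up.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\{0F0F0F0F-1111-2222-3333-444444444444}\api-ms-win-system-dbghelp-l1-1-0.dll",
    r"C:\Users\alice\Documents\budget.xlsx.crypt",
    r"C:\Users\alice\Documents\de_crypt_readme.txt",
    r"C:\Users\alice\Documents\de_crypt_readme.html",
    r"C:\Users\alice\Pictures\holiday.jpg",  # untouched file
    r"C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll",  # legitimate API-set DLL, must not match
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS).items():
        print(key, value)
```

Feeding the output of a recursive directory listing (or a forensic file-system timeline) into `triage` gives a quick picture of which folders were hit; the ransom notes are the cheaper indicator to search for first, since the ".crypt" check needs a full listing.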


Ransomware C&C:

The ransomware contacts its C&C server over port 443, which adds a layer of anonymity.

  • CnC IP: 217.23.6.40

Pony Info Stealer:

This malware steals the victim’s credentials from popular FTP, mail and IM applications. It also steals data from Google Chrome’s User Data folder and from bitcoin wallets, which it locates by searching file names for the following strings:

  • WALLET
  • _WALLET
  • .WALLET

We also observed that it terminates the following cryptocurrency applications:

  • bitcoin-qt.exe
  • litecoin-gt.exe
  • msigna.exe
  • Copay.exe

We have seen this CryptXXX activity since April 13, 2016, using the same delivery method, the Angler-Bedep infection. At that time we saw Bedep download Vawtrak, Pony Stealer and CryptXXX, but recently the activity has been Bedep-CryptXXX only. It appears that the actors have shifted their focus to ransomware and combined the Pony info-stealer functionality into one single piece of malware.

Conclusion:

It is clear that ransomware is on the rise this year. It is important for internet users to keep their software up to date with the latest patches to minimize the attack surface. Additionally, it is advisable to regularly back up your computer, or at least your most important files.

Big thanks to Paul Kimayong for his help with the malware analysis.