Saturday, October 14, 2017

Notes on Sage 2.2 ransomware version


Sage, also known as SageCrypt, is an interesting ransomware variant - emerged somewhere in December last year, and is believed to be a variant of the CryLocker ransomware.

There's a good blog post on BleepingComputer on the first version of Sage, id est "Sage 2".

Yesterday, a personal friend of mine reached out, as his "computer started talking" and his files appeared to be encrypted. And indeed, it appears he suffered the latest variant of Sage: Sage 2.2

Sage 2.2 appears to have been out for a while, at least since February of this year:


Some figures of Sage 2.2 follow below:

Figure 1 - Sage 2.2 desktop background



Figure 2 - Sage 2.2 file recovery instructions

The message reads:

You probably noticed that you can not open your files and that some software stopped working correctly.
This is expected. Your files content is still there, but it was encrypted by "SAGE 2.2 Ransomware".
Your files are not lost, it is possible to revert them back to normal state by decrypting.
The only way you can do that is by getting "SAGE Decrypter" software and your personal decryption key.

Typical features of Sage 2.2, include, but are not limited to:

  • Refresh or update of payment pages is possible;
  • Ransom note (!HELP_SOS) and portal, including CAPTCHA;
And...

It speaks! Just like Cerber did at some point, Sage 2.2 has a message for the victim using Microsoft SAPI:

Figure 3 - VBscript which will speak to the victim (click to enlarge)

Interestingly enough, even though the version number still indicates 2.2, there's at least one slight change:
  • Deletion or purge of backup catalog/history by using:
    wbadmin delete catalog -quiet

The portal or decryption pages look as follows, stepping through:

Figure 4 - Sage 2.2 user login portal


Figure 5 - Captcha

Figure 6 - Language selection


Figure 7 - Final portal

The victim can choose from a multitude of languages, and, at the final portal, there is a special prize for the decryption, for a selected time (7 days): currently 0.17720 BTC, which is about $1000.

As usual, there's a Payment, Test decryption, Instructions, and even a Support tab:

Figure 8 - Payment tab
Figure 9 - Test Decryption tab

Figure 10 - Instructions tab


Figure 11 - Support requests tab




Sage 2.2 will append the .sage extension to encrypted files and currently, it does not appear files can be decrypted without the cybercriminal's help.

As always, try to restore from a backup if possible, and avoid paying the ransom.

Additionally, have a look at my ransomware prevention page, on how to protect yourself.



IOCs

Wednesday, October 11, 2017

Rick and Morty episode? Nope, another CoinMiner


Last week I got an email from someone requesting help in regards to a possible malware infection: that person downloaded a torrent, and believed it was a legitimate episode of Rick and Morty, an animated series.

A file called Rick.and.Morty.S03E10.HDTV.x264-BATV.MKV.exe (116 MB in filesize) is of our interest and, what you'll notice first is of course the file extension - it's an executable Riiiiiiiiiiiick!

In fact, this file is a self-extracting and password-protected archive which contains two other files:

Figure 1 - two new files in the archive

One file is indeed a legitimate video file, which features the following:

Figure 2 - clip

This short clip has nothing to do with Rick and Morty, but seems to be a promo clip for a new series, called '1922'.

Inside the other file however, another executable, is another self-extracting and password-protected archive, sometimes referred to as 'SFX' with inside ... More archives.

In short, what you actually end up with is a cryptominer or coinminer. In Figure 3 below, you can spot both the passwords used for the archives, as well as the mining pool of interest:

Figure 3 - Passwords, and cryptominer pool (click to enlarge)

The line of interest is as follows, in where the IP points to a US server:

START "{1}" /B /WAIT /LOW "%ALLUSERSPROFILE%\{1}\{1}.exe" -o 173.44.42.189:8080 -u off.x -p off.x -k --nicehash -o us-east.cryptonight-hub.miningpoolhub.com:17024 -u off.y -p off.y -k -v 0 --donate-level 1 -B

Basically, this is yet another cryptominer or coinminer. This one is rather interesting, for several reasons. If you'd like to know more, feel free to have a play around with the files, they are included as IOCs at the end of this post.



Disinfection

If you've been hit by this, then...:


  • Navigate to C:\ProgramData or %ALLUSERSPROFILE%
  • Search for a folder with random names. If you don't see any, you may want to follow the instructions here. Delete said folder, if possible. If not possible:
  • Open Task Manager, and search for any process with a random name. End the process and repeat step 1 to 2.
  • Perform a scan with your installed antivirus product.
  • Perform a scan with an online antivirus, which is different from the one you have. Alternatively, perform a scan with Malwarebytes.
You may also leave a comment should any difficulties arise.



Prevention

  • Install an antivirus (free or not).
  • Enable showing file extensions. This is hidden by default by Windows, and will enable you to see if that 'video' is indeed a video, or not. Guide here.
  • Do not download any torrents or at least try to avoid those that are either suspicious-looking, or too good to be true.


Conclusion

Coinminers have been on the rise for a while now, and illegitimately use a person's machine for mining, which may additionally lead to an increased (and undesired) CPU usage.

While coinminers for now are relatively less dangerous than what's usually out there, for example banking trojans, it should not be underestimated - and the sample analysed in this post proves the point, as it employed some rather unique, or at least varied, techniques.

It is likely safe to assume that not only the malicious use of coinminers will increase, but also that other malware may jump aboard - attempting to maximize profits (or vice versa, a coinminer with added persistence or other malware on board). The latter has already been observed, for example, in AdylKuzz.




IOCs

Wednesday, September 20, 2017

Malicious ad/click networks: common or forgotten threat?


Introduction

Malicious ad/click networks and ad fraud are not entirely a new phenomenon, but it is important to realize the kind of threat it may pose. Is it a common, or forgotten threat? Maybe both.

In this blog post, we'll take a look at how a seemingly innocuous click network and advertiser, is actually showing some rather malicious behavior.



The beginning

It all starts with the following redirect:

Figure 1 - .js download

A 'critical Firefox update' needs to be downloaded and run, with the resulting file having multiple layers of obfuscation. After deobfuscating 2 layers, we get the following:


Figure 2 - malicious script

The script will attempt to download an .flv file from ohchivsevmeste5[.]com, with additional parameters. While I was unable to reproduce what happened afterwards at time of writing, it would likely fetch another heavily obfuscated JavaScript, for clickjacking purposes (and this behaviour can also be deduced from Figure 1, as it persists in the browser).

Clickjacking is not an uncommon phenomenon unfortunately, and is described by Wikipedia as:

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
Basically, what you see is not what you get. In this case, a Firefox update is anything but said update.



The persona

The domain mentioned in figure 2 is hosted on 192.129.215[.]157, which has a ton of other domains, with most of them appearing random. One of these domains is aiwohblackhatx[.]org, which is registered to a person with email address of abdelrahman.a.y.127@gmail[.]com.

This email address is linked to a Facebook page, mltaqaalwza2f2, which claims to be a jobseeker website:

Advertisements for newspapers, newspapers and websites The largest site jobs on Facebook for Jordanians only

Until recently, that page listed a contact email address as ADMIN@ULTIMATECLIXX[.]COM. This has now been changed, and unfortunately I was unable to take a screen capture at that time.

Ultimateclixx sports a flashing website, promising instant payment:

Figure 3 - Ultimateclixx website (at time of writing)

Passive DNS data reveals that the email address mentioned above, has links to other domains, and in particular to a person or persona called 'Mohammed Farajalla'. This persona has multiple email addresses set up, all pointing to click networks:

Figure 4 - Persona (click to enhance)

This initially lead me to believe that Abdelrahman and Mohammed are the same person, and is simply an alias. However, WhoIs data from another domain, aifomtomyam69[.]org, reveals a person named 'Abdelrahman Farajallah' as domain owner.

Brothers?

Figure 5 - Ultimateclix admin forum post (click to enhanceà

Brothers or not, it seems that Mohammed is the 'public face' of the company, and Abdelrahman works in the background, registering domains. A well-oiled business scheme, apparently.

In Figure 5 above, you can see a specific post from 'mhmadfarajalla', hereafter referred to as Mohammed, explaining how he joined Goldenclixx from 2013 onwards, and made quite some investments. This reply was motivated by a user questioning their legitimacy:

Figure 6 - concerns in regards to the Ultimateclixx admin (click to enhance)

This was posted in 2015 on the eMoneySpace forum, which is a website created to 'promote or talk about internet money related subjects'. Basically, how to earn money online using ads, which is completely legal.

Link to topic can be found here:
https://www.emoneyspace.com/forum/index.php?topic=361872.0

I've also set up a mirror here: https://web.archive.org/web/20170918213144/https://www.emoneyspace.com/forum/index.php?topic=361872.0


It appears Abdelrahman and Mohammed have been involved in this scheme for a prolonged period of time. While they may have initially started their project or business as a legitimate way to make money, this has definitely shifted. They are likely located in Palestine. (see also his/their Twitter account, and make your own deductions.)



The infrastructure

Earlier, I mentioned that domains involved seemed random. Have a look at these domains:

aidixhurricane[.]net
aifomtomyam69[.]org
aingucareersearchings[.]com
aiteobutigim[.]net
aiwohblackhatx[.]org

Notice anything particular? If not, what about the following domains? (includes our initial example)

ohchivsevmeste5[.]com
ohighzapiska[.]org
ohlahlukoil[.]org
ohmuogoodlacksha[.]com
ohseltelists[.]org

To clarify, the 2 first characters are the same for a whole set of domains, while the rest does appear to be (at least semi-)random. Just as a visual aid, here are a few other domains:

vaewedashrecipes[.]net
vahfebankofamerica[.]net

iechow3blog[.]org
iefaxshoeboxapp[.]net
iegiwrealarcade[.]org
iehohclock-world[.]org
iengeluxauto[.]com
ieweimz16[.]org
ieyonthesubfactory[.]net

You may have noticed vahfebankofamerica[.]net in there, it is relatively newly registered (2017-09-12), by a 'Megan Quinn', with email address of qum65@binkmail[.]com. I doubt an actual Ms. Quinn would use this email address. It may try to convince users of its legitimacy, alluding it is part of Bank of America's website. However, nothing could be further from the truth.

Interestingly enough, the domain has hosted a JavaScript at least once, with a familiar pattern:
https://vahfebankofamerica[.]net/3558451080485/150526622449473/firefox-patch[.]js

No doubt this website would also prompt you to download a 'critical security update'. Do I hear redirects mixed with ad or click-fraud and clickjacking? Who doesn't love the smell of that in the morning?

You would not have guessed, but a lot of email addresses seem randomly generated, as well as their personas. Another example includes:

Figure 7 - ohchivsevmeste5[.]com WhoIs info

Everything in the WhoIs info is fake. Not to say an Allan Yates doesn't exist, but he has nothing to do with any of this - rather he was just unlucky. This may have been the result of a 'fake name generator'.

We now have several IP's hosting a bunch of semi-random domains, set up for redirects, ads and likely clickjacking. The initial research started with 192.129.215[.]157, and expanded to/had links to 192.129.215[.]155.

Of course, I decided to take a look at 192.129.215[.]156. Surprise! It turns out it's just as bad. Maybe we should just block the whole 192.129.215.0/24 subnet?

Some more takeaways from the infrastructure - most of the domains are or have:

  • WhoIs Guard Privacy Protection/Privacy Protect:DomainsByProxy;
  • Behind CloudFlare;
  • A valid SSL cert, issued by Comodo.



What else is there?

Earlier, Mohammed boasted in his forum post about adzbazar.com, one of his new websites, and absolutely 'no ponzi scheme strategy'.

Some of the related websites provided by Mohammed are:

Figure 8 - adzbazar[.]com

Figure 9 - clikerz[.]net

I think you can start seeing a pattern here.

Circling back, with our email address abdelrahman.a.y.127@gmail[.]com, I noticed another registered domain, adz2you[.]com. You could zay zomeone likez the letter Z. Either way, using PassiveTotal's host pair functionality, we can find a hostpair with gptplanet. Gptplanet claims to:

Earn money by completing simple tasks online. Everyone can join, it’s absolutely FREE!
As far as I could see, this claim is indeed legit. As far as Mohammed and all his domains go: it didn't take me too long to dig up a forum post with an on-the-point title:
SCAM LEXIADZ ADZBAZAR

Link to topic can be found here:
http://www.gptplanet.com/forum.php?topic=18119

I've also set up a mirror here:
https://web.archive.org/web/20170920001823/http://www.gptplanet.com/forum.php?topic=18119

The topic on gptplanet also references to eMoneySpace, a forum mentioned earlier, and specifically, several topics are set up about 'referral' websites our dear friend Mohammed has set up.

One user made an excellent remark:

It comes to my realize for a whole year now, is that some people are implementing some malicious scripts onto their advertised ad for a user to click on it.

Nail, head, hitting it. It seems that Mohammed isn't done yet however with both scamming people, and infecting users:

Figure 10 - Offers4all invitation

There is also mention of another person, 'Agony'. This nickname may refer to Abdelrahman.



Prevention

Prevention in this case is rather short, so here goes:


  • Install an antivirus;
  • Keep your browser up-to-date;
  • Install NoScript if you have Firefox;
  • Install a 'well-rounded' ad-blocker, for example uBlock Origin (works with most browsers).

And, where possible, browse the internet with caution.

Note that the campaign on 192.129.215[.]157 remains highly active, and as such, it is recommended to block or blacklist it, as well as the other domains and IPs, provided at the end of this blog post.



Disinfection

When you get a prompt for download or running a 'Firefox patch' similar to above, or any other pop-ups for that matter - where you not instantiated a download yourself - cancel the download or, if not possible, kill your browser's process. This can be done via Task Manager for example.

While I haven't seen any evidence of other malicious behaviour besides ad, click-fraud and clickjacking, it is recommended to:


  • Uninstall and reinstall your current browser, along with its extensions;
  • Perform a full scan with your installed antivirus product;
  • Perform a full scan with another, online, antivirus product, or with Malwarebytes;
  • Change your passwords.


Additionally, you may check in your firewall or proxy logs, if there was any connection at some point with any of the domains or IPs provided in the Indicators OCompromise section below.



Conclusion

Ad fraud, clickjacking, ad networks, .... There are tons of similar networks out there. While ad networks are usually not malicious, other possibilities exist , such as:


  • An ad network is compromised;
  • An ad is compromised;
  • The ad network is malicious in itself.
Probably, at some point, there should be better security controls for ad networks, in order to prevent an attack or campaign such as the one described in this blog post. Proper security hygiene is necessary for the ad networks, but just as well for any website that serves up ads.

Clickjacking is a common and a very real threat. Are you watching your logs and acting on them?


IOCs

Thursday, August 24, 2017

Crystal Finance Millennium used to spread malware


Earlier today, Costin from Kaspersky tweeded the following intriguing tweet:



After some hunting, it was revealed the Crystal Finance Millennium website was indeed hacked, and serving three different flavors of malware. In this short blog post, we'll take a look at the malware variants that were distributed, and provide minimal background.


Introduction

Crystal Finance Millennium' website is currently taken offline by the hosting provider, but archives of the website exist online.

Figure 1 - "At this moment the site is blocked by the hosting administrator"

From the archived webpage, it becomes apparent they provide accounting software, peronalisation of medical records, blood service and "full automation of the doctor's office" - contrary to what their company name suggests, it appears they are (mostly) focused on medical software.


Figure 2 - archived webpage of CFM's services


Moving on to the malware present on their website:


Smoke Loader

Smoke Loader, also known as Dofoil, Sharik or just 'Smoke', is a botnet with the main purpose of downloading other malware - a downloader. 

Smoke Loader was originally downloaded from:
hXXp://cfm.com[.]ua/awstats/load.exe         

Additionally, it was also mirrored at:
hXXp://nolovenolivethiiswarinworld[.]com/ico/load.exe

Smoke Loader drops itself in a random directory inside the user's %appdata% folder, for example:
\AppData\Roaming\Microsoft\sfujsddu\

Additionally, it performs an HTTP POST request to the following domains:
contsernmayakinternacional[.]ru
soyuzinformaciiimexanikiops[.]com
kantslerinborisinafrolova[.]ru

SmokeLoader has a debug path which is likely fake, or automatically generated:
c:\backward\inch\enumeration\Atmel\neces.pdb

We won't go any further into Smoke Loader here, but there's an excellent blog post by @hasherazade over at Malwarebytes here:
Smoke Loader – downloader with a smokescreen still alive



Chthonic

Chthonic is a banking trojan and derivative of Zeus, well-known banking malware. Zeus, also known as Zbot, was leaked several years ago and has since then spawned multiple new, and often improved, banking trojans.

Chthonic uses a custom encryptor and, as a result, its payload hash will differ every time.

It was observed as a dropper from the following websites:
hXXp://nolovenolivethiiswarinworld[.]com/ico/load.exe

hXXp://crystalmind[.]ru/versionmaster/nova/load.exe         

Additionally, it drops its payload into the user's %appdata% folder; for example:
\AppData\Roaming\Microsoft\MicrosoftStart.exe

While Smoke Loader employs totally random filenames, Chthonic tries to hide by looking like a legitimate program.

It performs an HTTP POST request to the following domain:
nolovenolivethiiswarinworld[.]com

Interestingly enough, Chthonic was spotted in June targeting a government institution in Ukraine:
Chthonic Trojan is back in nation-state cyberattack against Ukraine

Whoever's behind this Chthonic campaign however, has a sense of humour by sporting the following debug path: C:\postmaster\merge\Peasants\Billy.pdb

Chthonicwill also create a simple batch file which goes through a loop and will delete the dropper and the batch file once it has installed the payload.


PSCrypt

PSCrypt, which is based on GlobeImposter, another ransomware variant, has been hitting Ukraine in the past:
https://www.bleepingcomputer.com/news/security/before-notpetya-there-was-another-ransomware-that-targeted-ukraine-last-week/

Interestingly enough, the same PSCrypt campaign was spotted earlier this month by @malwarehunterteam:



This tweet suggests the attacks started as early as the 14th of August.

PSCrypt was originally downloaded from:
hXXp://cfm.com[.]ua/awstats/wload.exe         

PSCrypt will encrypt files and append an extension of .pscrypt - in order to restore your files, which asks for 3500 Hryvnia (~ EUR 115):

Figure 3 - PSCrypt ransom message
PSCrypt provides a fully detailed ransom message on how to send bitcoins to the cybercriminal, as well as a personal ID ("Ваш личный идентификатор").

Additionally, PSCrypt will remove RDP related files and registry keys, likely to prevent an administrator to clean an infected machine remotely. It will also clear all event logs using wevtutil:

Figure 4 - Batch file which goes through commands in sequential order


Whoever's behind this PSCrypt campaign also shows sign of humour, indicating an address in the US, pointing to a company called "Unlock files LLC". Such company does not exist:

Figure 5 - Unlock files LLC address


Figure 6 - Companies at the same address

Unfortunately, the Bitcoin address shows a history of already paid ransoms, dating back to the 15th of August: 1Gb4Pk85VKYngfDPy3X2tjYfzvU62oL

At time of writing, a total of 0.0924071 has been received, which is around EUR 328.

Since the first payment was on the 15th of August, this supports the theory of CFM's website being compromised at least before or on the 15th, quite possibly the 14th.

The general recommendation is to NOT pay, but rather restore files from a backup.



Conclusion

While Crystal Finance Millenium's website was hacked, it's possible its software was not affected. In the mean time, I'd advise to not upgrade or update any software belonging to the company, but rather wait for an official statement from their side.

The hacking of a company or personal website can always happen, and as such, it is important to act fast once it's happened - the (hosting) company did the right thing to take the website offline while things are being fixed in the background.

The bigger question here is if it may be a targeted attack - recently, Ukraine has been targeted heavily by not only EternalPetya (also known as NotPetya), but also by Xdata and PSCrypt. Additionally, seemingly targeted attacks had Chthonic as payload, and, as reported in this blog post, another software company in Ukraine has been compromised.

As usual, best is to wait until further data is available before making any judgments.

Prevention advise for ransomware can be found on my dedicated page about ranomware prevention:
https://bartblaze.blogspot.co.uk/p/ransomware-prevention.html

And, as always, indicators of compromise (IOCs) can be found below, as well as additional resources.



IOCs



Resources

New Cyberattack wave is launched using officialweb site of the accounting software developer«Crystal Finance Millennium» (PDF)
“Crystal Attack” analysis – behavior analysis of the “load.exe” sample (PDF)



Wednesday, July 19, 2017

The purpose of ransomware


Ransomware, a phenomenon now very well known, serves one ultimate and obvious purpose:

  • Monetary gain for the cybercriminal(s).

However, multiple scenario's are, in fact, possible. Consider any and all of the following:

  • Deployed as ransomware, extortion;
  • Deployed as smokescreen;
  • Deployed to cause frustration;
  • Deployed out of frustration;
  • Deployed as a cover-up;
  • Deployed as a penetration test or user awareness training;
  • Deployed as a means of disruption and/or destruction.


Let's go over all of these briefly:


Deployed as ransomware, extortion

This has been the traditional approach - ransomware is installed on the victim's machine, and its only purpose is to create income for the cybercriminal(s).

In fact, ransomware is simple extortion, but via digital means.

I could give 100s, if not 1000s of links as example, but this search query should suffice and show the current boom or trend in the cybercriminal landscape:
https://www.bleepingcomputer.com/search/?q=ransomware



Deployed as smokescreen

A very interesting occurrence indeed: ransomware is installed to hide the real purpose of whatever the cybercriminal or attacker is doing. This may be data exfiltration, lateral movement, or anything else, in theory, everything is a possible scenario... except for the ransomware itself.

This may happen more than you think and begs the question - what is the real purpose here?

Ransomware is obvious: files are encrypted, warning or extortion messages are scattered, and users as well as companies are unable to proceed working for days, depending on backup and recovery strategy.

Once you're hit by ransomware, more than 1 alarm bell should start ringing - you are royally compromised and, as such, should take appropriate measures immediately. There may be more than meets the eye.

There's an article on Carnal0wnage, describing one of these events:
http://carnal0wnage.attackresearch.com/2016/03/apt-ransomware.html



Deployed to cause frustration

Another possible angle that goes hand in hand with the classic extortion scheme - deploying ransomware with intent of frustrating the victim. Basically, cyber bullying. While there may be a request for a monetary amount, it is not the purpose.

A notorious example of this is the Jigsaw ransomware:
https://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/

Another example may be to send ransomware 'as a joke' to your friends, and giving them a bad time. Don't.

In a related example; a victim of a tech support scam tricked the scammer into installing ransomware:
https://nakedsecurity.sophos.com/2016/08/15/tech-support-scammer-tricked-into-installing-ransomware/


Deployed out of frustration

Sometimes, an attacker may gain initial access to a server or other machine, but consequent attempts to, for example, exfiltrate data or attack other machine, is unsuccessful. This may be due to a number of things, but often due to the access being discovered, and quickly patched. On the other hand, it may have not been discovered yet, but the attacker is sitting with the same problem: the purpose is not fulfilled.

Then, out of frustration, or to gain at least something out of the victim, the machine gets trashed with ransomware.

Another possibility is a disgruntled employee, leaving ransomware as a 'present' before leaving the company.

Darryl from Kahu Security has written an excellent article on the former occurrence:



Deployed as a cover-up

This may sound ambiguous at first, but imagine a scenario where a company may face sanctions, is already compromised, or has a running investigation.

The company or organisation deploying ransomware itself, is a viable way of destroying data forever, and any evidence may be lost. 

Another possibility is, in order to cover up a much larger compromise, ransomware is installed, and everything is formatted to hide what actually happened.

Again, there is also the possibility of a disgruntled employee, or even an intruder: which brings us back to 'deployed as a smokescreen'.

There are some statistics referring to this as well, in a report by SentinelOne:



Deployed as a penetration test or user awareness training

Ransomware is very effective in the sense that most people know what its purpose is, and the dangers it may cause. As such, it is an excellent tool that can be used for demonstration purposes, such as a user awareness training. Another possibility is an external pentest, with same purpose.

An example is given by Malwarehunterteam, where KBC Group employed a phishing test, and consequently 'ransomware', meant as user awareness training:

This is a very good idea for any organisation or business in general. Are your users aware of the dangers that lie in, and beyond ransomware?



Deployed as a means of disruption and/or destruction

Last but not least -  while ransomware can have several purposes, it can also serve a particularly nasty goal: destroy a company or organisation, or at least take them offline for several days, or even weeks.

Again, there are some possibilities, but this may be a rivalry company in a similar business, again a disgruntled employee, or to disrupt large organisations on a worldwide scale.

A recent and notorious example of such an attack is the latest Petya variant, also referred to as EternalPetya, or NotPetya. A blog post from Kaspersky suggests the main purpose is a wiper:

In a way, this also falls back to the frustration, and cover-up scenario's.



Closing thoughts

As we've seen, ransomware can serve a plethora of purposes; whether it is deployed by a nation-state actor, the more common cybercriminal, or your neighbor disgruntled at your tree hanging over their wall, one thing is for sure: you are, and have been compromised!

In more recent years, targeted ransomware has become a common phenomenon, this means ransomware either tailored to your environment, or manually installed - the latter often via hacked RDP or VNC services.

The most famous example is no doubt Samas, also known as SamSam:

Other examples include: CrySiS and derivatives, RSAutil and PetrWrap. 

While targeted ransomware attacks are occurring as early as 2013, in most recent years, they have become more fearful, due to the ransomware also encrypting files.

Conclusion: ransomware is and will always be ransomware - but it may have a twist and an additional purpose.

For further reading, I gladly introduce a shameless plug by referring you to 2 of my blog posts:

If you can think of any other targeted ransomware, or purposes for ransomware, do not hesitate to leave some feedback in the comment section, or contact me on Twitter.

Wednesday, June 21, 2017

Display Color Calibration tool DCCW and UAC bypasses



In today's post we'll look at yet another way to bypass UAC using the Display Color Calibration tool, hereafter referred to as "DCCW".

DCCW has already been exploited in the past to bypass UAC, more specifically, by leveraging DLL sideloading:
DccwBypassUAC

This research started by helping out a friend with display issues some months ago, and stumbling upon the DCCW tool, or more specifically, the following blog post:
Using the Display Color Calibration Tool (DCCW.exe) in Windows 7 to Get the Most From your Display

Being inspired by Matt Nelson, I decided to have a closer look as to how and why this may be a UAC bypass.

What follows below is purely a Proof of Concept, as you would already need to have compromised the machine (or bypassed UAC, or let the user allow) in order to execute this.

Regardless, it can be used for persistence, and I'd still like for you to following along on my journey inside the wondrous world of UAC bypasses  :-)

This has been tested on: Windows 10 and Windows 8.1 x64 and x86.

Prerequisites:

  • User has to be member of the local administrator group.
  • UAC is ... already disabled, or at a low setting, or the user confirmed the UAC prompt.

DCCW is a Microsoft signed binary and will auto-elevate itself due to its manifest.

Figure 1 - verified, signed Microsoft binary (using Sigcheck)

Figure 2 - autoElevate is set to 'true'

Running through the DCCW wizard, we can happily click next, until the end of the wizard the following is displayed:

Figure 3 - end of DCCW wizard

Note the automatically enabled or ticked checkbox:
"Start ClearType Tuner when I click Finish to ensure that text appears correctly (Recommended)"

Launching procmon and executing DCCW; the following can be observed:

Figure 4 - DCCW loading CTTune

As you notice, DCCW attempts to open, and read, the subkey in:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Image File Execution Options (IFEO) has several uses, and can for example be used to prevent a program from starting, For example, in the past, malware has abused IFEO to hijack processes of antivirus programs, so they would not be able to start.

Back on topic, creating an IFEO using CTTune, we can start anything at the highest integrity (and circumvent the UAC prompt) ... Including PowerShell :-)


Figure 5 - Launch of DCCW, note the High integrity

and...

Figure 6 - PowerShell started with High integrity (normal level of integrity is Medium)

To try this yourself, create a new key in:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options named CTTune.exe, consequently create a new value named 'Debugger' and in the Data section, place whatever you want. Example:

Figure 7 - CTTune IFEO

End-result:

Figure 8 - PowerShell running as administrator, with highest integrity


This attack is more theoretical, rather than practical, due to the need for initial admin permissions, the DCCW wizard appearing, and the user having the need to click through. The main point here is that no UAC windows will appear asking the user for permission, once the IFEO is set, and DCCW is started. Some other points to consider:

  • Users love to click on things, especially 'Next' in wizards :-)
  • You can try social engineering to entice the user in allowing UAC, & clicking through
  • You can try extending the PowerShell script below, by simulating mouse clicks or button presses in PowerShell - effectively impersonating the user.

You may find the PowerShell script here on Github:
https://github.com/bartblaze/dccwUACBypass

If I made any mistake(s) in the script, please do let me know!


Finding UAC bypasses


If you like to try new things, then trying to find a UAC bypass can definitely prove to be a challenge and fun! While my story here was both successful and not - I found a UAC bypass, but with limitations, it's still good to go out of your way and do something you're less familiar with.

For finding UAC bypasses, or other strange, weird or old Windows artifacts and binaries, I can definitely recommend the following tools:


Process Explorer
https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx

Process Monitor
https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx

Sigcheck
https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx

PEViewer/RogueKillerPE
http://www.adlice.com/download/roguekillerpe/

IDA Pro Free:
https://www.hex-rays.com/products/ida/support/download_freeware.shtml

A Windows system, and a C:\Windows\System32 and/or C:\Windows\SysWOW64 folder.


Additionally, have a look at the Resources section at the end of this post.


Prevention

Obviously, you would like to prevent these specific bypasses from ever occurring. Please find below some recommendations I've compiled:




Additionally, have a look at the Resources section at the end of this post.



Conclusions

UAC bypasses are an interesting domain: while Microsoft seems to take a 'lighter' approach in regards to these specific bypasses, it doesn't mean they aren't being looked at. For example, latest releases of Windows 10 fix several UAC bypasses.

My hope is that, by accumulating the info in this blog post and following along my journey, you may find other UAC bypasses, or other cool stuff lying around :-)

Keep in mind that UAC bypasses are definitely out there in the wild - not only by pentesters, but also by attackers, whether cybercrime or APTs.

As always, feedback is appreciated.



Resources

Defeating Windows User Account Control (UACME)
Dridex Returns With Windows UAC Bypass Method
Enigma0x3's blog (tons of good stuff in there)
PowerShell-Suite/Bypass-UAC
User Account Control: Inside Windows 7 User Account Control
User Account Control Step-by-Step Guide




Sunday, May 21, 2017

WannaCry: frequently asked questions


Unless you haven't accessed the internet for a week, you must have heard about WannaCry or one of the aliases it uses, such as WannaCryptor, WanaCry or WanaDecrypt0r.

In this blog post, I'll try to answer, in clear & concise language, some of the most asked questions. While there have been several excellent (technical) blog posts about WannaCry, this one will be purely non-technical and focuses on practical steps.


What is WannaCry?

The most obvious question, but not necessarily an obvious answer. In essence, it is ransomware, software that holds your machine and your files ransom, until a fee is paid.

In its latest version, it also introduced a wormable component; in other words, it could spread to other machines running Windows in your network.

A worm is a type of malware that can replicate itself and thus spread to other machines in a network.

The name 'WannaCry' stems from the ransomware authors themselves, as that is how they named it.


How does WannaCry work?

An excellent infographic explaining how WannaCry works already exists - see below:

Figure 1 - How does the WannaCry ransomware work? (Source)



Which operating systems does WannaCry infect?

Windows only. More specifically: Windows XP up to Windows 10, Windows Server 2003 up to Windows server 2016. This is the ransomware in its pure form only, however. (see questions below)


Which operating systems were affected the most?

Most of the operating systems or machines were running Windows 7.

Figure 2 - affected Windows versions by % (Source)



Can I spread WannaCry unwillingly to others, or in my network?

It is definitely possible, but only if the worm component is active and you have not updated Windows in a while. More specifically, you will need to install MS17-010 to 'close the hole' or patch the vulnerability.


When did the outbreak of WannaCry start? 

The outbreak reportedly started last week Friday, 12/05/2017, in the morning hours (UTC). However; it is possible the outbreak started the evening before that. A sudden spike in internet traffic seems to suggest the worm started spreading that night:

Figure 3 - possible related spike in traffic (Source)

Can something like this happen again?

Defnitely. In fact, some malware families also exploit(ed) the same vulnerability in Windows as mentioned above.


What is or was the WannaCry 'kill switch'?:

The Wikipedia definition of a kill switch is as follows:

A kill switch is a security measure used to shut off a device in an emergency. (Source) 
This is no different in WannaCry: a specific domain was embedded in the ransomware to act as a kill switch: if said domain exists & communicates this to the ransomware; exit immediately.

Thanks to MalwareTech, who registered the domain, a lot of the WannaCry infections were unable to spread further, since the domain now existed.

Note that some variants appeared later with other 'kill switch domains', which were also rather quickly registered by other security researchers.


Can I decrypt or recover files encrypted by WannaCry?

It is possible. A tool, WannaKiwi, has been developed by several security researchers which may be able to restore your files.

Please find below:



The tool will work granted you have not killed the ransomware process (or your antivirus didn't), and/or you didn't reboot your machine.


What if the tool doesn't work? Can I restore my files in any other way?

If the tool doesn't work, you may have rebooted your machine, the ransomware may have been removed or its process killed.

If you are still desperate to get your files back, there's always a possibility using...:
  • ... Backups! If you have backups, please do try restoring from a backup first.
  • ... Shadow Copies (Restore Previous Versions). If this doesn't work, you can use ShadowExplorer for example.
  • ... Using data recovery software like Recuva, or for a bigger chance in restoring your files, PhotoRec.


Will I get my files back if I pay the ransomware?

There is no sure way of telling. The general advise is, as always, to NOT pay. A few reasons why not:

  • The decrypter they send may not work at all, or does nothing.
  • They don't send any decrypter at all.
  • They cannot contact you or you cannot contact them for whichever reason.
  • You are contributing to the 'ransomware eco-system', thus ensuring and increasing the amount of (new) ransomware that will emerge.
And:
  • You are dealing with criminals in the end. Cybercriminals, but criminals. This means there is no way of telling if they will hold up their end of the bargain.

If you can avoid it, DO NOT PAY!


How do I remove the ransomware itself?

Any antivirus and/or antimalware by now detects all versions of WannaCry.


How can I defend myself or the other machines in my network against this attack?

Specifically against the worm component, you will need to install patch MS17-010 as mentioned above. If you are using an older version of Windows, for example Windows XP, please see below:
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

The link here above is worth a read regardless if you have Windows XP, or a newer operating system version of Windows. If you are still using Windows XP, please do consider to upgrade to a newer version of Windows. Some computer stores may be able to offer you a discount.

Note that by default, Windows updates will be performed automatically.

You may want to check if automatic updates are enabled, by reading the following article:
How to configure and use Automatic Updates in Windows

Additionally, you will need an antivirus and a firewall. If you use Windows 7 or above, the Windows firewall is fairly decent. A free antivirus will, in most cases, suffice as well.

However, it may be worthwhile considering a full antivirus package, which usually includes better antivirus protection and a better firewall. (and additional features, such as anti-spam for example)


How can I protect my files from being encrypted or targeted by ransomware such as WannaCry?

The best recommendation of all times, is to create backups.

Many free backup solutions exist to create copies of your files (pictures, documents, ...). An overview of no less 34 backup solutions can be found here:
34 Free Backup Software Tools

You may also want to give the following article a read:
7 Backup Strategies for Your Data, Multimedia, and System Files

It may seem a lot of work initially, but it is definitely worth it.

A few points to consider when making backups:
  • Don't leave your external drive plugged in after the backup. This to prevent your backup files will be encrypted as well. So, take your backup and disconnect your external hard drive afterwards.
  • Be careful with backups in the cloud as well. If you use Dropbox for example, and it syncs to your Dropbox folder after your data has been encrypted... You will have another copy of your encrypted data.
  • Test your backup, if possible. You wouldn't want to encounter an infection then to only find out your backups are corrupted somehow.
  • You can also write your backups to write-once media, like for example DVDs or Blue-Ray. Easier is of course using an external hard drive, but don't forget to disconnect it after you have made the backup.

Can I report someone, somewhere, somehow about this ransomware if it affected me?

Surely. You can fill out an online form via the following portals:
Alternatively, you may want to use my online form to fill in, (print out,) and hand over a copy to your local police department, or Computer Emergency Response Team.

Find the form here; Cybercrime Report Template


It is very important you report the incident. The more information that is available to law enforcement, the bigger the chance they can catch and arrest the people behind WannaCry, or others.

Unfortunately, should you have paid, but your files are still encrypted, there is no sure way of telling if you'll be able to recover any monetary losses. Therefore, the advise is to NOT pay the ransom.



That's it, I hope you have been better informed! Unless of course...

I would like to read more. Where can I find more information?

I have setup a whole page on ransomware prevention, which you can flick through.


Any other questions, please do not hesitate to post in the comments, or send me a message on Twitter.

Sunday, April 23, 2017

Ransomware, fala sério!


Recently, a user contacted me in regards to what looks like a new, Brazilian ransomware. In this blog post, we're taking a quick look at the ransom and how to unlock or decrypt your files.

TL;DR: to unlock your files, you can use the key or password: 123
Para desbloquear seus arquivos, você pode usar a chave ou a senha: 123

The title of this blog loosely translates to: ransomware, no way! (excuse my Portuguese)

The ransomware appears to call itself 'Sem Solução'; which translates to 'Hopeless' or 'No Solution'. I propose we call it 'Hopeless ransomware':


Figure 1 - 'Seus arquivos foram criptografados'

Sua IDNão a formas de recuperar sem comprar a senha, ser tenta eu apago tudo!O método de pagamento é via Bitcoins.  O preço é: 600,00 REAIS =  Bitcoins
Não tem Bitcoins?, pesquise no google e aprenda comprar ou clique em Compra Bitcoinsenvie os bitcoins para: 1LULpQbdvoAWqKzhe8fuMiPQ8iGdW36pk1Para receber a senha, voce precisa criar uma e-mail em https://mail.protonmail.comE enviar SUA ID para 785910@protonmail.com em 24h ou mais voce receberá a sua senha!, Obrigado..

Translated:

Your IDNot the ways to recover without buying the password, be try I delete everything!The method of payment is via Bitcoins. The price is: 600,00 REAIS = Bitcoins
Do not have Bitcoins ?, search google and learn how to buy or click Buy BitcoinsSend the bitcoins to: 1LULpQbdvoAWqKzhe8fuMiPQ8iGdW36pk1To receive the password, you need to create an email at https://mail.protonmail.comAnd send YOUR ID to 785910@protonmail.com in 24h or more you will receive your password !, Thank you ..

The price is 600 REAIS (Brazilian Real), which currently amounts to 0.15 BTC.
(176 EUR | 155 GBP | 199 USD)

Interestingly enough, the ransomware has a built-in function to detect whether or not your machine belongs to a domain, and if so, will increase the amount of ransom to be paid to a whopping 1000 REAIS, or 0.25 BTC. (293 EUR | 259 GBP | 333 USD)


Figure 2 - Func _get_bitcoin_value()


The ransomware author or authors is/are definitely not kidding: if you enter a wrong password, the ransom will start deleting files.

Figure 3 - 'Error!", "Senha de descriptografia errada, NA PROXIMA 500 ARQUIVOS SERÃO EXCLUIDOS!'


Files to encrypt, including those used in virtualization software such as VMware for example:

zip, 7z, rar, pdf, doc, docx, xls, xlsx, pptx, pub, one, vsdx, accdb, asd, xlsb, mdb, snp, wbk, ppt, psd, ai, odt, ods, odp, odm, , , odc, odb, docm, wps, xlsm, xlk, pptm, pst, dwg, dxf, dxg, wpd, rtf, wb2, mdf, dbf, pdd, eps, indd, cdr, dng, 3fr, arw, srf, sr2, bay, crw, cr2, dcr, kdc, erf, mef, mrw, nef, nrw, orf, raf, raw, rwl, rw2, r3d, ptx, pef, srw, x3f, der, cer, crt, pem, pfx, p12, p7b, p7c, abw, til, aif, arc, as, asc, asf, ashdisc, asm, asp, aspx, asx, aup, avi, bbb, bdb, bibtex, bkf, bmp, bpn, btd, bz2, c, cdi, himmel, cert, cfm, cgi, cpio, cpp, csr, cue, dds, dem, dmg, dsb, eddx, edoc, eml, emlx, EPS, epub, fdf, ffu, flv, gam, gcode, gho, gpx, gz, h, hbk, hdd, hds, hpp, ics, idml, iff, img, ipd, iso, isz, iwa, j2k, jp2, jpf, jpm, jpx, jsp, jspa, jspx, jst, key, keynote, kml, kmz, lic, lwp, lzma, M3U, M4A, m4v, max, mbox, md2, mdbackup, mddata, mdinfo, mds, mid, mov, mp3, mp4, mpa, mpb, mpeg, mpg, mpj, mpp, msg, mso, nba, nbf, nbi, nbu, nbz, nco, nes, note, nrg, nri, afsnit, ogg, ova, ovf, oxps, p2i, p65, p7, pages, pct, PEM, phtm, phtml, php, php3, php4, php5, phps, phpx, phpxx, pl, plist, pmd, pmx, ppdf, pps, ppsm, ppsx, ps, PSD, pspimage, pvm, qcn, qcow, qcow2, qt, ra, rm, rtf, s, sbf, set, skb, slf, sme, smm, spb, sql, srt, ssc, ssi, stg, stl, svg, swf, sxw, syncdb, tager, tc, tex, tga, thm, tif, tiff, toast, torrent, txt, vbk, vcard, vcd, vcf, vdi, vfs4, vhd, vhdx, vmdk, vob, wbverify, wav, webm, wmb, wpb, WPS, xdw, xlr, XLSX, xz, yuv, zipx, jpg, jpeg, png, bmp

Additionally, Steam users aren't spared of getting their files encrypted either:

Figure 4 - Executable files in Steam's games directory will be encrypted

In reality, it appears all files are encrypted, regardless of extension.

The ransomware ultimately calls home and leverages Pastebin to do so. However, when analysing the ransomware, none of the Pastebin links were online as they had been removed.

$data = "pcname=" & @ComputerName & "&hwid=" & $key & "&version=Locker"

At time of writing, no payments have been made as of yet to the Bitcoin address:
1LULpQbdvoAWqKzhe8fuMiPQ8iGdW36pk1

The ransomware encrypts files prepending the original extension with '.encrypted.'. For example;
image.png would become: image.encrypted.png

The ransomware is based on CryptoWire, an open-sourced ransomware written in AutoIT.


Decryption

To unlock your files, you can use the key or password: 123
Para desbloquear seus arquivos, você pode usar a chave ou a senha: 123

Note: as always, prevention is more important than decryption or disinfection! Have a look at the dedicated page I've set up here.


Conclusion

While ransomware is anything but uncommon, ransomware very likely stemming from Brazil and specifically targeting Brazilian users and businesses, is a less frequent occurence. In fact, the only notable example, as far as I know, is TeamXRat also known as Xpan ransomware.

Below you may find IOCs.

IOCs