Friday, 12 January 2018


DDE Attack


In recent weeks we have been reading more and more news about attacks that exploit DDE technology: botnets that spread through the DDE attack, ransomware distributed via the DDE attack, and so on.
This is the right time to clarify what this technology is and how this new attack method works.

Let's start from the basics: what is DDE?
DDE, which stands for Dynamic Data Exchange, is an interprocess communication (IPC) system introduced in 1987 with Windows 2.0.
This technology and its functionality have largely been supplanted by OLE (Object Linking and Embedding). However, DDE is still used because of its simplicity.

Like macros, DDE is a legitimate feature of Microsoft Office that allows a set of data to be shared between applications. For example, you could create a Word document linked to an Excel document so that the data in the first one is updated automatically whenever you change the Excel spreadsheet data.

How is this attack carried out?
Performing a DDE attack is very simple. It is enough to add the field string {DDEAUTO}, which calls the DDE feature, to the text of a Microsoft Word document, followed by the command to run, all within the braces.

Can it be used only in Office documents?
No, not only in Microsoft Office documents.
This attack can also be carried out via Outlook, by sending an email that contains another email or an appointment, known as a "calendar" in company jargon.


Now we are going to create formatted content using Microsoft Outlook's "Rich Text Format" (RTF), insert the malicious code inside it and save it as an email. The next step is to attach this one to the email we'd like to send, and write a title and a text that attract the victim's attention and push them to open it.


What can you do with this attack?

A DDE attack could be used:

  • to send a computer into Denial of Service (DoS) by running countless instances of a specific program until the available resources are saturated;
  • to run software or scripts that could give the attacker full control of the computer;
  • to download malware used to exfiltrate data.


How to recognize fraudulent content?
When you open the file, a warning message is shown. It warns you that the file has external content and asks for confirmation to continue.


If your choice was "YES", a new message is displayed asking whether you want to run a specified application. In the example below the command/application quoted is "cmd.exe".


However, it should be noted that the information about the command to be executed can be hidden or omitted by editing the syntax of the malicious code.

How to defend yourself?
When the warning message about external content pops up, clicking "No" blocks the attempted attack.


You can also defend yourself better by changing the setting to display all messages in text format.
However, this workaround disables all formatting, colors and images in all incoming emails, and consequently some content may not be rendered.

Why this new attack?
Cyber criminals are starting to use DDE technology because it is different from macros and because they are always looking for new ways to mislead the victim.
For years we have been witnessing attacks based on macros, but fortunately you can disable that technology and therefore prevent malicious content from being executed automatically when the file is opened.
This new method, though it has some limits dictated by the interaction required from the user, could lead an untrained or careless person to think that the prompts are errors caused by a damaged file.
In the last weeks this new attack method has grown exponentially thanks to the fact that you do not have to attach Microsoft Office or PDF documents to the email, but just another email or a "calendar".


Please note: this article was written at the end of October 2017, but I have only now been able to publish it.

Thursday, 22 June 2017


Coin Miner Attacks using Image File


I am here to tell you the "story of an image"...

Well, let's gooooooooo!!

Looking at the picture below, what can you tell about it? Is it a simple image?


...and in the following picture?

YES!! They are the same picture: the first one is what you see when you open it, the second one is what you see if you open it with, for example, a simple text editor.

Today I want to tell you about a malware sample that I discovered during my activity as a researcher, malware hunter and malware analyst.
It uses an image (a JPG file) with a shellcode embedded in it in order to infect Linux systems.



Shellcode Analysis:

The image reported above shows part of the encoded image file and the embedded shellcode in clear text.

The second line, the "crontab" command, is a time-based job scheduler in Unix-like operating systems.

The "crontab" option "-r" is present only in some Linux distros like Debian, CentOS and Red Hat. I can imagine that this malware targets the Linux distros quoted above.


The third line of the shellcode gets the current time in seconds, converts it into days since 1970 and stores the result in a variable named "days".
It adds 983 to the "days" variable and assigns the result to a variable named "days2".
Then "days" is set to the first 10 characters of the MD5 digest of "days2".

In the shellcode snippet reported below, it lists processes and pipes the output into other commands like xargs and awk.
The latter searches for lines that match a pattern; when a line matches, awk performs a specific action on it. In this case, with "print $2", it returns the second field (the process ID), which is then killed.

Using the command "pkill -f", the shellcode kills the processes whose full command line matches the pattern.

This shellcode snippet is used to kill any other miner that has infected the machine, so that this one is the only one using it.

The "DoMiner" function uses the curl command to download into the "tmp" folder a JPG image named "car-498167.jpg" from the website "imagehousing[dot]com" and renames the image with the value of the "days" variable.

Then it skips the first 2931 bytes and saves the file again.
After this task the file's permissions are changed to add execute privileges, and in the end it uses "nohup", a command-line utility that allows a command, process or shell script to keep running in the background after you log out from the shell.
It sleeps and then removes every file named "days" and "daybefore".


NOTE: no part of the source code creates a file named "daybefore.jpg". Only a variable was created with this name.
Why put this shellcode line? Is it a typographical error?
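An added example (my own code, not the malware's shellcode or the author's bash script) that reproduces two pieces of the analysis above: the temp-file name the dropper derives from the date, and carving the ELF that follows the image bytes. It assumes the number is hashed without a trailing newline (the exact command is not shown on the page) and uses a constructed JPEG-plus-ELF blob, not the real car-498167.jpg:

```python
import hashlib

# Markers used to recognise the pieces of the dropper's image file.
JPEG_SOI = b"\xff\xd8\xff"      # start of a JPEG stream
ELF_MAGIC = b"\x7fELF"          # start of an ELF executable
UPX_MARK = b"UPX!"              # signature left in UPX-packed files
SKIP_BYTES = 2931               # offset hard-coded in the dropper's shellcode


def expected_dropper_name(epoch_seconds: int) -> str:
    """Reproduce the temp-file name the shellcode derives from the clock:
    days since 1970, plus 983, MD5 of that number, first 10 hex characters.
    Assumption (the hashing command is not visible on the page): the decimal
    number is hashed without a trailing newline."""
    days = epoch_seconds // 86400
    days2 = days + 983
    return hashlib.md5(str(days2).encode()).hexdigest()[:10]


def hunting_names(start_epoch: int, n_days: int) -> list:
    """File names a defender should look for in /tmp over a window of
    n_days starting at start_epoch (one name per day, in order)."""
    return [expected_dropper_name(start_epoch + d * 86400) for d in range(n_days)]


def carve_elf(blob: bytes):
    """Find the ELF executable hidden behind the image bytes.

    Returns a dict with the offset where the ELF starts, whether that offset
    matches the 2931-byte skip used by the dropper, the ELF class and whether
    the UPX signature is present; returns None when no ELF header is found.
    Scanning for the magic instead of trusting the fixed offset also catches
    variants that change the size of the image stub."""
    off = blob.find(ELF_MAGIC)
    if off < 0:
        return None
    payload = blob[off:]
    ei_class = payload[4] if len(payload) > 4 else 0
    return {
        "looks_like_jpeg": blob.startswith(JPEG_SOI),
        "offset": off,
        "matches_dropper_skip": off == SKIP_BYTES,
        "elf_class": {1: "ELF32", 2: "ELF64"}.get(ei_class, "unknown"),
        "upx_packed": UPX_MARK in payload,
        "payload": payload,
    }


def build_sample_image() -> bytes:
    """Constructed test input (not the real car-498167.jpg): a JPEG header,
    padding up to the dropper's offset, then a minimal 64-bit ELF header
    carrying the UPX signature."""
    stub = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    stub += b"\x00" * (SKIP_BYTES - len(stub))
    elf = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9   # e_ident: 64-bit, LE, v1
    elf += b"\x02\x00\x3e\x00"                         # ET_EXEC, EM_X86_64
    elf += b"\x00" * 48 + UPX_MARK + b"\x00" * 32      # padding plus UPX marker
    return stub + elf


if __name__ == "__main__":
    import time
    info = carve_elf(build_sample_image())
    print({k: v for k, v in info.items() if k != "payload"})
    print("names to hunt for this week:", hunting_names(int(time.time()), 7))
```

Pointing carve_elf at a suspicious image on disk gives the offset to pass to dd or tail, and the payload bytes can be written out and unpacked with upx -d as the author did.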

I carried on by downloading the image file "car-498167.jpg" with a browser. It looks like the first one.

A quick analysis shows that it doesn't contain an evil shellcode or evil artifacts, but I discovered a very interesting piece of information.


As you can read, it is packed with the UPX packer, version 3.91.

I created a bash script to execute it in debug mode, download the image and skip 2931 bytes as written in the source code.

Below you can see my bash script and its result in terms of files.

Note: "12days" and "13days" are names that I personally decided to give to these images.

Above you can see both files, the first one (the image file) and the second one (the executable file), which is the first one without the leading 2931 bytes. Below you can take a look at the file sizes.

I used the UPX packer to unpack the ELF file. Below is a screenshot with details (format, compression ratio, actual and future file size) about the ELF executable file.

Now it's time to unpack the ELF executable file.

Below are reported details about the ELF file.




Shellcode In-depth Analysis:

Working on it and downloading the "car-498167.jpg" image, I noticed that the server returns a different image based on the "User-Agent".
The attacker returns the right file only if the system is x64 and is one of the Linux distros reported above.
If it seems incredible, take a look at the screenshot reported below. The request was made with a Slackware distro.




Analyzing the shellcode, my attention was attracted by a string like the following:
"4Ab9s1RRpueZN2XxTM3vDWEHcmsMoEMW3YYsbGUwQSrNDfgMKVV8GAofToNfyiBwocDYzwY5pjpsMB7MY8v4tkDU71oWpDC".

It is not a base64-encoded string, so what is it?

I retrieved a pastebin file where part of this shellcode was present, and I found the same string.

As you can see, in this shellcode snippet, if a file named "AnXqV" doesn't exist, the "Minerd CryptoCurrency" miner is downloaded and saved into the "tmp" folder with the file name "AnXqV".
Then execute permission is assigned to this file.
At the end a command using "cryptonight" is run.

NOTE: CryptoNight is a proof-of-work algorithm. It is designed to mine bitcoin and to be suitable for ordinary PC CPUs.

According to the handbooks, every miner uses a different command format. In the case reported above the command "-a cryptonight -o stratum+tcp://URL:PORT -u WALLET_ADDRESS -p x" is used to run the miner. So the string "4Ab9s1RRpueZN2XxTM3vDWEHcmsMoEMW3YYsbGUwQSrNDfgMKVV8GAofToNfyiBwocDYzwY5pjpsMB7MY8v4tkDU71oWpDC" is a Monero wallet address.



ELF file In-depth Analysis:

Analyzing the ELF file I was able to retrieve more information about the malware's type, its author and the URLs it reaches out to.

Whoever created this software has the nickname "fireice-uk"; below there is a screenshot of his GitHub account.


It was also possible to retrieve the URLs that are contacted by this miner.


Checking the domain owner, like in a fairy tale, the website is linked to the miner's developer (fireice-uk).


The malware's developer embedded the miner developed by "fireice-uk". If the two are different people, why would the malware's developer use and include a miner developed by another person?

Below you can find evidence of the match between the information extracted from the ELF file and the source code created by "fireice-uk".

In my opinion, whoever developed the malware and the miner could be the same person.

Friday, 10 March 2017


New Way to run VBScript Payload


Some days ago I received an email in an unmarked Gmail mailbox. It was clearly a phishing email, but what caught my eye was a password reported in the email's body and the attachment. It was a Microsoft Word file with a ".docx" extension.

The first question I asked myself was: "Why wasn't this file dropped by Google's security check?".

I decided to analyze the attachment and investigate the sender.

First of all, I opened the attachment and entered the password reported in the email's body. Once opened, it contained only three icons that looked like Word icons.



My first words were "What a fuck of Word file is this?!?!".
It doesn't make sense! No text, no request to enable macros on startup.

The total word count caught my eye. As you can see in the red circle, there were 369 words, but the document had no text, only 3 image icons.

Double-clicking on the image I discovered the secret. The macro, a VBScript, is embedded within it!

"What?! A macro into an image?!...You are a fucking genius!!" I Thought.

But how is it possible to embed a VBScript into an image?!

The answer to my question was behind the right-click. Whoever created this document used a Packager Shell Object to embed the VBScript content.

Taking a close look at the Packager Shell Object properties, it was easy to understand that it was a VBScript file and where it was stored.

It is stored in the "\Local\Temp" folder every time the Word file is opened. When the file is closed, it is deleted from this folder.
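As an added example (not code from the attachment or from the author), a scanner that covers both this Packager Shell Object trick and the DDE fields discussed in the first post on this page: it unzips a .docx, joins split field codes before looking for DDE/DDEAUTO, and reports o:OLEObject entries whose ProgID is "Package", which is how Word records a Packager Shell Object. The sample documents are built inside the script with placeholder commands and a placeholder embedded blob:

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
O_NS = "urn:schemas-microsoft-com:office:office"
W, O = "{%s}" % W_NS, "{%s}" % O_NS

# A field whose code starts with DDE or DDEAUTO asks Word to talk to another
# program. Word ignores case and extra whitespace, so codes are normalised first.
DDE_RE = re.compile(r"^(?:DDEAUTO|DDE)\b", re.IGNORECASE)


def field_codes(part_xml: bytes):
    """Yield every field code in one document part as a single normalised string.

    A complex field is stored as fldChar(begin), one or more instrText runs and
    fldChar(end); a crafted document can split the code over many runs, so the
    runs between begin and end are joined before inspection. A simple field
    keeps its code in the instr attribute."""
    root = ET.fromstring(part_xml)
    for fs in root.iter(W + "fldSimple"):
        yield " ".join(fs.get(W + "instr", "").split())
    depth, buf = 0, []
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    yield " ".join("".join(buf).split())
                    buf = []
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")


def scan_docx(docx_bytes: bytes) -> dict:
    """Report DDE fields, OLE object ProgIDs and embedded files in a .docx.

    A ProgID of "Package" is the Packager Shell Object: an arbitrary file
    (such as a .vbs) wrapped behind an icon and extracted to %TEMP% on use."""
    report = {"dde_fields": [], "ole_objects": [], "embedded_files": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/embeddings/"):
                report["embedded_files"].append(name)
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            data = z.read(name)   # document, headers, footers, footnotes, ...
            report["dde_fields"] += [c for c in field_codes(data) if DDE_RE.match(c)]
            root = ET.fromstring(data)
            report["ole_objects"] += [ob.get("ProgID", "?") for ob in root.iter(O + "OLEObject")]
    return report


def is_suspicious(report: dict) -> bool:
    """True when the document carries a DDE field or a Packager Shell Object."""
    return bool(report["dde_fields"]) or "Package" in report["ole_objects"]


def build_docx(body_xml: str, embedded: dict = None) -> bytes:
    """Construct a minimal .docx around body_xml (test input built here, not a real sample)."""
    doc = ('<w:document xmlns:w="%s" xmlns:o="%s"><w:body>%s</w:body></w:document>'
           % (W_NS, O_NS, body_xml))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc)
        for path, content in (embedded or {}).items():
            z.writestr(path, content)
    return buf.getvalue()


# Constructed samples. The DDEAUTO code is split over two runs and padded with
# spaces, as a crafted document would do to hide it; the command is a placeholder.
SPLIT_DDE = ('<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
             '<w:r><w:instrText xml:space="preserve"> dDe</w:instrText></w:r>'
             '<w:r><w:instrText xml:space="preserve">AUTO   c:\\placeholder\\app.exe "placeholder"</w:instrText></w:r>'
             '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
             '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
BENIGN = ('<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d/M/yyyy&quot; "/></w:p>'
          '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
          '<w:r><w:instrText> PAGE </w:instrText></w:r>'
          '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
PACKAGE = ('<w:p><w:r><w:object><o:OLEObject Type="Embed" ProgID="Package" '
           'DrawAspect="Icon" ObjectID="_1"/></w:object></w:r></w:p>')
PACKAGE_PARTS = {"word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0placeholder"}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_docx(SPLIT_DDE + PACKAGE + BENIGN, PACKAGE_PARTS)
    print(scan_docx(data))
```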



The VBScript was obfuscated, but not heavily.

In the code snippet reported below, two different files are created, named based on the current seconds:

  • the first one has the extension ".viv"
  • the second one has the extension ".qde"
Please note, the seconds value was used as the file name.



The "JAy0D" function reads from the ".qde" file and writes into the ".viv" file.

The code snippet reported below shows the resource that the dropper has to download, a file with the extension ".pkg".



Using the whois protocol, I retrieved the domain's information. It is useful to note that this domain is protected by a privacy agreement.



The ".pkg" file format is an installation file used by Apple in its operating system.

It was impossible to download the "tmp.pkg" file. The server returned a 404 Not Found error.


Another resource that has to be downloaded is a ".jpt" file.
The JPT file format (JPEG-PNG-Type) takes advantage of the compression ratio of JPEG and PNG at the same time.
The main image is stored as JPEG while the alpha channel is stored in a PNG file as a gray scale.
While the PNG file can be 32-bit, 24-bit, 8-bit or even palette based, it is recommended to use only 8-bit or palette-based images in order to save space and actually take advantage of the JPT format.
The next step was to analyze this file.


There I discovered the home page that this library comes from.

It was hosted on a GitHub page that is no longer available.


From the page, I was able to recover the developer's name, "Jake J. Davis", and thanks to Google Cache, part of his GitHub account.

Jake J. Davis closed a lot of his accounts in the last months, like GitHub, libraries.io, etc.

Another analysis I did was on the email's header. Here we can read the name of the sender's PC connected to the server.




Hey Bruce, remember: "The first rule of the Internet is: stay stealthy"! 👀


CONCLUSION and HESITATIONS:

Something doesn't seem clear.
  1. The PKG file is not reachable.
  2. The JPT file doesn't seem to be in JPT format.
  3. This VBScript works only on Windows and acts as a dropper to download other resources. It also uses Windows commands ("cmd.exe") to perform some checks ("ping 8.8.8.8");
  4. If everything seems written for Windows, why does it have to download a file that works on Mac OS?







In conclusion: given all these inconsistencies, many questions are still outstanding, and this leaves us two options: either everything is part of a bigger project, or the one who created these files is a newbie.


Thanks to my colleague for the support provided! ☺

Wednesday, 18 January 2017


Retrieve Personal Information using Boarding Pass Published on Social Networks




This article is meant to be a POC (proof of concept) of how an attacker with bad intentions could use the pictures you publish on social networks to retrieve information about you.

Are you readyyyyy?? ...Here we goooo!!

In the last days I discovered a website that works like an OCR: it can read the content of an uploaded barcode image. The supported barcode types are:

  • Code 39,
  • Code 128,
  • PDF417,
  • Postal barcodes (IMB, 4-state),
  • QR code,
  • DataMatrix barcode,
  • Driver license,
  • ID card barcodes.


I started playing with different pictures that I found on different social networks, and during this I was captured by a picture of a boarding pass.

I decided to use it and try to identify the content of the barcode printed on it.

The first test failed, the second had the same result, and then I decided to change social network. My first idea was Instagram.

I searched for "boarding pass" using the hashtag (#boardingpass) and got more than 60,000 results.

I decided to focus my test on the picture reported below (it is censored for obvious reasons).

I copied the barcode, saved it and uploaded it to the website... I waited just 2 seconds and Bhoooommm! The data was shown on the web page:

  • the passenger's name,
  • the passenger's surname,
  • the PNR code,
  • the departure place,
  • the destination place,
  • the flight number and so on...



Reading this data, my last trip came back to my mind, together with the email I had received from the airline. If I remember well, its contents were a PNR code and other flight information... I checked my mailbox and luckily I had not deleted it!! It was still there! :)


The airline sent me a PNR code in order to use it, together with other personal data, to give me the opportunity to check in, check my booking and so on.

So, you surely already have in mind what came to my mind after this little lesson.
Yes, that's right! I'd like to retrieve more personal information about this person from the airline's website. Well, I will try!

...But what is the airline's name? From the boarding pass picture it was hard to retrieve, so I decided to use the information inside the barcode to achieve my goal. In the barcode's data the third part contains information about the flight; I put it into the Google Flights website and... Bhhoooommm!! I retrieved a list of airlines that fly this route.

The next step was easy: I checked the company's website to find the area where I could check a booking.

The web page showed a form where PNR, name and surname were required. Doh! I needed this person's name and surname... I decided to go back to Instagram to retrieve info about this person.

It was not hard work: the person uses his name and surname as the account name.

OK, now I had everything I needed; I entered the data and... (look for yourself!).

The web page reports everything (name, surname, ticket price, date, etc.).


PLEASE NOTE
This is only a demonstration of how dangerous it is to publish your pictures on social networks!! It is not a way to push someone to perform dangerous and illegal acts!!!

TAKE CARE OF YOUR PRIVACY AND YOUR PERSONAL DATA!!


DO NOT PUBLISH YOUR PERSONAL INFORMATION ONLINE!

Monday, 17 October 2016


The Threat Behind an Italian Phishing Campaign


According to Wikipedia (https://en.wikipedia.org/wiki/Phishing), phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

This case is not about phishing, because this campaign doesn't try to obtain sensitive information; instead of phishing it is "something else"...

This email was delivered to one of my mailbox honeypots.

It's very easy to understand that it is a fake email, but even so, today most people believe that it is authentic. This is due to the fraudster's evil idea of hitting the most sensitive part of every person's mind: the pocket and the money.

This email seems to come from the Italian agency that collects taxes.

Clicking on the hyperlink "Scarica il Documento" (Download the Document), a web page is shown to the end user.

Here a file named "Documento Numero 00020160830.pdf" is downloaded.

At first I didn't pay attention to the sentence "La password per accedere alla fattura è 7604" (the password to access the invoice is 7604), and I focused my attention on the file.

I decided to open the document. The icon was a zip icon, but by enabling the folder option "show file extensions", the extension turned out to be ".pdf".


Well, as I expected it was a zip file, but it asked me for a PASSWORD. I remembered the password printed on the web page, I entered it and the file was extracted.





-------------------- STATIC ANALYSIS --------------------


The sample file was packed using NullSoft software.
A packer is a special program used to obfuscate the entire file.


Investigating the sample file, two digital certificates were discovered.




One of these digital certificates has been revoked.













-------------------- CODE REVERSE ENGINEERING --------------------


The pictures below report a code snippet showing how the malware checks and asks for the path of the "Temp" directory.

...and below is reported the request for the "ResourceLocate" directory in order to get the GUI language.
The pictures reported below contain strings, like DLL file names, URLs and domains, but also parts of commands like "[Rename]\r\n".








-------------------- DYNAMIC ANALYSIS --------------------



I ran it in my virtual environment. A process with the same name as the file was executed, and another process named "xkpgcoc.exe" was created.




Checking the performance graph, it is easy to note that only the process "xkpgcoc.exe" was doing I/O activity on disk.



















At the end of its task, this was the result:

All data in my virtual environment was encrypted by CTB-Locker. The extension appended to encrypted files was seven random characters. The file name pattern after encryption is:
<Original_File_Name>.<Original_Extension_Uppercase>.<Seven_Random_Chars>.

Running this ransomware more than once, I noted that it changes the encryption extension every time.
Killing the process "xkpgcoc.exe", the countdown disappears and we can read on the desktop background the instructions to pay and recover the files. During the malware's execution no network traffic was generated. This means that the cryptolocker doesn't communicate with a C2C server: the public key is generated locally using a specific algorithm.




The instructions are also reported in a TXT file named "!Decrypt-All-Files-aruugia.txt" and an image named "!Decrypt-All-Files-aruugia.jpg", both located in the "Documents" directory.

It is useful to note four important things:


  1. The cryptolocker didn't detect that it was running in a virtual environment
  2. The cryptolocker made no network connections to any C2C server
  3. The countdown was not real
  4. There is no information about how much the user has to pay to recover the files.

Going one step further, the Tor website was checked in order to understand the process the user has to follow to recover the files.


Typing the public key into the form, we receive the following web page.

The payment simulation was done several weeks after the infection. This demonstrates that the countdown is fake and is useful only to scare the victim.

The web page reported above could be reached directly by knowing the URL. This means that the first page does not perform a real check on the public key reported on the desktop background and in the instruction files.

The only check the first web page does is to verify whether the key was generated by the algorithm embedded in the cryptolocker. A random public key does not work and an error is reported to the user.
This is a trick to fool the user or an inexperienced analyst.


It is a CTB-Locker and there is no known way to decrypt files encrypted by it without paying the ransom (as reported by Kaspersky).

Every Kaspersky and TrendMicro decrypter was tested and none of them was able to decrypt the files encrypted by CTB-Locker.



-------------------- FORENSICS ANALYSIS --------------------


Below are reported the changes that this ransomware made in my VM.

----------------------------------
Chiave cancellata (removed keys) :3
----------------------------------
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{688d2436-fb66-11e5-8224-08d40c63bf18}\shell
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{688d2436-fb66-11e5-8224-08d40c63bf18}\shell\Autoplay
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{688d2436-fb66-11e5-8224-08d40c63bf18}\shell\Autoplay\DropTarget

----------------------------------
Chiave aggiunta (added keys):32
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{9C691604-1C86-496F-9A97-388265B2C111}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9C691604-1C86-496F-9A97-388265B2C111}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bxymszh
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASAPI32
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASMANCS
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\PML
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aruugia
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aruugia\OpenWithList
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.PML
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.PML\OpenWithList
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.PML\OpenWithProgids
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.PML
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows Photo Viewer
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows Photo Viewer\Viewer
 ...(continue) 

----------------------------------
Valore cancellato (changed values) :3
----------------------------------
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{688d2436-fb66-11e5-8224-08d40c63bf18}\shell\: "None"
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{688d2436-fb66-11e5-8224-08d40c63bf18}\shell\Autoplay\MUIVerb: "@shell32.dll,-8507"
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{688d2436-fb66-11e5-8224-08d40c63bf18}\shell\Autoplay\DropTarget\CLSID: "{F26A669A-BCBB-4E37-ABF9-7325DA15F931}"

----------------------------------
Valore aggiunto (added values) :134
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9C691604-1C86-496F-9A97-388265B2C111}\Path: "\bxymszh"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9C691604-1C86-496F-9A97-388265B2C111}\Hash:  9C B1 E8 C3 45 CA 30 48 28 22 AF C4 95 DE F4 83 97 E3 11 86 A1 0B 33 AC 0A C1 AF 69 13 65 02 8E
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9C691604-1C86-496F-9A97-388265B2C111}\DynamicInfo:  03 00 00 00 1A E5 82 A7 10 11 D2 01 1A E5 82 A7 10 11 D2 01 00 00 00 00 00 00 00 00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bxymszh\Id: "{9C691604-1C86-496F-9A97-388265B2C111}"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bxymszh\Index: 0x00000002
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASAPI32\EnableFileTracing: 0x00000000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASAPI32\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASAPI32\FileTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASAPI32\ConsoleTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASAPI32\MaxFileSize: 0x00100000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASAPI32\FileDirectory: "%windir%\tracing"
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASMANCS\EnableFileTracing: 0x00000000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASMANCS\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASMANCS\FileTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASMANCS\ConsoleTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASMANCS\MaxFileSize: 0x00100000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASMANCS\FileDirectory: "%windir%\tracing"
...(continue)


For sure, if it is a ransomware it has put some file into the "Tasks" folder (C://%Nome utente%/Windows/System32) in order to be executed at computer startup.


As I expected, in this folder there was a file named "bxymszh" without a file extension.

Note: this file name also changes if the cryptolocker is executed more than once after restoring the VM snapshot.


The content of this file is reported below:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers>
    <LogonTrigger id="Trigger1">
      <Enabled>true</Enabled>
      <UserId>mac</UserId>
    </LogonTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <Duration>PT10M</Duration>  
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\%USER_NAME%\AppData\Local\Temp\xkpgcoc.exe</Command>
    </Exec>
  </Actions>
  <Principals>
    <Principal id="Author">
      <UserId>HIDDEN_BY_ME</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>
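An added example (not the author's code) that triages a task file like the one above: it parses the Task Scheduler XML, pulls out the command, triggers, Hidden flag and principal, and flags a binary launched at logon from a user-writable directory such as AppData\Local\Temp. The first sample is the task quoted above, trimmed to the elements used here; the second, benign sample is constructed:

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
T = "{%s}" % TASK_NS

# Directories a normal installer would not schedule a binary from.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\", "\\temp\\")


def parse_task(data) -> dict:
    """Extract the fields worth triaging from a Task Scheduler XML file.

    Files under System32\\Tasks are UTF-16 on disk: raw bytes with a BOM are
    decoded here, and the XML declaration is removed because ElementTree
    refuses a str that declares a multi-byte encoding."""
    if isinstance(data, bytes):
        data = data.decode("utf-16") if data[:2] in (b"\xff\xfe", b"\xfe\xff") else data.decode()
    data = re.sub(r"^\s*<\?xml[^>]*\?>", "", data)
    root = ET.fromstring(data)
    triggers_el = root.find(T + "Triggers")
    triggers = [c.tag.replace(T, "") for c in triggers_el] if triggers_el is not None else []
    reg = root.find(T + "RegistrationInfo")
    return {
        "command": (root.findtext(f"{T}Actions/{T}Exec/{T}Command") or "").strip(),
        "arguments": (root.findtext(f"{T}Actions/{T}Exec/{T}Arguments") or "").strip(),
        "triggers": triggers,
        "hidden": root.findtext(f"{T}Settings/{T}Hidden") == "true",
        "run_level": root.findtext(f"{T}Principals/{T}Principal/{T}RunLevel") or "",
        "has_registration_info": reg is not None and len(reg) > 0,
    }


def triage(task: dict) -> list:
    """Return the reasons this task deserves a closer look (empty when none)."""
    reasons = []
    cmd = task["command"].lower()
    from_user_dir = any(d in cmd for d in USER_WRITABLE)
    if from_user_dir:
        reasons.append("command runs from a user-writable directory: " + task["command"])
    if from_user_dir and "LogonTrigger" in task["triggers"]:
        reasons.append("re-launched at every logon: persistence for a dropped binary")
    if task["hidden"]:
        reasons.append("task is hidden from the Task Scheduler UI")
    if not task["has_registration_info"]:
        reasons.append("no Author/Description (legitimate software usually sets them)")
    return reasons


# The task quoted above, trimmed to the elements used here (user id hidden as
# in the original), stored UTF-16 with BOM as the real file is on disk.
SAMPLE_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers>
    <LogonTrigger id="Trigger1"><Enabled>true</Enabled><UserId>mac</UserId></LogonTrigger>
  </Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\%USER_NAME%\AppData\Local\Temp\xkpgcoc.exe</Command></Exec>
  </Actions>
  <Principals>
    <Principal id="Author"><UserId>HIDDEN_BY_ME</UserId><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
</Task>""".encode("utf-16")

# Constructed benign task for comparison: vendor metadata, scheduled trigger,
# binary under Program Files.
BENIGN_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Example Vendor</Author><Description>Updater</Description></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2016-10-01T09:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Example\updater.exe</Command></Exec></Actions>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
</Task>"""

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_TASK
    task = parse_task(data)
    print(task)
    print("\n".join(triage(task)) or "nothing suspicious")
```

Run it over every file under C:\Windows\System32\Tasks to list the tasks that point into %TEMP% or %APPDATA%; the same checks apply to the TaskCache registry entries listed above.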

Below is reported the Temp folder content, which includes 2 folders and one exe file, the process that was executed by the evil file ("Documento Numero 00020160830.pdf.exe").


Running this ransomware more than once, the exe file's name (xkpgcoc.exe) does not change, but the folder names change every time.

The content of the two folders "nsmFEF9.tmp" and "nsbEDF8.tmp" is a DLL file named "System.dll".


Analyzing both DLLs, they seem to be identical (same strings, same function names: Store, Copy, Alloc, etc.), but they are located in two different folders. I suppose it is a development mistake in the source code.



Going to the parent directory I found other files with unusual extensions.
The names of these files, contrary to the others, DON'T change if the malware is executed more than once.
We have some good IOCs :)




In brief, this cryptolocker uses the real CTB-Locker algorithm to encrypt files, which until now has not been cracked. Anyway, there is a gray area about it that I want to summarize in some points:
  • The end user downloads a zipped file protected with a password that is reported on a static web page.
  • The Onion web page located on the dark web allows a bypass of the first screen.
  • The countdown is only a fake.
  • Two identical DLL files.

Did each of these points improve or reduce the fraudster's economy? ...What if the end user removed the email after downloading the file? The fraudster has failed at the first step.

Is it really worth the trouble?

This was a very strange campaign with a very sophisticated cryptolocker but with some ordinary mistakes made by an inexperienced person.

IoCs


In \AppData\Local\:
  • aclfepwx.cb
  • aom.t 
  • cwmlmn.p 
  • jbibns.sm
  • jsrthsll.lj
  • ljyg.wqbv
  • pnvj.t
  • rcdsn.uv
  • rgfihvmy.uqmas.wp
  • s.wp
  • wb.ibkh
  • x.am
  • yjkjaryt.b

In \System32\Tasks:
  • xkpgcoc.exe

MD5: 474e163b1da51a3da12290190e508f05
SHA1: 126e8fbd68dbf76e9e20477729555049cbe89dd8