Wuhan University Information Security Association. 2015/12/19 15:25
Continuously updated malicious software Original text: blog.talosintel.com/2015/12/cry…
0 x00 the
Over the past year, Talos has spent a lot of time studying how Ransomware works, how it manages other malware, and its economic impact. This research is of great value in developing detection methods and disrupting attacks by attackers. CrytoWall is a piece of malware that has been upgraded first to CryptoWall2 and then CryptoWall3 over the past year. Despite efforts to detect and disrupt its attacks, the developers of the malware have improved their techniques and now release a version of CryptoWall4.
To make sure we can detect it most effectively, Talos reversed CryptoWall4 to understand its behavior, as well as the differences after the upgrade, and shared our findings here.
Ransomware may not be familiar to readers, but ransomware is malicious software that locks users’ files (such as photos, documents, audio files, etc.) and then encrypts them. Users pay a ransom to decrypt the files and see their contents. Typically, users can infect Ransomware with phishing emails. The core function of CryptoWall4 remains the same, encrypting user files for ransom to decrypt. However, Talos has discovered some new features. For example, the encryption algorithm has changed, and CryptoWall4 has added a new technology to disable and remove all automatic backup mechanisms in Windows, making it almost impossible to restore files without external backup.
We also found that CryptoWall4 uses some unexposed API to get the native language Settings for the intruding host. The new CryptoWall features discovered by Talos will be described in more detail in a later article.
For experienced readers, we recommend you continue reading this afternoon. We strongly recommend that users and enterprises follow safety regulations and adopt multi-level testing methods to avoid risks. Our in-depth analysis of the new version of CryptoWall gives us the technical support to protect users and identify better detection schemes. In the end, according to the FBI statement, users are out of options and should pay the ransom. Talos strongly advises users not to pay ransoms, as this directly benefits the malicious campaign.
0 x01 infection
CryptoWall operators use phishing and drive-by download to spread their malicious programs to users. Once CryptoWall4 is successfully run, an RSA public key is downloaded from the C2 service. All files are then temporarily encrypted with the AES secret key before being encrypted with the downloaded RSA public key. It then tells the user in three different ways that you’re encrypted. The first is a text file, the second is a.png image, and the third is an HTML document. All automatically open from the victim’s desktop. As shown below.
FigureA.1
FigureA.2
FigureA.3
FigureA.4
FigureA.5
One interesting finding is that CryptoWall4 keeps looping to download the RSA public key once it can’t retrieve it from C2 Server. As long as the public key is not available, CryptoWall won’t destroy the victim’s computer. Talos also observed that the sample had some additional security checks, such as automatically terminating the infection process if the language on the victim’s machine was not supported. The following language Settings will not be infected:
Russian, Kazakh, Ukrainian, Uzbek, Belarusian, Azeri, Armenian, Kyrgyz, Georgian.
It was clear that the attackers wanted to exclude certain areas from infection.
The infection process is described as follows:
Figure B
CrytoWall4 has been injected into the Svchost process starting with “Delete all shadow Copies” as shown in the figure above. This process is injected to obtain higher privileges on the victim’s machine to bypass the UAC. Only when you have permission to silently delete all system backups, otherwise the UAC will prompt the user to handle it.
The following figure C shows the network communication using HTTP, but payload is encrypted. Figure D and E
Figure C
Figure D
Figure E
CryptoWall4 uses a new filename generation algorithm to name encrypted files:
- Scan disk drives for those excluded from the whitelist
- Get the original file from the directory, then skip the filename and extension in the whitelist
- Generate random filename length (5-10)
- Construct the file name with a random ‘a-z’ of length 3. (First get a random number from 0 to 1000, then modulo 26, then turn it into ‘A-Z’ letters)
- The file name string ends with Null
- Select a random num1 between size/2 and size. (size = filename length)
- Select a random num2 from 1 num1 (num2 determines how many random numbers to insert next into the filename string)
- Get a random 0-9 (char type) and insert it at a random location in the file name
- Repeat step8, num2 times
- Use the same algorithm to generate the extension, but the length is 2-5
- Add the extension to the file name
CryptoWall4 uses the CRC32 checksum algorithm to exclude certain directories, file names, and extensions. Here are some whitelists:
Extensions:
exe, dll, pif, scr, sys, msi, msp, com, hta, cpl, msc, bat, cmd, scf
Directories:
windows, temp, cache, sample ,pictures, default pictures, Sample Music, program files, program files (x86), games, sample videos, user account pictures, packages
Files:
help_your_files.txt, help_your_files.html, help_your_files.png, thumbs.db
The complete whitelist is provided in Appendix A at the end of this article.
These whitelisted directories, file names, and extensions are used to ensure operating system stability. That means victims can continue to use their computers to pay ransoms. Any infected users should remember that the next time they boot up, the encryption will start automatically again, and any new files they create will be encrypted again.
After the file name of the new file is generated, its encryption algorithm is shown in Figure F: this also clearly tells us that after CryptoWall4 encrypts the file, it is almost impossible to restore the file without RSA private key to restore the AES secret key. The private key, however, exists only on the attacker’s computer and is not transmitted to the user’s computer. In other words, without paying a ransom for the private key, there is no way to restore the file. Users should back up their important files so they can recover them without paying a ransom.
Figure F
0 x02 subject
The body of the virus program is compressed and protected by a different shell, which has a lot of junk code, useless API calls, and code obfuscating tricks like calling random apis with strange parameters.
Figure G
Second layer protection with a staggered jump form of code:
INSTRUCTION 1
INSTRUCTION 2
JNO nextSteo
Copy the code
0x03 Unzip the code
The main code is very similar to previous versions of CryptoWall: first construct your own IAT, get the required system calls, and create your own main event object to manage process synchronization (the name is Workstation’s MD5). This event has two objectives: to prevent the remaining CryptoWall4 processes from running during execution and to synchronize the different processes involved in the infection. This code is injected into a new process named “Explorer.exe”. The actual code injected into the target process uses one of these two techniques:
- ZwCreateSection and ZwMapViewOfSection
- ZwAllocateVirtualMemory, ZwWriteVirtualMemory and ZwProtectVirtualMemory
Finally, the code is relocated. Two different techniques are used for injection:
- The ZwQueueApcThread internal API is used to inject the APC queue into the target process
- The classic CreateRemoteThread method
The code that is eventually injected into the new host “Explorer. Exr” process is executed and then CryptoWall4 is used to infect the system and persist. The program body is copied into the %APPDATA% directory, and then added in the user root directory after the “Run” key value, to realize the boot.
The virus will disable all system restore points and Windows backups in a way that has not yet been discovered. SRRemoveRestorePoint is called first, with parameters 0-1000, until the method returns ERROR_INVALID_DATA. It sets the “DisableSR” key value to 1 in the registry HKLM\Software\Microsoft\Windows Nt\SystemRestore path, which completely disables SystemRestore. Finally it starts to execute the standard command for deleting a stored backup:
#! bash vssadmin.exe Delete Shadows /All /QuietCopy the code
The following process is in the svchost.exe process. The code will rebuild the IAT table, create another event (used only in “svchost.ext”), and then form and open its own configuration file. This step often fails because the configuration file does not yet exist. Dropper opens and unpacks its own internal list of C&C urls (using the LZ compression algorithm). Finally it tries to broadcast a connection to one of the C&C servers.
You can find a list of C&C Servers used by the malware in the IOC section.
CryptoWall4’s network package is special and looks like this:
[| | | request Id crypt7 | workstation MD5 subRequest Id 1 | subRequest 1 Data |…
At the time of writing this article, we managed to separate out five different types of packages (with different Request ids).
1,3 -- Announcement packet -- used to tell C&C server that a new machine is infected The first sub-request ID is used to distinguish between different types of packages: 1 - Public key request - Used to request a new Public key from the C&C server to prepare for encryption. 2 - End announcement packet Used to tell the server that the infection is over. Another sub-request ID represents details on how the infection ended: 1-SUCCESS 2, 3-unsupported OS language packet-exitCopy the code
The packages were sent to the network using the standard HTTPS protocol, but were encrypted before that. The encryption algorithm is very common. It takes a random string as the key and forms a data stream in this format:
| Letter | = | encryption Key in Hex | encrypted stream |
For example: s = 6975376 e7a9b0fd24886fbd0c0de32d3ab4dd97174462ca3b06af16a1c840ae893eddacafbd93e56847c23a41352d4f45fc75468e4408
After the broadcast process successfully connects to the C&C Server, it requests the public key. Here’s where CryptoWall4 falls short: if a firewall or IPS is good enough to block CryptoWall4 packets, the infection won’t work. The request ID of the RSA-2048 public key request package is 7. The package returned by C&C Server looks like this:
- A list of payment urls
- The base64 encrypted RSA-2048 public key
- PNG image with base64 encryption (image determined by system language Settings)
Figure H.1
Figure H.2
Figure H.3
The public key is decrypted using the CryptStringToBinary API. The decrypted data is stored in a global variable. The HTML and text files (compressed with LZ compression algorithm) are released by Dropper, the configuration file is finally created and encrypted, and stored in C:\Users\[Username]\AppData\Roaming\[Random 8 digits].
CryptoWall4 verifies that the configuration file is complete and contains all the information needed to execute malicious code. It also ensures that malicious programs can continue to encrypt files even if they are interrupted. This file has a number of contiguous extents, starting with a DWORD value that specifies the size of the extents.
CryptoWall4 stores the following information in the configuration file:
- Binary stream data received from the public key
- An HTML page that matches the language used by the user
- Text file that matches the language used by the user
- PNG images that match the language used by the user (i.e., make them understandable to the victim)
Once the file encryption process is complete, the last three files are written to all directories on the infected machine.
The configuration file is eventually compressed (LZ compression algorithm, RtlCompressBuffer API, parameter 2 COMPRESSION_FORMAT_LZNT1) and then written to disk.
If all goes well, the main thread is created and the previous thread is terminated (RtlExitUserThread)
0 x04 main thread
The main thread starts by importing the public key, which parses the binary data of the encrypted public key into a data structure that can be recognized by the Windows Crypto APIs. CryptoWall4 uses the CryptDecodeObjectEx API to parse encrypted public keys. After that, the binary data is converted to a CERT_PUBLIC_KEY_INFO structure. Finally, the new data structure is imported into the Crypto APIs using the CryptImportPublicKeyInfo function, which returns a xx handle. The MD5 of the public key is then calculated, which is important because it is used to check whether the victim’s file has been encrypted.
After this, the real encryption process starts. For each logical partition, there are the following checks:
#! cpp LPWSTR pngFilePath = new TCHAR[MAX_PATH]; // This produces something like "C:\HELP_YOUR_FILES.PNG" ComposePngPath(driveName, "HELP_YOUR_FILES.PNG", pngFilePath, MAX_PATH); if (! FileExists(pngFilePath) == TRUE) {// Proceed with the encryption... ... ... }Copy the code
In general, a disk will be skipped if it has a help_your_files.png file in its root directory. We don’t know if this is a bug or if it’s doing this on purpose. For each filtered disk, a new encrypted thread is started (the thread main function takes a small structure, part public key, part pointer to the disk name string)
The main thread waits for all encryption processes to complete. Then put the three files with decryption instructions in two places: the start menu’s launch directory, but the desktop.
Finally, an End announcement package is created and sent to the C&C Server. The configuration file is deleted and the process is terminated (using ZwTerminateProc)
Figure I
0x05 Encrypted Thread
The encryption thread has two main tasks: first it calls “DoFilesEncryption” to encrypt all files that are not whitelisted, and finally it writes help_your_files.png to the root directory.
DoFileEncryption traverses all folders and files in the directory on the target disk.
When a subdirectory is encountered, the directory name is checked and CRC32 checked to see if it is whitelisted (so that folders like “Windows”, “system32”, and “temp” are filtered out). Also check to see if help_your_files.png exists, and if not, proceed to call DoFileEncryption with the current directory.
The file is checked twice: for the extension and filename. If the file is not whitelisted, the EncryptFile will be called.
The “EncryptFile” function is used to encrypt the target file. The “IsFileAlreadyEncrypted” function checks whether the target file is encrypted by reading the first 16 bytes and comparing it to the MD5 value of the public key.
At this point, the malicious program generates random file names and extensions. Here’s the algorithm :(get each printable character using the RtlRandomEx API)
#! cpp // Generate a random value DWORD GenerateRandValue(int min, int max) { if (min == max) return max; // Get the random value DWORD dwRandValue = RtlRandomEx(&g_qwStartTime.LowPart); DWORD dwDelta = max - min + 1; dwRandValue = (dwRandValue % dwDelta) + min; return dwRandValue; } // Generate a Random unicode string LPWSTR GenerateRandomUString(int minSize, int maxSize) { DWORD dwStringSize = 0; // Generated string size DWORD dwNumOfDigits = 0; // Number of number letters inside the string LPWSTR lpRandString = NULL; // Random unicode string // Generate the string size, and alloc buffer dwStringSize = GenerateRandValue(minSize, maxSize); lpRandString = new TCHAR[dwStringSize+1]; for (int i = 0; i < (int)dwStringSize; i++) { DWORD dwLetter = 0; // Generated letter dwLetter = GenerateRandValue(0, 1000); dwLetter = (dwLetter % 26) + (DWORD)'a'; lpRandString[i] = (TCHAR)dwLetter; } // NULL-terminate the string lpRandString[dwStringSize] = 0; // Now insert the digits inside the string DWORD dwUpperHalf = GenerateRandValue(dwStringSize / 2, dwStringSize); dwNumOfDigits = GenerateRandValue(1, dwUpperHalf); for (int i = 0; i < (int)dwNumOfDigits; i++) { DWORD dwValue = 0, dwPos = 0; // Generated value and position dwValue = GenerateRandValue(0, 9) + (DWORD)'0'; dwPos = GenerateRandValue(0, dwStringSize-1); lpRandString[dwPos] = (TCHAR)dwValue; } return lpRandString; } // Generate a random file name starting from a file full path BOOLEAN GenerateRandomFileName(LPWSTR lpFileFullPath, LPWSTR * lppNewFileFullPath, LPWSTR * lppOrgFileName) { LPWSTR lpRandFileName = NULL; // New random file name (without extension) LPWSTR lpRandExt = NULL; // New random file extension LPWSTR lpNewFileName = NULL; // The new file full name DWORD dwSize = 0; // size of the new filename // Check the arguments if (! lpFileFullPath || ! lppNewFileFullPath || ! lppOrgFileName) return FALSE; // Generate the new file name (without extension) lpRandFileName = GenerateRandomUString(5, 10); // Generate the random file extension lpRandExt = GenerateRandomUString(2,5); // Combine the new file name and extension and generate the final new file path // .... dwSize = wcslen(lpRandFileName) + wcslen(lpRandExt) + 1; lpNewFileName = new TCHAR[dwSize+1]; swprintf_s(lpNewFileName, dwSize+1, L"%s.%s", lpRandFileName, lpRandExt); / /... }Copy the code
New files are created, and a new AES-CBC 256 key is also generated by calling CryptGenKey and CryptExportKey. This 32-bit key will be used to encrypt the entire file.
CryptoWall4 uses a trick to encrypt the AES key using the RSA-2048 public key obtained from the C&C server. This generates a 256-bit key that can only be decrypted by an attacker.
The MD5 value of the RSA public key is written to the 16-byte header of the encrypted file. CryptoWall4 then writes the 256-bit encrypted string. The properties and size of the original file are written in the next 8 bytes. The original file name is encrypted by the resulting AES key and then written to the new encrypted file, along with the file size.
After that, the actual file contents are encrypted. The original file is read 512kb at a time and stored in a large data block. Each database is encrypted with an AES-CBC 256 encryption key. Write directly to the new file (the first four bytes are the size of the block)
When finished, all resources held by CryptoWall4 are released. The original file is deleted. This process is more interesting, as shown in the following code:
#! cpp // Move the new encrypted file name in the old original position, replacing the old one bRetVal = MoveFileEx(newEncFileName, lpOrgFileName, MOVEFILE_WRITE_THROUGH | MOVEFILE_REPLACE_EXISTING); if (! bRetVal) // Delete the old file in the standard manner: DeleteFile(lpOrgFileName); else { // Rename the original replaced file in the new random file name bRetVal = MoveFileEx(lpOrgFileName, newEncFileName, MOVEFILE_REPLACE_EXISTING); }Copy the code
As you can see from the pseudocode, the disk area where the original files were stored was specifically rewritten to make it very difficult to recover the data. This is a novel and interesting way for malware authors to ensure high payment rates. Reduce the possibility of data recovery so they can make more money. Here is the structure of the encrypted file:
Figure J
0 x06 summary
In this analysis, we carefully analyzed CryptoWall4. The malware doesn’t have any innovative technology, but there are a few bright spots. The drawback is that the infected process needs to interact with C2 Server. If a firewall or IPS can capture the packets it is interacting with, the infection process cannot proceed because it needs a public key to encrypt the victim’s files. However, once CryptoWall4 encrypts the victim’s file without paying the attacker a ransom, there is no way to recover the private key or decrypt the file. Because the victim couldn’t get an RSA private key on his machine. The private key only exists in the hands of the attacker.
As our analysis shows, CryptoWall’s developers are constantly updating the malware to ensure it remains effective for users. On top of the threat, companies need to realize that attackers will constantly improve the malware. Multi-layered self-protection methods can help companies detect CryptoWall and block its threats. Talos will also continue to follow CryptoWall research to find better monitoring methods, and then build a better protection system for users. Vaughn strongly advises users and businesses to follow security practices, such as installing system patches in a timely manner, being cautious when receiving information from unknown third parties, and making sure to have a good backup. These measures can reduce the threat of these malicious programs, and can also be used to prevent attacks.
0 x07 protection
- High Level protection (AMP) is a good way to prevent the execution of such malicious programs.
- CWS or WSA network scans can rule out malicious sites that attackers use for phishing and other attacks.
- The IPS and NGFWS are up to date to provide network security protection and detect malicious software.
- ESA intercepts emails with malicious intent
0x08 others
IOC DETAILS
IOCs can be downloaded here blogs.cisco.com/wp-content/…
Sample:
3a73bb154506d8a9a3f4f658bac9a8b38d7590d296496e843503323d5f9b7801
Copy the code
Similar samples:
2d04d2a43e1d5a6920a806d8086da9c47f90e1cd25aa99b95af182ee9e1960b3
bf352825a70685039401abde5daf1712fd968d6eee233ea72393cbc6faffe5a2
299b298b433d1cc130f699e2b5c2d1cb3c7e5eb6dd8a5c494a8c5022eafa9223
Copy the code
Threat report:
Panacea.threatgrid.com/samples/d25…
C2 URL list
abelindia.com/1LaXd8.php
purposenowacademy.com/5_YQDI.php
mycampusjuice.com/z9r0qh.php
theGinGod.com/HS0ILJ.php
yahoosupportaustralia.com/8gX7hN.php
successafter60.com/iCqjno.php
alltimefacts.com/EiFSId.php
csscott.com/YuF59b.php
smfinternational.com/eRs70a.php
lexscheep.com/OIsSCj.php
successafter60.com/r_kfhH.php
posrednik-china.com/etdhIk.php
ks0407.com/VoZQ_j.php
stwholesaleinc.com/yL54uH.php
ainahanaudoula.com/GH09Dp.php
httthanglong.com/yzoLR7.php
myshop.lk/6872VF.php
parsimaj.com/60wEBT.php
kingalter.com/uVRfPv.php
shrisaisales.in/ZUQce4.php
cjforudesigns.com/E8B2gt.php
mabawamathare.org/WEAbCT.php
manisidhu.in/zJE0fD.php
adcconsulting.net/XEGeuI.php
frc-pr.com/dA91lI.php
localburialinsuranceinfo.com/zDJRc8.phpsmfinternational.com/AYNILr.php
Copy the code
Appendix A
Excluded files CRC32 Checksums 8E87F076h = help_your_files.txt 0A73B295Ch = help_your_files.html 11A8ACA3h = help_your_files.png 88068F93h 775DBED4h 60479578h 7BD40679h = iconcache.db 48F43013h = thumbs.db 95ED794Ah 884F3F52h 7DAC63A1h 4208466h 0BA069E4Ch 0EC619E8Dh 9B0FD8B3h Excluded extensions CRC32 Checksums 6B63B6F0h = exe 3DD3B336h = dll 0BB5EA5C1h = pif 592D276Fh = scr 9E07ED22h = sys 8F3272A8h = msi 0A45BDDC1h = no three letter ext 0B65F578Ah = no three letter ext 0EB59DA68h = msp 64B6C6E6h = com 0C863AEB6h = hta 0DEEBF8EEh = cpl 6FE79BB6h = msc 9F9C299Fh = bat 2F5C1CC0h = cmd 43F7F312h = scf Excluded directories CRC32 Checksums 0E3E7859Bh = windows 0B5385CAh = temp 0ED4E242h 9608161Ch 41476BE7h = cache 0F5832EB4h 0D8601609h 1DF021B7h 0B91A5F78h = sample pictures 0A622138Ah = default pictures 3FF79651h = sample Music 62288CBBh = program files 224CD3A8h = program files (x86) 72D480B3h 0FF232B31h = games 0A33D086Ah = sample videos 78B7E09h = user account pictures 9BB5C0A7h = packages 24FA8EBDhCopy the code