Over the weekend and into this morning we have been seeing a run of malware that uses an interesting lure to get potential victims to fall for its trick. Fear is a social engineering technique that tends to work well and has been used plenty of times in the past. Usually, though, it takes the form of a fake purchase or withdrawal receipt, where the attacker wants the victim to believe that someone is buying things in their name or draining one of their accounts. In this version the delivery email instead warns New York City residents of a homicide suspect who is apparently on the loose and possibly on the prowl.

[image: homicide]

The message claims to come from ALERT@nyc.gov. This may or may not be the real address that NYC.gov uses to send alerts to residents who enroll (and only those who enroll) about events of interest within the city, such as power outages and road closures; either way, the address is spoofed.

[image: homicide2]

This fake alert contains little information and arrives as a plain text email. In all of the variants we have seen the text stays the same except for the numbers following “Bulletin Case#” and the numbers on the three lines below it, all of which appear to be randomized.

The malware itself arrives in a Zip file as a screensaver executable (.scr) dressed up to look like a .pdf that supposedly contains more information about the murder suspect.

[image: icon1] [image: icon2]

Instead of providing that information, the intended victim gets a fresh copy of the latest CryptoDefense, a CryptoLocker clone. Once on the host, the executable Homicide-case#098.exe injects itself into explorer.exe. It also copies itself into several autorun locations to make removal more difficult.

Once it has a foothold it starts deleting some very important data, beginning with any Volume Shadow Copies the user may have (which are what System Restore and Previous Versions rely on). It does this by running the Volume Shadow Copy Service administration tool, vssadmin.exe, as “vssadmin.exe Delete Shadows /All /Quiet”; the /Quiet switch suppresses any prompts or warnings that would otherwise show this happening. A few milliseconds later it also modifies the registry to disable System Restore altogether.

One potential “flaw”, if you want to call it that, in these newly popular CryptoClones is that they use a hard-coded domain as their command and control server. In this case the malware makes a plain HTTP connection on port 80 to the domain babyslutsnil.com at the IP 199.127.225.232. If you have not done so already, block all connections to this domain and IP; doing so prevents the malware from reaching its C&C server and obtaining the key it then uses to encrypt the victim's files. Obviously, if the block goes in after the fact it will be too late.
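Both behaviours described above, the shadow copy deletion via vssadmin.exe plus the System Restore registry change, and the beacon to a hard-coded C2, are cheap to catch on the endpoint. The following Python is an added example, not code from the original post: it runs three simple rules over constructed, Sysmon-style key=value event lines. The sample lines, the field names and the DisableSR registry value name are assumptions made for the example; the domain and IP are the ones given in the post.

```python
import re
from typing import Dict, List, Tuple

# Indicators from the post; extend with your own.
C2_DOMAINS = {"babyslutsnil.com"}
C2_IPS = {"199.127.225.232"}

# Constructed sample telemetry (not real logs): one key=value record per line,
# loosely modelled on Sysmon process, registry and network events.
SAMPLE_EVENTS = r"""
ts=2014-03-31T08:02:11 type=process_create host=ws07 image="C:\Users\bob\Homicide-case#098.exe" cmdline="Homicide-case#098.exe"
ts=2014-03-31T08:02:12 type=process_create host=ws07 parent="C:\Windows\explorer.exe" image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin.exe Delete Shadows /All /Quiet"
ts=2014-03-31T08:02:12 type=registry_set host=ws07 key="HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" value=DisableSR data=1
ts=2014-03-31T08:02:13 type=network_connect host=ws07 image="C:\Windows\explorer.exe" dst_ip=199.127.225.232 dst_port=80 dst_host=babyslutsnil.com
ts=2014-03-31T08:05:40 type=process_create host=ws07 image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin.exe List Shadows"
ts=2014-03-31T08:06:02 type=network_connect host=ws07 image="C:\Program Files\Mozilla Firefox\firefox.exe" dst_ip=93.184.216.34 dst_port=443 dst_host=example.com
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict; values may be double-quoted to allow spaces."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(line)}


def detect(event: Dict[str, str]) -> List[str]:
    """Return the name of every rule that fires on one event."""
    hits = []
    etype = event.get("type")
    image = event.get("image", "").lower()
    cmdline = event.get("cmdline", "").lower()

    # Rule 1: vssadmin deleting shadow copies. Matching "delete" + "shadows" rather than
    # the exact string also catches "/for=" variants or reordered switches.
    if etype == "process_create" and image.endswith("vssadmin.exe") \
            and "delete" in cmdline and "shadows" in cmdline:
        hits.append("shadow copies deleted via vssadmin.exe")

    # Rule 2: System Restore switched off through policy (value name is an assumption).
    if etype == "registry_set" \
            and event.get("key", "").lower().endswith("\\systemrestore") \
            and event.get("value", "").lower() == "disablesr" \
            and event.get("data") == "1":
        hits.append("System Restore disabled via registry")

    # Rule 3: beacon to the hard-coded C2, by name or by address.
    if etype == "network_connect" and (
            event.get("dst_host", "").lower() in C2_DOMAINS or event.get("dst_ip") in C2_IPS):
        hits.append("connection to known CryptoDefense C2")
    return hits


def scan(text: str) -> List[Tuple[str, str, str]]:
    """Run every rule over every line; returns (timestamp, host, reason) tuples."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for reason in detect(event):
            alerts.append((event.get("ts", "?"), event.get("host", "?"), reason))
    return alerts


if __name__ == "__main__":
    for ts, host, reason in scan(SAMPLE_EVENTS):
        print(ts, host, reason)
```

The "List Shadows" and the browser connection in the sample are there as negative cases: a rule that fires on every vssadmin.exe launch or every port 80 connection would drown the real alerts. The network rule matches on both hostname and address because a domain block alone does nothing once the malware is resolving to, or hard-coding, the IP.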

These CryptoClones have been very aggressive and highly effective. We recommend that everyone make good cold backups of their files and keep them off the network, so that if someone on the network is infected with CryptoLocker or one of its clones the damage can be repaired. We never recommend paying the ransom; it simply encourages the thieves and means we will be dealing with them for much longer.

[image: keytroajn]

This past week we have been monitoring an elevated threat level from a known trojan downloader commonly referred to as ‘Zortob’. The email messages use a somewhat clever, albeit slightly recycled, social engineering tactic by posing as a court summons. The subjects are “notice of judicial summons” or something similar, and the body carries a simple message: you are being ordered to appear in court. This is meant to trigger just enough panic in the recipient to open the attached payload. Cybercriminals rely on this type of social engineering heavily because it tricks an acceptable percentage of users into opening the attachment.

Here is a look at one of the messages:

[image: summons]

Clicking the .exe inside the attached .zip infects the user with the trojan downloader. Zortob's job is to download other malware from the internet; in this instance it reaches out to the remote host 176.111.81.75, located in Ukraine, to pull down a fresh install of Zbot, aka the Zeus banking trojan:

[image: iplocation]

The Zeus family of malware is renowned for stealing personal information such as passwords and login credentials with its keylogging capabilities. We saw quite a bit of activity from this malware back in December of 2013, and for the past week this campaign has been propagating consistently. As usual we are quarantining all variants of this threat, but remember to never open attachments in unsolicited emails.

Early this morning a small malware campaign started up claiming to be daily customer statements from “Berkeley Futures Limited” (a real company; the messages are spoofed). The payload was an attached password-protected .zip file, with the password printed right in the message body for the recipient, which should be a red flag to users. When a password is used the archive contents are normally encrypted, so a scanner cannot inspect the files inside unless someone supplies the password and extracts them. This makes filtering such files tricky, but not impossible.

[image: pwpzipmainemail]

The attachment contains two files: an .scr file and a .pdf of a fake invoice. The first interesting thing was that the file had a .zip extension but was actually a RAR archive (the first bytes are “Rar!” rather than the “PK” that begins a zip). This may have been deliberate, an attempt to slip past some scanner, or an accident when they created the archive. RAR malware is much less common than zip malware, since zip files open natively on most systems.

[image: itsararnotazip]

So if you did not have a program that extracts RAR files, the archive could not be opened at all.

[image: jimicantopenthatzip]

The fake spreadsheet in the archive is the .scr executable. The file shows a compile date of 5/25/2014 and was detected by 3 of 52 AV engines on VirusTotal. When run, it turns out to be a trojan downloader: it reaches out to the internet (62.76.43.110, a Russian IP) and downloads a 220 KB “1.exe” that uses an Amazon logo as its icon. This file has the same compile date and a detection rate of 5/52 on VirusTotal, with the AV engines classifying it as Zbot. When run, it tries to reach another Russian IP, but no connection could be established.

[image: lookatthatexethere]

[image: lilamazonlogo]
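Most of what this post describes, a RAR delivered under a .zip name, a password-protected archive whose password sits in the email body, and an .scr posing as a document (the same trick the homicide alert and, below, the fax campaign use), can be triaged before anything is extracted: the archive type lives in the first bytes, the encryption flag lives in the zip headers, and member names are stored in the clear even in an encrypted zip. The following Python is an added example, not code from the original post. The archives, member names, contents and email text are constructed for the example and modelled on the campaigns above, not taken from the real attachments; the mark_encrypted helper only flips the encryption flag bits of a stdlib-built zip, because zipfile can read but not write encrypted archives.

```python
import io
import re
import struct
import zipfile
from typing import List, Optional

ZIP_MAGIC = b"PK\x03\x04"                 # local file header signature
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
EXECUTABLE_EXTS = (".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# matches "password is 1234", "Password: 1234", "the password is '1234'."
PASSWORD_RE = re.compile(r"\bpassword\s*(?:is|:)\s*['\"]?([^\s'\"]+)", re.IGNORECASE)


def archive_kind(data: bytes) -> str:
    """Classify by leading bytes; the filename extension is ignored on purpose."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return "rar"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name says one format but the bytes say another."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    kind = archive_kind(data)
    return kind != "unknown" and kind != ext


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag in the first local file header marks encryption."""
    if not data.startswith(ZIP_MAGIC) or len(data) < 8:
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x1)


def executable_members(data: bytes) -> List[str]:
    """Member names sit unencrypted in the central directory, so no password is needed to list them."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [name for name in zf.namelist() if name.lower().endswith(EXECUTABLE_EXTS)]


def password_in_body(body: str) -> Optional[str]:
    """Pull a disclosed archive password out of the email text, if there is one."""
    match = PASSWORD_RE.search(body)
    return match.group(1).rstrip(".,;") if match else None


def triage(filename: str, data: bytes, email_body: str = "") -> List[str]:
    """All checks in one pass; an empty list means nothing stood out."""
    findings = []
    kind = archive_kind(data)
    if extension_mismatch(filename, data):
        findings.append("extension says %s but content is %s" % (filename.rsplit(".", 1)[-1], kind))
    if kind == "zip":
        if zip_is_encrypted(data):
            password = password_in_body(email_body)
            findings.append("encrypted zip" + (" with password '%s' in the email body" % password if password else ""))
        findings.extend("executable member " + name for name in executable_members(data))
    return findings


# --- constructed fixtures modelled on the campaigns above (not the real attachments) ---
def build_zip(members) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members:
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(data: bytes) -> bytes:
    """Fixture only: set the encryption bit in the first local header and in the central
    directory so the zip looks password-protected (zipfile can read but not write encrypted zips)."""
    buf = bytearray(data)
    struct.pack_into("<H", buf, 6, struct.unpack_from("<H", buf, 6)[0] | 1)
    cd = buf.find(b"PK\x01\x02")          # central directory header; its flags are at offset 8
    struct.pack_into("<H", buf, cd + 8, struct.unpack_from("<H", buf, cd + 8)[0] | 1)
    return bytes(buf)


FAX_ZIP = build_zip([("Fax-932971.scr", b"MZ" + b"\x00" * 64)])          # .scr shown with a PDF icon
STATEMENT_RAR = RAR4_MAGIC + b"\x00" * 32                                # RAR bytes delivered as .zip
STATEMENT_ZIP = mark_encrypted(build_zip([("invoice.pdf", b"%PDF-1.4"), ("statement.xls.scr", b"MZ")]))
EMAIL_BODY = "Please find attached your daily statement. The archive password is 4521."

if __name__ == "__main__":
    for name, blob, body in (("Fax-932971.zip", FAX_ZIP, ""),
                             ("statement.zip", STATEMENT_RAR, EMAIL_BODY),
                             ("statement.zip", STATEMENT_ZIP, EMAIL_BODY)):
        print(name, triage(name, blob, body))
```

Once a filter has recovered the password from the body, zipfile's read(name, pwd=...) can decrypt traditional ZipCrypto members so their contents can be scanned as well; that step is not shown here because the fixture is only flagged as encrypted, not actually encrypted. The RAR case stops at the format check, which is the point: a gateway that only knows how to open what the extension claims will wave it through.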

Zbot is a common piece of malware for us to see, because it is built to steal money and can be very profitable for the people behind the campaigns. A good rule of thumb for password-protected zips: if the password is in the email, that defeats the whole point of having a password in the first place. Be cautious of any files from unknown senders, and especially wary of password-protected zips with the password in the body. A protected zip is a common way for malware authors to try to sneak past whatever malware filtering a company is using.

Currently we are blocking this malware with over 40,000 hits so far this morning.

This morning we began seeing yet another new version of CryptoLocker from the same person or people who brought us the Australian electric company bill version earlier this week. This time the authors spent much more effort on improving their product than on the delivery presentation.

[image: cryptoemail]

It begins as a very simple plain text email pretending to be a fax delivered by email, as seen below. Note that, in an effort to evade filters or at least make blocking harder, the cyber thief has been handing potential victims DropBox links. As in many campaigns in the past, virus campaigns have tried to use legitimate, especially free, services to hide their malware. Google Docs was a favourite of spammers peddling pharma campaigns, but Google was usually pretty quick to clean those up. In this instance it appears that DropBox does not scan its stored files for malware, and CryptoLocker is taking full advantage of that. Hopefully they can join the fight very soon.

[image: cryptopic1]

Under the hood this one also works a little differently in a few ways. Once the victim machine is infected, three new windows pop up to tell the victim what has happened. One is a web page explaining what just occurred. Another is a text file named “DECRYPT_INSTRUCTION” explaining what you must do to decrypt your files. An interesting note in the instructions this time is that they include Tor links that are supposed to be “your personal home page”; if you follow them, you simply end up at a page that looks like the instruction page that popped up when you were first notified of the infection.

The third window is reminiscent of the original CryptoLocker in that it shows a countdown timer. Originally this was the time you had before they destroyed your private key; this time it states that when the timer runs out the price of their not so friendly decryption service doubles. This go around it is $500 USD/EUR, rising to $1000 USD/EUR after the timer expires; the timer appears to start at 120 hours. Last go around payments were accepted through Western Union or Moneygram; this time they are back to Bitcoin, and only Bitcoin.

This version also offers a new feature, a “Decrypt 1 file for FREE” button, which is fully functional.

[image: cryptopic2]

This is a very nasty bug. Not only does it encrypt local files, it also seeks out attached storage and network shares and encrypts everything on those as well. We do not recommend paying these people; we recommend that anyone infected isolate the affected machines from the network and restore them from backups. The encryption is strong, and so far nobody has found a way to undo it. On top of that, the malware itself is currently detected by only 1 of 51 anti-virus solutions. If something appears wrong or out of place, avoid it!

The infection chain requires the recipient to click the DropBox link in the email to retrieve a Zip file, then open the Zip. Inside is a file named Fax-932971.scr; note the screensaver .scr extension. Once extracted from the Zip it displays a PDF icon.

File hashes (SHA256):

Zip: 78b9a606531642abf3d5179f91b2e4f2cf6bbb11ccde9120525e6633ca8f3595

.scr: 03467f231a3fce6795545ae99a6dad161effa3bf681031693815eabf1648ee66