Forensics Weekly Summary for Week of May 20, 2016

By Jason Torikawa-Domingo on May 20, 2016

In our current day and age, information runs the world, and a compromised system affects how that information moves. Last week we discussed phishing, which is one of the most common ways to infect a system with malware. That is only the start: clicking a link sent to you by email can do one or more of the following:

  • Redirect you to a different page
  • Download a file, folder or application
  • Execute or open that file, folder or application
  • Run malicious code that compromises the system once it executes

One of the most common and most damaging outcomes of clicking such links is ransomware. Ransomware takes hold when an object (a file, an application, a zip archive, etc.) is executed and the malware it carries denies the owner or user access to a system, an application or their files, then demands some form of payment to restore that access. This is especially dangerous for businesses whose daily operations depend on their computer systems.


Ransomware codename Locky:

This post looks at one of the most recent (February 2016) ransomware families, which was distributed by email as a Microsoft Word document containing malicious macros. Only computers running Windows are affected by the payload; the document can still pass through, or be forwarded from, systems running Apple or Linux operating systems, which do not execute it.

-The Locky distribution appears to come from the Dridex campaign, which was spread the same way but was built to steal banking credentials. A botnet (a network of infected computers under remote control) pushed the malware out in mass spam runs. Opening the attachment prompts you to enable macros (if Office is configured to allow macros automatically there is no prompt at all, which is why that setting should never be used); once enabled, the macro runs code that fetches and executes the payload, which encrypts your files and replaces your desktop wallpaper with a ransom note.

  • A macro is a series of commands and instructions grouped together as a single command so that a task can be carried out automatically.
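The macro prompt discussed above is only a defence if Office is actually configured to show it. The following PowerShell is an added example, not code from this post or from any Microsoft tooling: it reads Word's per-user macro setting (VBAWarnings) and the Group Policy copy that overrides it, reports whether macros run without a prompt, and can set the safer "signed macros only" value. Assumptions: per-user installs of Office 2013 (15.0) or 2016 (16.0); other builds can be passed in -Versions. The BlockContentExecutionFromInternet value only exists in Office 2016 and later.

```powershell
# Added example (not from the post): audit and harden Word's macro setting.
#
# VBAWarnings values under ...\Office\<ver>\Word\Security:
#   1 = enable all macros, no prompt       (the "automatically allow" setting)
#   2 = disable all, with notification     (Office default: the Enable Content bar)
#   3 = disable all except digitally signed
#   4 = disable all, no notification
# Assumption: Office 2013 (15.0) and 2016 (16.0) per-user keys.

function Get-WordMacroPolicy {
    param([string[]]$Versions = @('15.0', '16.0'))
    foreach ($v in $Versions) {
        $userKey   = "HKCU:\Software\Microsoft\Office\$v\Word\Security"
        # Written by Group Policy; when present it wins over the per-user key.
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$v\Word\Security"
        if (-not (Test-Path $userKey) -and -not (Test-Path $policyKey)) { continue }

        $user   = Get-ItemProperty -Path $userKey   -ErrorAction SilentlyContinue
        $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

        $warn = $policy.VBAWarnings
        if ($null -eq $warn) { $warn = $user.VBAWarnings }
        if ($null -eq $warn) { $warn = 2 }                 # absent value = Office default
        $block = $policy.BlockContentExecutionFromInternet
        if ($null -eq $block) { $block = $user.BlockContentExecutionFromInternet }

        [pscustomobject]@{
            Version             = $v
            VBAWarnings         = $warn
            MacrosRunUnprompted = ($warn -eq 1)            # the dangerous state
            BlockInternetMacros = ($block -eq 1)           # Office 2016 and later only
            SetByPolicy         = ($null -ne $policy.VBAWarnings)
        }
    }
}

function Set-WordMacroPolicy {
    param([string[]]$Versions = @('15.0', '16.0'), [int]$VBAWarnings = 3)
    foreach ($v in $Versions) {
        $userKey = "HKCU:\Software\Microsoft\Office\$v\Word\Security"
        if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
        Set-ItemProperty -Path $userKey -Name VBAWarnings -Value $VBAWarnings -Type DWord
        # Block macros in documents carrying the mark of the web (email attachments, downloads).
        Set-ItemProperty -Path $userKey -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
    }
}

Get-WordMacroPolicy | Format-Table -AutoSize
# Set-WordMacroPolicy -VBAWarnings 3   # apply: only digitally signed macros may run
```

A result with MacrosRunUnprompted = True is exactly the "automatically allow" configuration the paragraph warns about. Because the Policies key takes precedence, a domain-joined machine should get the hardened value through Group Policy rather than through Set-WordMacroPolicy alone; the per-user write is enough for a standalone workstation.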

-The macro delivered a 32-bit executable, and the files it ran carried the string "_locky.exe". Once deployed, the original disappears and execution continues from a self-made copy renamed svchost.exe in the user's %Temp% folder. The legitimate svchost.exe lives only in %SystemRoot%\System32, so a copy in %Temp% is a strong indicator on its own.

-Files are encrypted with a combination of RSA and AES, and each is completely renamed to the victim's unique ID (UID) followed by an ID for the file, with the extension .locky.

-It used Windows PowerShell to execute code that contacts a remote location and makes use of what it retrieves from there.

-Locky attacks three kinds of local drive (fixed, removable and RAM disks) as well as local network resources and shares, looking specifically for files with the following extensions to encrypt: .m4u | .m3u | .mid | .wma | .flv | .3g2 | .mkv | .3gp | .mp4 | .mov | .avi | .asf | .mpeg | .vob | .mpg | .wmv | .fla | .swf | .wav | .mp3 | .qcow2 | .vdi | .vmdk | .vmx | .gpg | .aes | .ARC | .PAQ | .tar.bz2 | .tbk | .bak | .tar | .tgz | .gz | .7z | .rar | .zip | .djv | .djvu | .svg | .bmp | .png | .gif | .raw | .cgm | .jpeg | .jpg | .tif | .tiff | .NEF | .psd | .cmd | .bat | .sh | .class | .jar | .java | .rb | .asp | .cs | .brd | .sch | .dch | .dip | .pl | .vbs | .vb | .js | .asm | .pas | .cpp | .php | .ldf | .mdf | .ibd | .MYI | .MYD | .frm | .odb | .dbf | .db | .mdb | .sql | .SQLITEDB | .SQLITE3 | .asc | .lay6 | .lay | .ms11 (Security copy) | .ms11 | .sldm | .sldx | .ppsm | .ppsx | .ppam | .docb | .mml | .sxm | .otg | .odg | .uop | .potx | .potm | .pptx | .pptm | .std | .sxd | .pot | .pps | .sti | .sxi | .otp | .odp | .wb2 | .123 | .wks | .wk1 | .xltx | .xltm | .xlsx | .xlsm | .xlsb | .slk | .xlw | .xlt | .xlm | .xlc | .dif | .stc | .sxc | .ots | .ods | .hwp | .602 | .dotm | .dotx | .docm | .docx | .DOT | .3dm | .max | .3ds | .xml | .txt | .CSV | .uot | .RTF | .pdf | .XLS | .PPT | .stw | .sxw | .ott | .odt | .DOC | .pem | .p12 | .csr | .crt | .key

-After execution, the registry of the affected system holds, under the current user's hive (HKCU), an autorun entry and data specific to that infection (the victim's individual ID, the public RSA key and the text of the ransom note), along with the changed desktop wallpaper setting.
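The artifacts in the last three points (svchost.exe in %Temp%, the per-user registry data, the .locky files and the wallpaper change) are what a responder looks for first on a suspect machine. The script below is an added example, not from this post and not Locky code: a read-only triage run in the affected user's session that reports each of those indicators. Assumptions: %TEMP% is the user's temp folder the post refers to; the HKCU:\Software\Locky key with values id, pubkey, paytext and completed comes from public analyses of the February 2016 samples, not from this post; the wallpaper filename pattern is a guess and only a weak indicator; the scan root defaults to the user profile and mapped drives must be passed in.

```powershell
# Added example (not from the post, not Locky code): read-only host triage for
# the Locky artifacts described above. Run as the affected user.

function Get-LockyIndicators {
    param([string[]]$ScanRoots = @($env:USERPROFILE))   # add mapped drives / shares as needed
    $hits = New-Object 'System.Collections.Generic.List[object]'
    $add  = { param($What, $Detail) $hits.Add([pscustomobject]@{ Indicator = $What; Detail = $Detail }) }

    # 1. svchost.exe dropped in %TEMP%. The genuine binary lives only in %SystemRoot%\System32.
    $tempCopy = Join-Path $env:TEMP 'svchost.exe'
    if (Test-Path $tempCopy) {
        $sha = (Get-FileHash -Path $tempCopy -Algorithm SHA256).Hash
        & $add 'svchost.exe in %TEMP%' "$tempCopy sha256=$sha"
    }
    Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($_.Path -notlike "$env:SystemRoot\System32\*") } |
        ForEach-Object { & $add 'svchost process outside System32' "PID $($_.Id): $($_.Path)" }

    # 2. Per-user autorun entries that point into a Temp folder or mention locky.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not registry values
            $val = [string]$p.Value
            if ($val -match '(?i)\\temp\\|locky') { & $add 'HKCU Run entry' "$($p.Name) = $val" }
        }
    }

    # 3. The per-user data the post lists: victim ID, public RSA key, ransom text.
    #    Key name is from public analyses of the Feb 2016 samples (assumption here).
    $lockyKey = 'HKCU:\Software\Locky'
    if (Test-Path $lockyKey) {
        $k = Get-ItemProperty -Path $lockyKey
        $pubLen = ($k.pubkey | Measure-Object).Count
        & $add 'HKCU\Software\Locky present' ("id={0} completed={1} pubkey={2} bytes" -f $k.id, $k.completed, $pubLen)
    }

    # 4. Wallpaper swapped for the ransom note (weak indicator; the pattern is an assumption).
    $wp = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue).Wallpaper
    if ($wp -and $wp -match '(?i)locky|recover') { & $add 'Wallpaper points at ransom image' $wp }

    # 5. Encrypted files. The earliest LastWriteTime approximates when encryption began.
    foreach ($root in $ScanRoots) {
        if (-not (Test-Path $root)) { continue }
        $enc = @(Get-ChildItem -Path $root -Recurse -Force -File -Filter '*.locky' -ErrorAction SilentlyContinue)
        if ($enc.Count -gt 0) {
            $first = $enc | Sort-Object LastWriteTime | Select-Object -First 1
            & $add 'Encrypted files' ("{0} .locky files under {1}; earliest {2:u}" -f $enc.Count, $root, $first.LastWriteTime)
        }
    }
    return $hits
}

Get-LockyIndicators | Format-Table -AutoSize -Wrap
```

The earliest .locky timestamp is worth recording before anything else is touched: it brackets the time window in which the email was opened and the macro ran, which is where the mail logs and proxy logs should be searched. Hashing the %Temp% copy gives a value to check against other hosts before cleaning this one.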

Look In-Depth:

Once the system is compromised, the ransom note tells you how to get your information back. You are directed to the attackers' website through the Tor Browser (Tor routes traffic through an anonymity network and gives access to hidden services, the part of the internet often called the undernet or dark web, where services can be reached without revealing who runs them). From there you pay them directly in Bitcoin (the online currency and payment system). While the outer layer of the executable is encrypted, the inner payload was not: once unpacked, it contains strings and functions that reveal how the process works.

– The public RSA key and the ransom note are fetched from the attackers' server over an HTTP-based protocol. It also made use of a domain generation algorithm (DGA), so the server domains are computed rather than fixed.

-The communication protocol is fairly simple. A POST request carries parameters in the typical key=value format. The parameters are packed together, an MD5 hash of them is computed, and both the content and the MD5 are encrypted before being sent.

-The key returned in that exchange is the public half of an RSA key pair. The AES key used on each file is encrypted with it and stored in the lower part of the file's content. Only the matching private RSA key, which never leaves the attackers' server, can unwrap that AES key, and only with the AES key can the file itself be decrypted. That is why the encrypted files cannot be recovered from the host's own artifacts, and why the operators can demand payment for the private key.
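The RSA-wraps-AES scheme above is what makes the host's artifacts useless for recovery. The following PowerShell is an added example, not Locky's code and not from this post; it uses the .NET crypto classes to show the same structure on constructed sample data: a file encrypted with a locally generated AES key, that key wrapped with a public RSA key, and the wrapped key unwrappable only by the holder of the private half. Assumptions: 2048-bit RSA with OAEP padding and AES-128 in CBC mode (the post gives no parameters); RSACryptoServiceProvider requires Windows.

```powershell
# Added example (not Locky's code): the hybrid RSA/AES structure described above,
# on constructed data. Assumptions: RSA-2048 + OAEP, AES-128-CBC, Windows .NET.

function Invoke-HybridWrapDemo {
    # Operator side: the RSA key pair. Only the public half is ever sent to the victim.
    $operator = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
    $publicHalf = $operator.ExportParameters($false)        # modulus + exponent only

    # Victim side: holds just the public key "fetched from the server".
    $victim = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $victim.ImportParameters($publicHalf)

    # Per-file AES key generated locally on the victim host.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128
    $aes.GenerateKey(); $aes.GenerateIV()
    $plain  = [Text.Encoding]::UTF8.GetBytes('Q1 invoice 4471 - constructed sample file')
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

    # The AES key is wrapped with the public RSA key and kept beside the ciphertext;
    # the plaintext AES key is then discarded on the host.
    $wrapped = $victim.Encrypt($aes.Key, $true)             # $true = OAEP padding
    $aes.Key = New-Object byte[] 16

    # Holding only the public key, the victim cannot unwrap it ...
    $victimCanUnwrap = $true
    try { [void]$victim.Decrypt($wrapped, $true) } catch { $victimCanUnwrap = $false }

    # ... the operator, holding the private key, can, and then decrypts the file.
    $aes.Key = $operator.Decrypt($wrapped, $true)
    $recovered = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)

    [pscustomobject]@{
        VictimCanUnwrapKey = $victimCanUnwrap                                        # False
        OperatorRecovered  = ([Text.Encoding]::UTF8.GetString($recovered) -eq
                              [Text.Encoding]::UTF8.GetString($plain))               # True
        WrappedKeyBytes    = $wrapped.Length                                         # 256 for RSA-2048
        CipherBytes        = $cipher.Length
    }
}

Invoke-HybridWrapDemo
```

The failed Decrypt on the victim object is the whole point: everything the malware leaves on disk and in the registry (ciphertext, wrapped AES key, public RSA key) is reproduced here, and it is still not enough. Recovery without the private key depends on backups, or on an implementation flaw in the malware, never on the artifacts themselves.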

Conclusion:

It appears that emails are still being sent out from infected computers. Nor is this limited to American or English-speaking companies: the ransom notes are available in other languages as well. If you receive an email with an attached invoice that is not in the usual PDF format, double-check the validity of the email as described in the previous post. Malware is everywhere and can be downloaded unintentionally or unknowingly. Always be cautious with email, and never be afraid to question its validity.

Source(s):

Macro Definition

Ransom Notes in other Languages

Locky and Dridex

Bitcoin

Note:

The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community, we need to know your concerns and questions about, for example, proper safeguards for technology you are looking into, or what sets of compliance and governance policies you would need to operate a particular business. The CSCC openly invites you to send in your inquiries. We will have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity. Mail us at: uhwocscc@hawaii.edu