Wednesday, December 6, 2017

StorageCrypt ransomware, a coinminer and more



Lawrence over at Bleeping Computer posted an interesting blog yesterday:
StorageCrypt Ransomware Infecting NAS Devices Using SambaCry

In that blog, Lawrence pointed out that quite a few users had issues with a new ransomware, dubbed StorageCrypt, possibly spread via a worm.

There is a Windows component and a Linux component. We'll briefly take a look at both, hopefully providing some additional insight and indicators.


Windows artifacts

美女与野兽.exe is the Windows component, and as pointed out by Lawrence, translates loosely to 'Beauty and the Beast'.

This executable is packed with ASPack, and appears to display worm-like and backdoor behaviour, with the additional 'feature' of spreading itself via removable drives. After unpacking the sample, it reveals some interesting strings:

1.vbpSMSS.EXEhttp://www.freewebs.com/kelly6666/sm.txthttp://www.freewebs.com/kelly6666/lo.txtDBST32NT.LOG.bak.exeV1.8Start Success.logyyyymmddmmssTxt Open ,Repair the application! is running, Repair the application from backup. is running, Repair the application from MySelf. running is running, update the application !Get V Data!Read Tname to memory.icoKill icoExtractIcons...Write to Tname...ip addr addedGetFolderFileDate...Replace all attrib.I m here!-->Insert Error : for .dll.dll  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonShellexplorer.exe UserinitHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunWindows9xPacksHKEY_CLASSES_ROOT\txtfile\shell\open\command NOTEPAD.EXE %1HKEY_HKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_CURRENT_CONFIGHKEY_DYN_DATAErrorC:\boot_net.datC:\dosnal.exeFind all exe file from Local host*.exeDownload files is accomplish!Run files of download is success![autorun]Download files1 is accomplish!Run files1 of download is success!This program cannot be run in DOS mode.This program must be run under Win32Autorun.infsuccess.txtcmd.exe /C net view command.exe /C net view  to find to Create file.exeopen=.exeGet Local host IP: Rnd IP:DiskC:\dntboot.binip packet too_bigip unload
Whatever was hosted at www.freewebs[.]com cannot be retrieved, as it no longer exists.

In any case, binaries similar to this one appear to have been floating around the web for quite a while, as can be observed in this analysis result from 2013 by Team Cymru's TotalHash.

I've uploaded the unpacked sample on Hybrid Analysis.


Linux artifacts

The Linux component appears to revolve around a Samba vulnerability, dubbed SambaCry and assigned CVE-2017-7494 earlier this year.

There are several components, which are listed in the table below.


Filename     Hash                               Purpose
kJn8LUAZ.so  6b5b4fce04f36101c04c0c5b3f7935ea   Downloads 'sambacry'
ZbdofxPY.so  053bb22c2cedf5aa5a089bfd2acd31f6   Downloads 'sambacry'
sambacry     ffe17e314f7b1306b8badec03c36ccb4   Fetches other payloads
httpd1       a5e8cb2e7b84081f5b1f2867f2d26e81   Miner config
minerd32     a016b34ade18626f91d14e46588d6483   Coinminer
watchcat32   ac9ad6bc8cd8118eaeb204c2ebf95441   Watchdog

Once one of the .so files has downloaded it, the 'sambacry' binary in turn downloads a set of other files from the C2 server, 45.76.102[.]45.

These files support the coin mining; installed alongside them is what appears to be a watchdog, which monitors the miner process. Additionally, it runs the following in a loop:

while true; do
  # kill any wget/curl process that is not this loop itself and is not talking to the C2
  ps -ef|grep -E "wget|curl"|grep -v $$|grep -v 45.76.102.45|awk '{print $2}'|xargs kill -9
done

Whoever's behind this campaign is using the email address madhatterss@protonmail[.]com, as defined in the miner configuration:

{
        "url" : "stratum+tcp://xmr.pool.minergate.com:45560",
        "user" : "madhatterss@protonmail.com",
        "pass" : "x",
        "algo" : "cryptonight"
}

While analysing both Windows and Linux artifacts, I have not observed any ransomware behaviour, so likely the latter is installed manually later on by the attacker.
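As an added example (not from the original post), the following POSIX shell function sweeps a directory tree for the Linux components in the table above, both by MD5 and by the pool and e-mail strings from the miner configuration. It assumes GNU coreutils/findutils (md5sum, find -size) and a readable tree such as / on a live host or a mounted evidence image; the function name and the optional hash-list argument are this helper's own conventions.

```shell
#!/bin/sh
# Sweep a directory tree for the StorageCrypt Linux components from the table
# above. Added example, not part of the original post. $1 is the tree to sweep
# (/ on a live host, or a mounted evidence image); $2 optionally names a file
# with one MD5 per line to use instead of the built-in list.
storagecrypt_sweep() {
    dir="${1:-/}"
    hashes="${2:-}"
    cleanup=""
    if [ -z "$hashes" ]; then
        hashes=$(mktemp)
        cleanup="$hashes"
        # MD5s of the six components listed in the table above.
        printf '%s\n' \
            6b5b4fce04f36101c04c0c5b3f7935ea \
            053bb22c2cedf5aa5a089bfd2acd31f6 \
            ffe17e314f7b1306b8badec03c36ccb4 \
            a5e8cb2e7b84081f5b1f2867f2d26e81 \
            a016b34ade18626f91d14e46588d6483 \
            ac9ad6bc8cd8118eaeb204c2ebf95441 > "$hashes"
    fi

    # 1. Hash match: digest every regular file (skipping very large ones) and
    #    keep the lines whose MD5 appears in the list.
    find "$dir" -xdev -type f -size -20M -exec md5sum {} + 2>/dev/null \
        | grep -F -f "$hashes" | while read -r sum path; do
            echo "hash: $path $sum"
        done

    # 2. Miner configuration: files carrying the pool or the operator's
    #    e-mail address from the JSON shown above.
    grep -rIl -e 'xmr.pool.minergate.com' -e 'madhatterss@protonmail.com' \
        "$dir" 2>/dev/null | while read -r path; do
            echo "minerconf: $path"
        done

    if [ -n "$cleanup" ]; then rm -f "$cleanup"; fi
    return 0
}

# Usage: STORAGECRYPT_RUN=1 sh storagecrypt_sweep.sh /mnt/evidence
if [ "${STORAGECRYPT_RUN:-0}" = 1 ]; then storagecrypt_sweep "${1:-/}"; fi
```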

If you run a Samba server, patch immediately; this vulnerability was already reported in April.


Indicators



Sunday, December 3, 2017

Notes on Linux/BillGates



In a previous blog post, I wrote some (extensive) notes on Linux/Xor.DDoS, also known as just Xor.DDoS, an interesting type of Linux malware.

You can find that particular blog below, in which I give some history, details, remediation and prevention in regards to the specific threat Xor.DDoS poses:
Notes on Linux/Xor.DDoS

This post will include some notes on Linux/BillGates, hereafter referred to as just 'BillGates'. Rather than being as in-depth as the previous post, I will mostly list high-level notes and remediation or disinfection steps. Additionally, after the conclusion, you will find other resources if necessary. In case of questions, comments or feedback, leave a comment or contact me on Twitter.


What is BillGates?

BillGates is malware designed primarily for Linux, and since it is a botnet, it is mostly used for DDoS purposes.

However, just like Xor.DDoS, it has limited rootkit and backdoor functionality, and thus it is possible that remote commands are executed and additional malware is downloaded.


How can I identify BillGates artefacts?

Please find below a table with indicators.

Indicator                          Notes
/etc/cmd.n
/etc/conf.n
/etc/init.d/DbSecuritySpt
/etc/init.d/selinux
/etc/rcX.d/97DbSecuritySpt         Where X is a number; usually symlinks to /etc/init.d/DbSecuritySpt
/home/ll2                          Identify all files with random names in /home/
/tmp/.bash_root.tmp3
/tmp/.bash_root.tmp3h
/tmp/bill.lock                     Identify all .lock files in /tmp/
/tmp/bill.lod                      Contains Process ID (PID) of malware main module
/tmp/gates.lod (or gates.lock)     Contains PID of malware main module
/tmp/moni.lod (or moni.lock)       Contains PID of malware 'watchdog'
/tmp/notify.file
/usr/bin/*.lock                    Identify all .lock files in /tmp/
/usr/bin/bsd-port/.sshd
/usr/bin/bsd-port/*.lock
/usr/bin/bsd-port/getty
/usr/bin/bsd-port/getty/*.lock     Identify all .lock files in /usr/bin/bsd-port/getty/
/usr/bin/pojie                     Identify all files with random names in /usr/bin/
/usr/lib/libamplify.so             Configuration file



How can I identify BillGates DDoS modules?

These modules are usually stored in /etc/, and will have the following names:

  • atddd 
  • cupsdd 
  • cupsddh 
  • ksapdd 
  • kysapdd 
  • sksapdd
  • skysapdd

It may however be useful to use the find command in conjunction with these names, in case they are residing in a different location than /etc/.


How can I identify other modifications BillGates made?

BillGates creates aliases for, or modifies or replaces, files that are typically used to monitor processes or the network. The following may be replaced:


  • /bin/lsof
  • /bin/netstat
  • /bin/ps
  • /bin/ss
  • /usr/bin/lsof
  • /usr/bin/netstat
  • /usr/bin/ps
  • /usr/bin/ss
  • /usr/sbin/lsof
  • /usr/sbin/netstat
  • /usr/sbin/ps
  • /usr/sbin/ss

A copy of the legitimate files is normally stored in:
/usr/bin/dpkgd/

Additionally, check for any potentially created jobs by looking in:
/etc/cron.X where X is a name or folder, for example /etc/cron.daily.

You may also wish to look in:
/var/spool/cron/
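The following shell function, added here and not taken from the original post, walks the indicator table, the DDoS module names and the hijacked-tool list above against a live system or a mounted image (the root-prefix argument and the function name are this helper's own assumptions). It prints one line per finding; random-named files in /home/ and /usr/bin/ still need a manual look.

```shell
#!/bin/sh
# Triage helper for the BillGates artefacts listed above. Added example, not
# part of the original post. $1 is an optional root prefix: empty for the live
# system, or e.g. /mnt/evidence for a mounted image. Prints one line per finding.
billgates_triage() {
    root="${1:-}"

    # 1. Fixed artefact paths from the indicator table.
    for p in /etc/cmd.n /etc/conf.n /etc/init.d/DbSecuritySpt /etc/init.d/selinux \
             /tmp/.bash_root.tmp3 /tmp/.bash_root.tmp3h /tmp/notify.file \
             /usr/bin/bsd-port/.sshd /usr/bin/bsd-port/getty \
             /usr/lib/libamplify.so /usr/bin/dpkgd; do
        if [ -e "$root$p" ]; then echo "artefact: $p"; fi
    done
    # rcX.d start links, normally symlinks to /etc/init.d/DbSecuritySpt.
    for l in "$root"/etc/rc*.d/*DbSecuritySpt; do
        if [ -L "$l" ] || [ -e "$l" ]; then echo "startlink: ${l#$root}"; fi
    done

    # 2. .lod / .lock files hold the PID of the main module or its watchdog.
    for d in /tmp /usr/bin /usr/bin/bsd-port /usr/bin/bsd-port/getty; do
        for f in "$root$d"/*.lod "$root$d"/*.lock; do
            [ -f "$f" ] || continue
            pid=$(tr -dc '0-9' < "$f")
            echo "pidfile: ${f#$root} pid=${pid:-?}"
        done
    done

    # 3. DDoS modules by name anywhere on the filesystem, not only in /etc.
    modules=$(find "${root:-/}" -xdev -type f \( -name atddd -o -name cupsdd \
              -o -name cupsddh -o -name ksapdd -o -name kysapdd \
              -o -name sksapdd -o -name skysapdd \) 2>/dev/null || true)
    for f in $modules; do echo "module: ${f#$root}"; done

    # 4. Hijacked process/network tools: compare against the copy in /usr/bin/dpkgd.
    for t in lsof netstat ps ss; do
        orig="$root/usr/bin/dpkgd/$t"
        [ -f "$orig" ] || continue
        for b in /bin/$t /usr/bin/$t /usr/sbin/$t; do
            [ -f "$root$b" ] || continue
            if ! cmp -s "$root$b" "$orig"; then
                echo "replaced: $b (original kept in /usr/bin/dpkgd/$t)"
            fi
        done
    done
    # Random-named files in /home/ and /usr/bin/ (e.g. ll2, pojie) cannot be
    # matched by name; review those directories by hand.
    return 0
}

# Usage: BILLGATES_RUN=1 sh billgates_triage.sh [/mnt/evidence]
if [ "${BILLGATES_RUN:-0}" = 1 ]; then billgates_triage "${1:-}"; fi
```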


Removal instructions

While the ps command may be replaced, top is not. Run the top command and check for any illegitimate processes; usually they will be randomly named. Alternatively, identify the *.lod and *.lock files, read them with cat for example, and identify the PID of the malware.

Then, use kill to end the malicious process(es), and remove the files or artefacts as indicated in the table above.

Afterwards, use mv to move the legitimate files back to their original location. You can also use a file manager to easily move them, if you have one.

You may also use an anti-virus to identify and remove any malicious files; ClamAV, for example, does a great job. BillGates is a rather old botnet by now and thus most antiviruses should have coverage for it. Don't forget to update the anti-virus' signatures first, if needed.

The same explanation, but step-by-step to make it easy:


  • Identify malicious processes: use top or check the PID in BillGates' config files;
  • Kill malicious processes: use kill -9 <PID> to kill any of its processes;
  • Remove malicious files and folders, see the sections above;
  • Replace potentially hijacked files and restore them to their original location, see also above;
  • Identify any malicious tasks and delete them as indicated above;
  • Run top again to verify there are no malicious processes left;
  • Run an anti-virus or anti-malware as a secondary opinion;
  • Change your passwords, better be safe than sorry!

Conclusion

While Linux/BillGates may not be the biggest player on the market anymore, nor as popular or common nowadays, the threat still exists, just like Xor.DDoS.

Practice proper security hygiene and take appropriate preventative measures.

In the resources section below, you may find additional useful links.


Resources

Saturday, November 4, 2017

CrunchyRoll hack delivers malware


Introduction

There's a Reddit post today with a PSA (Public Service Announcement) about Crunchyroll, a website that offers anime streaming, being hacked:

PSA : Don't enter crunchyroll.com at the moment, it seems they've been hacked.

As mentioned before, Crunchyroll offers anime streaming, and in their own words:
Enjoy your favorite anime & manga at the speed of Japan

The German Crunchyroll team has additionally issued the following warning:



The official CrunchyRoll Twitter account has tweeted the following:



If you are only interested in how to remove this malware, scroll down to the disinfection/removal section, or click here.


Update: CrunchyRoll has announced, after a few hours, that the issue is resolved:



However, I still advise you to scroll over to the disinfection or removal section. Any questions, feel free to leave a comment, or contact me on Twitter.



Analysis

So, what happens when you visit the CrunchyRoll website? Currently, you get a message that the website has encountered an error:

Figure 1 - CrunchyRoll error page

Earlier today, the CrunchyRoll website was showing the following:

Figure 2 - Likely hacked CrunchyRoll website (Image source)


While the CrunchyRoll team claims it was a DNS hijack, I have (so far) found no evidence as to the validity of this claim, and it rather appears someone was able to hack the website.

Either way, while this is bad, CrunchyRoll took swift action by taking down the website, and an investigation is under way.

What happens if you click the 'Download now' button? A new file, called CrunchyViewer.exe, will be downloaded from the following IP address:

109.232.225[.]12

This IP appears to have hosted fake antivirus software or similar in the past:

Figure 3 - Older resolutions (2010)

The newly downloaded file seemingly is the legitimate CrunchyViewer (Crunchyroll) application, but, near the end of the file, there is a chunk of Base64 encoded data appended, as seen in Figure 4:

Figure 4 - base64 encoded data (click to enlarge)

Using a Base64 decoder, we get a new file, called svchost.exe. This binary will place a copy of itself in the current user's %appdata%\roaming folder, for example:

C:\Users\Yourusername\AppData\Roaming\svchost.exe

This file will periodically call to its C2, or command-and-control server, and wait for any commands:

145.239.41[.]131

Currently, it does not appear the C2 responds on that specific port (6969); however, it is online.

There are claims the malware will additionally install ransomware - I have not observed this behaviour, but it is definitely possible once the C2 sends back (any) commands. More likely, it is a form of keylogger - malware that can record anything you type, and send it back to the attacker.

Update: it appears however (thanks to ANY.RUN for the heads-up; analysis here) that the malware actually downloads Meterpreter, which is a default Metasploit payload.

More information about Meterpreter can be found here, but basically, it can be viewed as a backdoor, as it allows the attacker to completely control your machine. However, it does appear the C2 server only downloaded Meterpreter for a limited amount of time - as port 6969 only responded within a specific time-frame.

Note that the disinfection or removal tips are still applicable in this case.

Svchost.exe will also create an autorun entry:

Figure 5 - newly created run key (click to enlarge)

This basically means the malware will start every time you (re)boot or restart the machine.

Just for fun: it appears that the miscreant, or the person responsible for creating the malware, is named Ben, judging from the debug paths:

C:\Users\Ben\Desktop\taiga-develop\bin\Debug\Taiga.pdb 
c:\users\ben\source\repos\svchost\Release\svchost.pdb

Taiga is 'A lightweight anime tracker for Windows'. This does not mean they are involved, but rather that 'Ben' has decided to include Taiga in the package.

Update: the developer of Taiga has included a fix for 'CrunchyViewer':
https://github.com/erengy/taiga/issues/489

Thus, if you now update or install the official Taiga application, it will prompt you if the malware is found, and is able to remove it.


Disinfection/Removal

Disinfection is rather straightforward:


  • Remove the malicious "Java" Run key, by opening Regedit, and browsing to:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Delete the 'Java' key;
  • Reboot your machine;
  • Remove the malicious binary, by navigating to:
    %appdata%\Roaming (for example C:\Users\Yourusername\AppData\Roaming\)
  • Delete the 'svchost.exe' file.
  • Perform a scan with your installed antivirus product;
  • Perform a scan with an online antivirus, which is different from the one you have. Alternatively, perform a scan with Malwarebytes.
  • Change all your passwords if possible. Better be safe than sorry.



Prevention


Prevention advice in general, which also pertains to CrunchyRoll's compromise:

  • Install an antivirus;
  • Keep your browser up-to-date;
  • Install NoScript if you have Firefox;
  • Install a 'well-rounded' ad-blocker, for example uBlock Origin (works with most browsers);
  • If a website you visit frequently suddenly looks completely different, or urges you to download whatever, be safe rather than sorry, and leave the website.
  • Additionally, try to Google or use social media to verify if anyone else is experiencing the same issue.
In this particular case or incident, you may also want to block the two IP addresses described in this blog post, by adding them to your firewall, or to your hosts file, like so:

127.0.0.1 109.232.225.12
127.0.0.1 145.239.41.131

For more information on how to do that, read:
How to Edit Your Hosts File on Windows, Mac, or Linux

Note that there needs to be at least a space between 127.0.0.1, and the address you want to block.



Conclusion

This hack shows that any website or organisation is, in theory, vulnerable to someone hijacking the website and consequently downloading and installing malware on a user's machine.

While it is uncertain what exactly happened, CrunchyRoll took correct action by taking the website down not too long after. At this point, it is best to monitor their Twitter account, and/or wait for an official statement.

If you have not executed the file, you should be safe. Simply delete the downloaded file.

Note that I can't speak for any second-stage payload that may have been downloaded in the early stage of the attack; however, when I investigated shortly after, I didn't observe any secondary malware.

Update: the second-stage payload was the default Meterpreter by Metasploit. Updated analysis above. This does not affect or change the disinfection or removal steps.

Follow the prevention tips above to stay secure. Any questions or feedback? Feel free to leave a comment, or reach out to me on Twitter.



IOCs


Wednesday, October 25, 2017

Comparing EternalPetya and BadRabbit


I've created a table comparing the EternalPetya (ExPetr, NotPetya, etc.) outbreak from June, and the BadRabbit ransomware outbreak from yesterday (2017-10-24).

I have decided to not include WannaCry (WanaCrypt0r), as they are not related, while EternalPetya and BadRabbit do seem very closely related, or even developed by (a part of) the same people.

Use freely, as long as you include a link to the original source, which is this blog post.

Comparison table (click to enlarge)



Download the table / comparison sheet

Additionally, you may find this image as a handy spreadsheet (which you can also download in several formats) on Google Docs here:
EternalPetya_BadRabbit_Comparison

Note: this table or sheet will be updated continuously.


Purpose of BadRabbit?

Again, this makes you wonder about the actual purpose of ransomware, which you can read more about here: The purpose of ransomware

For BadRabbit in particular, it may be deployed as a cover-up or smokescreen, or for both disruption and extortion.


Prevention 

As for any prevention advice, have a look at the following page I've set up:
Ransomware prevention


Disinfection and decryption

Unfortunately, decryption is likely not possible without the cybercriminal's private key.

You may be able to restore the MBR, or your files, if you catch the ransomware in the act and shut down the machine at that point. Reboot in safe mode and copy over or back up your files.

Then, restore the MBR, and reinstall Windows.

You may also try to restore the MBR first, and subsequently attempt to restore files using Shadow Volume Copies. For example, a tool such as Shadow Explorer can be of assistance, or read the tutorial here.

If that doesn't work either, you may try using a data recovery program such as PhotoRec or Recuva.


Any questions, comments or feedback, please do let me know in the comments section below, or send me a message on Twitter. See also my About me page for other contact details.



Saturday, October 14, 2017

Notes on Sage 2.2 ransomware version


Sage, also known as SageCrypt, is an interesting ransomware variant; it emerged somewhere in December last year, and is believed to be a variant of the CryLocker ransomware.

There's a good blog post on BleepingComputer on the first version of Sage, id est "Sage 2".

Yesterday, a personal friend of mine reached out, as his "computer started talking" and his files appeared to be encrypted. And indeed, it appears he suffered the latest variant of Sage: Sage 2.2

Sage 2.2 appears to have been out for a while, at least since February of this year:


Some figures of Sage 2.2 follow below:

Figure 1 - Sage 2.2 desktop background



Figure 2 - Sage 2.2 file recovery instructions

The message reads:

You probably noticed that you can not open your files and that some software stopped working correctly.
This is expected. Your files content is still there, but it was encrypted by "SAGE 2.2 Ransomware".
Your files are not lost, it is possible to revert them back to normal state by decrypting.
The only way you can do that is by getting "SAGE Decrypter" software and your personal decryption key.

Typical features of Sage 2.2 include, but are not limited to:

  • Refresh or update of payment pages is possible;
  • Ransom note (!HELP_SOS) and portal, including CAPTCHA;
And...

It speaks! Just like Cerber did at some point, Sage 2.2 has a message for the victim using Microsoft SAPI:

Figure 3 - VBscript which will speak to the victim (click to enlarge)

Interestingly enough, even though the version number still indicates 2.2, there's at least one slight change:
  • Deletion or purge of backup catalog/history by using:
    wbadmin delete catalog -quiet

The portal or decryption pages look as follows, stepping through:

Figure 4 - Sage 2.2 user login portal


Figure 5 - Captcha

Figure 6 - Language selection


Figure 7 - Final portal

The victim can choose from a multitude of languages, and, at the final portal, there is a special price for the decryption, for a selected time (7 days): currently 0.17720 BTC, which is about $1000.

As usual, there's a Payment, Test decryption, Instructions, and even a Support tab:

Figure 8 - Payment tab
Figure 9 - Test Decryption tab

Figure 10 - Instructions tab


Figure 11 - Support requests tab




Sage 2.2 will append the .sage extension to encrypted files and currently, it does not appear files can be decrypted without the cybercriminal's help.

As always, try to restore from a backup if possible, and avoid paying the ransom.

Additionally, have a look at my ransomware prevention page, on how to protect yourself.



IOCs