StorageCrypt ransomware, a coinminer and more

Lawrence over at Bleeping Computer posted an interesting blog yesterday: StorageCrypt Ransomware Infecting NAS Devices Using SambaCry

In that blog, Lawrence pointed out that quite some users had issues with a new ransomware, dubbed StorageCrypt, possibly spread via a worm. There is a Windows component and a Linux component. We'll briefly take a look at both, hopefully providing some additional insight and indicators.

Windows artifacts

美女与野兽.exe is the Windows component and, as pointed out by Lawrence, translates loosely to 'Beauty and the Beast'. This executable is packed with ASPack, and appears to display worm-like and backdoor behaviour, with the additional 'feature' of spreading itself via removable drives. After unpacking the sample, it reveals some interesting strings:

Notes on Linux/BillGates

In a previous blog post, I wrote some (extensive) notes on Linux/Xor.DDoS, also known as just Xor.DDoS, an interesting type of Linux malware. You can find that particular blog below, in which I give some history, details, remediation and prevention in regards to the specific threat Xor.DDoS poses: Notes on Linux/Xor.DDoS

This post will include some notes on Linux/BillGates, hereafter referred to as just 'BillGates'. Rather than being as in-depth as the previous blog, I will mostly list high-level notes and remediation or disinfection steps. Additionally, after the conclusion, you will find other resources if necessary. In case of questions, comments or feedback, leave a comment or contact me on Twitter.

What is BillGates?

BillGates is malware designed primarily for Linux, and since it is a botnet, it is mostly used for DDoS purposes. However, just as Xor.DDoS, it has limited rootkit and backdoor functionality, and thus it is possible that remote commands are executed as well as additional malware downloaded.

How can I identify BillGates artefacts?

Please find below a table with indicators.

Indicator                    Notes
/etc/cmd.n
/etc/conf.n
/etc/init.d/DbSecuritySpt

CrunchyRoll hack delivers malware

Introduction

There's a Reddit post today with a PSA (Public Service Announcement) about Crunchyroll, a website that offers anime streaming, being hacked:

PSA : Don't enter crunchyroll.com at the moment, it seems they've been hacked.

As mentioned before, Crunchyroll offers anime streaming, and in their own words:

Enjoy your favorite anime & manga at the speed of Japan

The German Crunchyroll team has additionally issued the following warning:

And for our English-speaking audience: Please DO NOT access our website at the current time. We are aware of the issues and are working on it — Crunchyroll.de (@Crunchyroll_de) November 4, 2017

The official CrunchyRoll Twitter account has tweeted the following:

ATTENTION ALL CRUNCHYROLL USERS!! Please DO NOT access our website at the current time. We are aware of the issues and are working on it!! — Crunchyroll (@Crunchyroll) November 4, 2017

If you are only interested in how to remove this malware, scroll down to the disinfection/removal section, or click here.

Update: CrunchyRoll has announced, after a few hours, that the issue is resolved:

We've just gotten the all-clear to say that https://t.co/x1dBCM9X9C is back online!! Thank you SO MUCH for your patience ~ ❤️ pic.twitter.com/FQRRHowvp6 — Crunchyroll (@Crunchyroll) November 4, 2017

However,...

Comparing EternalPetya and BadRabbit

I've created a table comparing the EternalPetya (ExPetr, NotPetya, etc.) outbreak from June, and the BadRabbit ransomware outbreak from yesterday (2017-10-24). I have decided not to include WannaCry (WanaCrypt0r), as they are not related, while EternalPetya and BadRabbit do seem very closely related, or even developed by (a part of) the same people. Use freely, as long as you include a link to the original source, which is this blog post.

Comparison table

Download the table / comparison sheet

Additionally, you may find this image as a handy spreadsheet (which you can also download in several formats) on Google Docs here: EternalPetya_BadRabbit_Comparison

Note: this table or sheet will be updated continuously.

Purpose of BadRabbit?

Again, this makes you wonder about the actual purpose of ransomware, which you can read about here: The purpose of ransomware

For BadRabbit in particular, it may be deployed as a cover-up or smokescreen, or for both disruption and extortion.

Prevention

As for any prevention advice, have a look at the following page I've set up: Ransomware prevention

Disinfection and decryption

Unfortunately, decryption is likely not possible without the cybercriminal's private key. You may be able to...

Notes on Sage 2.2 ransomware version

Sage, also known as SageCrypt, is an interesting ransomware variant which emerged somewhere in December last year, and is believed to be a variant of the CryLocker ransomware. There's a good blog post on BleepingComputer on the first version of Sage, id est "Sage 2".

Yesterday, a personal friend of mine reached out, as his "computer started talking" and his files appeared to be encrypted. And indeed, it appears he suffered the latest variant of Sage: Sage 2.2.

Sage 2.2 appears to have been out for a while, at least since February of this year:

Sage 2.2 sample (at 11/58): https://t.co/XsWMsPcXsj From: nrcommercecom/system/config/spam1.exe - that filename... 👏 More samples: pic.twitter.com/a2J157kjJk — MalwareHunterTeam (@malwrhunterteam) February 21, 2017

Some figures of Sage 2.2 follow below:

Figure 1 - Sage 2.2 desktop background

Figure 2 - Sage 2.2 file recovery instructions

The message reads:

You probably noticed that you can not open your files and that some software stopped working correctly. This is expected. Your files content is still there, but it was encrypted by "SAGE 2.2 Ransomware". Your files are not lost, it is possible to revert them back to normal state...

Rick and Morty episode? Nope, another CoinMiner

Last week I got an email from someone requesting help in regards to a possible malware infection: that person downloaded a torrent, and believed it was a legitimate episode of Rick and Morty, an animated series.

A file called Rick.and.Morty.S03E10.HDTV.x264-BATV.MKV.exe (116 MB in filesize) is of interest to us and, what you'll notice first is of course the file extension: it's an executable. Riiiiiiiiiiiick!

In fact, this file is a self-extracting and password-protected archive which contains two other files:

Figure 1 - two new files in the archive

One file is indeed a legitimate video file, which features the following:

Figure 2 - clip

This short clip has nothing to do with Rick and Morty, but seems to be a promo clip for a new series, called '1922'.

Inside the other file however, another executable, is another self-extracting and password-protected archive, sometimes referred to as 'SFX', with inside ... more archives.

In short, what you actually end up with is a cryptominer or coinminer. In Figure 3 below, you can spot both the passwords used for the archives, as well as the mining pool of interest:

Malicious ad/click networks: common or forgotten threat?

Introduction

Malicious ad/click networks and ad fraud are not an entirely new phenomenon, but it is important to realize the kind of threat they may pose. Is it a common, or forgotten threat? Maybe both.

In this blog post, we'll take a look at how a seemingly innocuous click network and advertiser is actually showing some rather malicious behaviour.

The beginning

It all starts with the following redirect:

Figure 1 - .js download

A 'critical Firefox update' needs to be downloaded and run, with the resulting file having multiple layers of obfuscation. After deobfuscating two layers, we get the following:

Figure 2 - malicious script

The script will attempt to download an .flv file from ohchivsevmeste5com, with additional parameters. While I was unable to reproduce what happened afterwards at the time of writing, it would likely fetch another heavily obfuscated JavaScript, for clickjacking purposes (this behaviour can also be deduced from Figure 1, as it persists in the browser).

Clickjacking is unfortunately not an uncommon phenomenon, and is described by Wikipedia as:

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on...

Crystal Finance Millennium used to spread malware

Earlier today, Costin from Kaspersky tweeted the following intriguing tweet:

The Crystal Finance Millennium website in Ukraine has been hacked and distributing malware since at least August 18. — Costin Raiu (@craiu) August 23, 2017

After some hunting, it was revealed the Crystal Finance Millennium website was indeed hacked, and serving three different flavors of malware. In this short blog post, we'll take a look at the malware variants that were distributed, and provide minimal background.

Introduction

Crystal Finance Millennium's website is currently taken offline by the hosting provider, but archives of the website exist online.

Figure 1 - "At this moment the site is blocked by the hosting administrator"

From the archived webpage, it becomes apparent they provide accounting software, personalisation of medical records, blood service and "full automation of the doctor's office". Contrary to what their company name suggests, it appears they are (mostly) focused on medical software.

Figure 2 - archived webpage of CFM's services

Moving on to the malware present on their website:

Smoke Loader

Smoke Loader, also known as Dofoil, Sharik or just 'Smoke', is a botnet with the main purpose of downloading other malware...

The purpose of ransomware

Ransomware, a phenomenon now very well known, serves one ultimate and obvious purpose: monetary gain for the cybercriminal(s).

However, multiple scenarios are, in fact, possible. Consider any and all of the following:

Deployed as ransomware, extortion;
Deployed as smokescreen;
Deployed to cause frustration;
Deployed out of frustration;
Deployed as a cover-up;
Deployed as a penetration test or user awareness training;
Deployed as a means of disruption and/or destruction.

Let's go over all of these briefly:

Deployed as ransomware, extortion

This has been the traditional approach: ransomware is installed on the victim's machine, and its only purpose is to create income for the cybercriminal(s). In fact, ransomware is simply extortion, but via digital means. I could give 100s, if not 1000s of links as examples, but this search query should suffice and show the current boom or trend in the cybercriminal landscape: https://www.bleepingcomputer.com/search/?q=ransomware

Deployed as smokescreen

A very interesting occurrence indeed: ransomware is installed to hide the real purpose of whatever the cybercriminal or attacker is doing. This may be data exfiltration, lateral movement, or anything else; in theory, everything is a possible scenario... except for the ransomware itself. This may happen more than you think, and begs the question: what is the real purpose here? Ransomware is obvious: files are encrypted, warning or extortion messages...

Display Color Calibration tool DCCW and UAC bypasses

In today's post we'll look at yet another way to bypass UAC using the Display Color Calibration tool, hereafter referred to as "DCCW". DCCW has already been exploited in the past to bypass UAC, more specifically by leveraging DLL sideloading: DccwBypassUAC

This research started by helping out a friend with display issues some months ago, and stumbling upon the DCCW tool, or more specifically, the following blog post: Using the Display Color Calibration Tool (DCCW.exe) in Windows 7 to Get the Most From your Display

Being inspired by Matt Nelson, I decided to have a closer look as to how and why this may be a UAC bypass.

What follows below is purely a Proof of Concept, as you would already need to have compromised the machine (or bypassed UAC, or had the user allow it) in order to execute this. Regardless, it can be used for persistence, and I'd still like for you to follow along on my journey inside the wondrous world of UAC bypasses :-)

This has been tested on: Windows 10 and Windows 8.1, x64 and x86.

Prerequisites:
User has to be a member of the local administrator group.
UAC is ... already disabled, or at a low setting, or the user confirmed...