raistlin
00:00

A few notes on the recent wave of Cryptolocker attacks


A wave of cryptolocker samples hit recently, with the following interesting characteristic: besides the usual English version, there were French, Italian, German and Dutch versions.

At least the Italian one featured a very convincing translation of the emails used to social-engineer users into installing the malware, which arguably gives it a high success rate.

The propagation vector is an email attachment: a .cab archive containing a .scr executable. According to intelligence, this is a Dalexis dropper that eventually installs CTB-Locker.

The malware encrypts all files with the following extensions:
wm,kwm,txt,cer,crt,der,pem,doc,cpp,c,php,js,cs,pas,bas,pl,py,docx,rtf,docm,xls,xlsx,safe,groups,xlk,xlsb,xlsm,mdb,mdf,dbf,sql,md,dd,dds,jpe,jpg,jpeg,cr2,raw,rw2,rwl,dwg,dxf,dxg,psd,3fr,accdb,ai,arw,bay,blend,cdr,crw,dcr,dng,eps,erf,indd,kdc,mef,mrw,nef,nrw,odb,odm,odp,ods,odt,orf,p12,p7b,p7c,pdd,pdf,pef,pfx,ppt,pptm,pptx,pst,ptx,r3d,raf,srf,srw,wb2,vsd,wpd,wps,7z,zip,rar,dbx,gdb,bsdr,bsdu,bdcr,bdcu,bpdr,bpdu,ims,bds,bdd,bdp,gsf,gsd,iss,arp,rik,gdb,fdb,abu,config,rgx

At the moment I am not aware of any way to extract the key or reverse the process. The only resolution available is to restore data from backups. A worthwhile attempt could be to carve the drive in the hope of recovering the former versions of the files.
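To illustrate the carving approach mentioned above, here is an added example written for this note (it is not code from the post, nor from any existing recovery tool such as PhotoRec or scalpel). It implements a minimal header/footer signature carver over a raw byte image: for each known header it looks for the matching footer within a size limit, collects the span, and skips headers whose footer is missing (a partially overwritten file). The signature table, the 50 MiB size cap and the in-memory sample image are constructed for the example; a real table would carry many more formats and per-format size limits.

```python
"""Minimal header/footer signature carver for recovering deleted files from a raw image."""
from dataclasses import dataclass
from pathlib import Path

# Hypothetical minimal signature table: header bytes and the footer that ends the file.
# Real carvers (PhotoRec, scalpel, foremost) ship far larger tables with per-type limits.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE_LEN = 50 * 1024 * 1024  # give up on a header whose footer is further away than this


@dataclass
class CarvedFile:
    kind: str
    offset: int
    data: bytes


def carve(image: bytes, signatures=SIGNATURES, max_len=MAX_CARVE_LEN) -> list[CarvedFile]:
    """Return every header..footer span found in `image`, sorted by offset."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            limit = min(len(image), start + max_len)
            end = image.find(footer, start + len(header), limit)
            if end < 0:
                # Header without a footer in range: partially overwritten file, skip it.
                pos = start + 1
                continue
            end += len(footer)
            found.append(CarvedFile(kind, start, image[start:end]))
            pos = end
    found.sort(key=lambda f: f.offset)
    return found


def carve_to_dir(image: bytes, out_dir: Path) -> list[Path]:
    """Write each carved span to out_dir as <offset>.<kind> and return the paths."""
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for f in carve(image):
        p = out_dir / f"{f.offset:012d}.{f.kind}"
        p.write_bytes(f.data)
        paths.append(p)
    return paths


def build_sample_image() -> bytes:
    """Constructed stand-in for a disk image: three tiny files separated by zero filler."""
    filler = b"\x00" * 64
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-sample" + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj\nendobj\n%%EOF"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-sample" + b"IEND\xaeB`\x82"
    return filler + jpg + filler + pdf + filler + png + filler


if __name__ == "__main__":
    # On a real case: carve_to_dir(Path("disk.dd").read_bytes(), Path("carved"))
    for f in carve(build_sample_image()):
        print(f"{f.kind} at offset {f.offset}, {len(f.data)} bytes")
```

On a real drive, work from a read-only image (and mmap it rather than reading it whole) so the attempt cannot destroy anything. Carving only recovers plaintext clusters that were released and not yet reused; whether any survive depends on how the malware wrote the encrypted copies and on how much the disk was used afterwards, so image the drive before doing anything else with it.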

A couple of virustotal sample analyses:

Runtime info for the latter:

Another runtime analysis of a similar sample:

The following connections are observed with this specific dropper:
"91.142.215.77" TCP 443
"95.211.144.65" TCP 443
"66.96.131.12" TCP 443
"mmadolec.ipower.com"
"evalero.com"
"springtree.cba.pl"

The in-memory strings contain the following URLs, common to Dalexis:

"hXXp://collection-opus.fr/_gfx/cario.tar.gz"
"hXXp://compassfx.com/OLD/cario.tar.gz"
"hXXp://evalero.com/img/cario.tar.gz"
"hXXp://masterbranditalia.com/downloader/cario.tar.gz"
"hXXp://mmadolec.ipower.com/me/cario.tar.gz"
"hXXp://springtree.cba.pl/modules/cario.tar.gz"

A semi-useful IOC is the following string, which seems to appear in many samples: "proftur.pdb"

Also, intelligence says that samples connect to the Tor hidden service dpaqjri6tinnqleh via Tor2web proxies, e.g.:
dpaqjri6tinnqleh.onion.lt
dpaqjri6tinnqleh.onion.gq
dpaqjri6tinnqleh.onion.cab
dpaqjri6tinnqleh.tor2web.org
dpaqjri6tinnqleh.tor2web.fi
dpaqjri6tinnqleh.tor2web.blutmagie.de

Unconfirmed intelligence suggests the use of 587/tcp (SMTP submission) to send spam, possibly for propagation.

A few hashes of samples:
SHA256 (august-bebel-str_17_15569_woltersdorf.cab) = 7efcbd21fafaa001488491599b8e0fe9235b08c523b866a06cd8d538255f9d37
SHA256 (barquiel_y_hurtado_s_l.cab) = 675e79c44d0223d63a7cf311ce59c541cb93b3e6f09e1e670b4f0fca15d71476
SHA256 (berliner_all_33_40212_dsseldorf.cab) = 8aba6e465598ee28e9a59657db3604b7ac9250352ac81fbf052ce2a373f1ef23
SHA256 (bureau_detudes_clement_sas.cab) = e99e4bc3d477654cc74dc735854a628e5bf20ba844d7abd4e45f70799d92e284
SHA256 (cariverona_banca_spa.cab) = 8b580acada5284bc8e95f8f69d66930d91c7c1c5c6a88899c102312083dd1f96
SHA256 (daimlerstr_6_71546_aspach.cab) = 675d395c361a37d0afea0010d20bca0ebfdbf8c6a18e396e1008370e955ae9a9
SHA256 (entreprises_gros-louis_roger.cab) = 1e41dafe1795b6956e2410979ee7e8c0aab20fac77594955293807c7286ddc09
SHA256 (envol_voyages_sarl.cab) = 8799ca8ecfdae3451ffbd56fd7f487bfedf9a870bf378b4f4ce13825e9462755
SHA256 (fico_tooling_bv.cab) = 97823a4065d0f8db039e5ece3a0a65a01057d0d976232abda828914fc24c458e
SHA256 (friesenstr_40_26655_westerstede.cab) = f26e80494cd83400115dc0fcb6148c65be347fe1e8339e8c2c4efefdff3013c0
SHA256 (jahnstr_18_42579_heiligenhaus.cab) = adaa38dbaecd443c48d249f04c599000fbc3653937972a67123ba2d065c03e78
SHA256 (lantania_srl.cab) = 87e11ae952e8e991f1de70511d33ae642a2d8e9602d5d54b0a5b8a6d9223f5be
SHA256 (mokrupak_verpakkingen_bv.cab) = 53f990073b7e3c68bf7a92233f4ba600619f172ffa48294eda5422077c16c206
SHA256 (pocklington_coach_works_ltd.cab) = 1671e03689b67602a9ec64395f49f16021c5b7c0c28b9f5f514705c9161006d5
SHA256 (rheinmhlenstr_7_68159_mannheim.cab) = dc7f73ec15eee49e3f88a92ae710f966f75bda62e668c71a5f9d6348b1b5dcca
SHA256 (scitec_group_ltd.cab) = d2fe2adea73466264461a05da4e0fcae41aebf57bbe0f1c0f07a9eb8edf2f80b
SHA256 (siempelkampstr_94_47803_krefeld.cab) = a1cb46f0f65607afa2304a378c17274bf4f05bfb6d6d461679b71423d77ce204
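To make the indicators above directly usable, here is an added example (written for this note, not part of the original post) that loads the C2 IPs, the hosts from the connection list and the Dalexis URLs, the Tor2web gateways, the "proftur.pdb" string and a subset of the SHA256 hashes, then runs them over constructed proxy log lines and a list of observed digests. The log format, the timestamps and client addresses, and the host dpaqjri6tinnqleh.gateway.example are made up for the example. The matcher treats the hidden-service name as a hostname prefix, so it goes slightly beyond the listed gateways and flags the same onion address reached through any Tor2web-style proxy.

```python
"""Match the CTB-Locker / Dalexis indicators from the note against logs and hashes."""
import re
from typing import Iterable

# Indicators transcribed from the post above.
C2_IPS = {"91.142.215.77", "95.211.144.65", "66.96.131.12"}
C2_HOSTS = {
    "mmadolec.ipower.com", "evalero.com", "springtree.cba.pl",
    "collection-opus.fr", "compassfx.com", "masterbranditalia.com",
}
PAYLOAD_PATH = "cario.tar.gz"          # tail of every Dalexis download URL
HIDDEN_SERVICE = "dpaqjri6tinnqleh"    # Tor hidden service reached via Tor2web gateways
PDB_STRING = "proftur.pdb"             # string seen in many samples
# Subset of the SHA256 hashes listed in the post (lower-case for comparison).
SAMPLE_SHA256 = {
    "7efcbd21fafaa001488491599b8e0fe9235b08c523b866a06cd8d538255f9d37",
    "675e79c44d0223d63a7cf311ce59c541cb93b3e6f09e1e670b4f0fca15d71476",
    "8aba6e465598ee28e9a59657db3604b7ac9250352ac81fbf052ce2a373f1ef23",
    "a1cb46f0f65607afa2304a378c17274bf4f05bfb6d6d461679b71423d77ce204",
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Dotted names whose last label is alphabetic, so IPs are not double-counted as hosts.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def match_line(line: str) -> list[str]:
    """Return indicator tags found in one free-text log line (empty list if none)."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in C2_IPS:
            hits.append(f"c2-ip:{ip}")
    for host in sorted({h.lower() for h in HOST_RE.findall(line)}):
        if host in C2_HOSTS:
            hits.append(f"c2-host:{host}")
        elif host.startswith(HIDDEN_SERVICE + "."):
            # Prefix rule: catches any gateway suffix, not only the ones listed in the post.
            hits.append(f"tor2web-gateway:{host}")
    lowered = line.lower()
    if PAYLOAD_PATH in lowered:
        hits.append(f"payload-url:{PAYLOAD_PATH}")
    if PDB_STRING in lowered:
        hits.append(f"pdb-string:{PDB_STRING}")
    return hits


def scan_log(lines: Iterable[str]) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, tags) for every line with at least one hit."""
    results = []
    for lineno, line in enumerate(lines, start=1):
        hits = match_line(line)
        if hits:
            results.append((lineno, hits))
    return results


def match_hashes(observed: Iterable[str]) -> set[str]:
    """Intersect observed SHA256 digests (any case) with the known sample hashes."""
    return {h.strip().lower() for h in observed} & SAMPLE_SHA256


# Constructed proxy log for the example; timestamps, client IPs and the
# ".gateway.example" host are made up.
SAMPLE_PROXY_LOG = """\
2015-02-18T09:12:01 10.0.0.15 GET http://www.example.com/index.html 200
2015-02-18T09:12:44 10.0.0.15 GET http://evalero.com/img/cario.tar.gz 200
2015-02-18T09:13:02 10.0.0.15 CONNECT 91.142.215.77:443 200
2015-02-18T09:15:10 10.0.0.15 GET http://dpaqjri6tinnqleh.tor2web.org/ 200
2015-02-18T09:15:30 10.0.0.15 GET http://dpaqjri6tinnqleh.gateway.example/ 200
2015-02-18T09:16:00 10.0.0.22 GET http://www.example.org/ 200
"""

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f"line {lineno}: {', '.join(hits)}")
    print(match_hashes(["7EFCBD21FAFAA001488491599B8E0FE9235B08C523B866A06CD8D538255F9D37"]))
```

The matcher is deliberately format-agnostic (it pulls IPs and hostnames out of free text), so the same function works on proxy logs, DNS query logs or a sandbox strings dump. Hash matching is exact, so it only confirms the listed samples; for new variants of the same campaign, the .cab-with-.scr attachment pattern and the cario.tar.gz download are the more durable signals.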
Tags: cryptolocker
