New CryptXXX Variant Discovered

By Caleb Fenton -

Summary

A new version of the CryptXXX family of ransomware has been discovered which is spreading through spam and perhaps other means. This latest iteration fixes flaws in its file encryption methods which prevents use of free decryption tools and makes it impossible to decrypt files without paying the ransom.

CryptXXX is an actively developed ransomware family. At the time of writing, this particular variant has led to the ransom payment of about $50,000 worth of Bitcoin. With this kind of success, it’s likely we’ll continue to see this family and other ransomware families continue to grow and evolve. Some factors which may contribute to this are the increasing reliance on computers to store and process valuable information and the increasing popularity of Bitcoin which is semi-anonymous, works globally, and is difficult to regulate because it’s completely decentralized.

Packed Sample

  • Filename: F0F3.tmp.dll
  • File size: 310,272 bytes
  • MD5: a89f7c458d358615f2d3f0642141febb
  • SHA-1: 30fcabddf49cc4d8f153f25dcf30e8aec1ac7161
  • SHA-256: fdbeed00cacca229607aa70ee3538c92d57bab7b29cbce0f1c05c1f84c68aa20

Unpacked Sample

  • File size: 165,867 bytes
  • MD5: 995e646c3422407227da96ca888ea324
  • SHA-1: 41706d9153eef3a2f5795e58a334b00fa3f40e8d
  • SHA-256: d9888e38a2f813139331dbac1f07fede19c784a4c2212cff8c17c83a40a2f84d

Similar CryptXXX Sample SHA-1 Hashes

  • 1b7fb5c5b9a7e2994110945c85c955c8829183ee
  • 1ed8fc897d2fa7dcd4402b2646fb041f881fed1b
  • 2ffbc8fc585c7de745bb7cda981abc905aa37304
  • 30fcabddf49cc4d8f153f25dcf30e8aec1ac7161
  • 3c3fc89bb266a79b24c5346fbab879694d2b125e
  • 4c505c31a34b4292875d8590e90c9f09bd76ab04
  • 509a607e614472dbe1f549c45fd63b0b8c5cd905
  • 6514f4e8d9cdc36ba0f944c8ae066208e9bf7c38
  • bbd87b53472c990e9e41e4fcfd3a1b3162f14b6a
  • df31afdc271d968bf001dfdada2ffb87f00ed59a
  • e2b49178abfb1f1c731f74c884d30c60769de696
  • e40f9fabac42822304066725bf0710c2854f91f1
  • fac67e02f3929d9c0dd230aed19192143bededea

A quick check of the malicious DLL’s properties reveals it’s using what appears to be the details of a legitimate DLL named _BigBang.dll from a product called CyberLink PowerDVD Cinema. After hunting down a legitimate copy of _BigBang.dll, though of a slightly older version, it’s clear that the details have been copied exactly.

_BigBang.dll

  • MD5: ea6586e9ba709a18901ae0434d59c3f4
  • SHA-1: f914db2bb213d7bb5af9bc3a4c10d868e9a32075
  • SHA-256: 275ebe2a72951737a3502d00f967c87d4f2fba03c4828d27270ab0f88a4d8f65

We’ve shown in another CryptXXX blog post that a previous sample of CryptXXX copied the details from a legitimate Microsoft DLL. The perfect fidelity of the reproduction of these details seems to suggest that the process is performed programmatically, perhaps as part of the build or distribution process.

The unpacker’s imports looked mostly benign, with only a few crypto-related functions to raise an eyebrow.

The list of exports is unusually large for a program with seemingly no actual legitimate functionality:

In both imports and exports there are many functions related to image processing which do not seem to serve any real purpose. Further, the imports and exports are completely different from those of the legitimate _BigBang.dll. It may be safely assumed these functions are present to thwart analysis.

Unpacker Behavior

The unpacking happens by allocating memory for the encrypted payload with VirtualAlloc and then copying over the encrypted bytes.

After that, the payload is decrypted, but it is still compressed.

I was looking for an “MZ” header but instead found “M8ZP8” and a partially readable “This ? progr3am …” string common to all Windows executables. The “M8ZP8” header is consistent with aPLib compressed PE file. This Python script contains an implementation of the algorithm and a technical description of how it works. I dumped the memory segment containing the compressed payload, trimmed all but the last null byte and successfully decompressed it using the aforementioned Python script. The resulting file could be analyzed in IDA but was not complete and did not contain a valid import table.

Once the payload is decrypted, the unpacker creates a file at the path C:\PROGRA~2\Z (c:\ProgramData\Z). Then, the file is checked using kernel32.GetFileType to determine if it’s a FILE_TYPE_CHAR. If it is, the code eventually terminates without executing the malicious payload. After that, the current time, file name, and \r\n are combined into a string and written to the Z file. For example:

The file is deleted shortly after the string is written to the file. It’s not clear what the purpose of this is. It could be to create noise in the API calls to deter analysis.

Next, the unpacker determines the location of the Startup by querying the registry key: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup. By default, on Windows 7, this path is C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. This path is used by the unpacked code to place an HTML ransom note which is opened whenever the computer is started to ensure the victim knows how to recover their files.

The analyzed sample was originally executed from a Windows shortcut (.lnk file). The shortcut points to rundll32.exe F0F3.tmp.dll,MSX3. Arguments for rundll32.exe can be delimited by commas or spaces, and this particular command will load F0F3.tmp.dll and then execute the MSX3 function. The MSX3 function is not present in the unpacker, so it must be part of the unpacked payload. Knowing this, it was possible to dump a fully-unpacked payload by first watching calls to VirtualProtect since it’s needed to change the permissions on memory segments containing the newly unpacked code. Once there are calls to VirtualProtect on the packer’s memory segments, I created a breakpoint at GetProcAddress since it is needed to determine the address of the MSX3 function.

Shortly after the MSX3 address is retrieved, execution jumps to that address and the file encryption and ransom behavior begins.

Payload Behavior

The payload appears to have been compiled using Delphi because of the existence of a CODE section (rather than .text). It also contains several imports which seem to be used for DNS, POP3 and SMTP. However, these functions are called through a different entry point than MSX3.

The victim’s files are encrypted using a combination of RSA and RC4. The encrypted versions of the files have a file extension of .cryp1. The previous version of CryptXXX used .crypz and the version before that used .crypt. Also, previous versions had a flaw in how they implemented the encryption which allowed certain tools to decrypt the files without having to pay the ransom. However, this version does not have this flaw.

Ransom notes are created in each folder where a file is encrypted. One is in text and the other is in HTML. The text ransom note contains the following:

"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

All your files are encrypted.

"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

ID: RANDOM-ID-123

"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

http://hn5fbbc4pyz77xfa.onion.to
http://hn5fbbc4pyz77xfa.onion.cab
http://hn5fbbc4pyz77xfa.onion.city

"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

Download and install tor-browser https://torproject.org/projects/torbrowser.html.en

"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

TorURL: http://hn5fbbc4pyz77xfa.onion

"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

Write down the information to notebook (exercise book) and reboot the computer.

"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

When file encryption is complete, all shadow volume copies are deleted which prevents restoring from backups.

It also displays this ransom screen:

To further warn the user, two files are created in
C:\Users\<username>\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ with the names <RANSOM ID>.html and <RANSOM ID>.bmp. This causes a slightly different version of the ransom note to appear when the machine is rebooted. It appears as:

Navigating to the directed payment page gives us this login prompt which boasts and impressive number of locales:

After logging in with the assigned ransom ID, this page is displayed.

This page contains all of the necessary information and instructions for someone unfamiliar with Bitcoin to be able to purchase them and pay the ransom.


The page also sports a limited test decryption service:

This is a good idea from a psychological standpoint since the malware authors know that people are more likely to pay for something if they know that it will work. This tool allows their victims to confirm decryption is possible, but doesn’t allow them to decrypt any sizable file since there’s a limit of 512 KB.

C&C Server Analysis

The two C&C servers are:

  1. 85.25.194.116
  2. 188.0.236.7

Reverse DNS shows that these hostnames at one point pointed at 85.25.194.116:

Date Seen Host
2016-06-02 carspot.co.in
2016-05-27 astra1767.startdedicated.net
2016-01-25 www.capitalsend.info
2016-01-24 bikespot.in
2016-01-23 ns1.capitalsend.info
2016-01-23 ns1.investmentreply.info
2015-12-20 capitalsend.info
2015-11-24 investmentreply.info
2015-10-29 www.investmentreply.info
2015-07-09 pure-send.com

The three main top level domains which seem to be associated are:

  1. capitalsend.info
  2. investmentreply.info
  3. pure-send.com

The others do not appear related, at least on a first pass.

The following domains were registered by “[email protected]” which is the same email address as the one for capitalsend.info.

  • anlegersmart.com
  • communicationsdigest.com
  • fininvest.info
  • finreply.info
  • finstock.info
  • sharefinance.info
  • sharefinancial.info
  • sharehold.info
  • smartanleger.net
  • spamerlist.com
  • yourspamshield.com

Interestingly these domains also share a similar theme as those associated with the C&C IP address: investment, finance, and spam.

A file named unsubscribe.php is known to have been downloaded from the 85.25.194.116 IP address. Given the name and the comments on VirusTotal, it seems likely it’s associated with a spam campaign. This suggests that one distribution method of this new CryptXXX version may be through spam.

Ransom Payment Analysis

The ransom Bitcoin address is 18e372GNwjGG5SYeHucuD1yLEWh7a6dWf1.

This address has received over 70Ƀ (Bitcoin) from 6/4/2016 to 6/21/2016 over 61 transactions and all received transactions are either for 1.2Ƀ, 2.4Ƀ. This would indicate that this address is used purely for ransom payments and has affected 61 individuals or organizations in those 17 days.

The total amount in USD paid can be calculated by averaging the Bitcoin price over the the past two weeks to be around $500 USD (most transactions happened before rally of Bitcoin to >$700). The total ransom paid comes out to be about $35,000 (500 * 70). At current Bitcoin prices, the ransom paid thus far is worth ~$49,700 at $710 USD per 1 XBT.

While the consistent transaction amounts would suggest that all transactions to this address are for CryptXXX malware, it’s impossible to be certain. Also, multiple addresses may be used for this malware family. Since this address didn’t have any activity until 6/4/2016, it’s likely that one new address is being used per version or campaign.

Funds at that address are regularly swept to a new, unique address which suggests they may be using a Bitcoin tumbler to mask where the coins are flowing.

Want to know what to do about Ransomware? Read this short paper on steps you can take today. Or watch our webinar on the fundamentals of Ransomware with Jeremiah Grossman, Chief of Security Strategy.