‘TorrentLocker’: a new ransomware strain using components of CryptoLocker and CryptoWall!

iSIGHT Partners continuously monitors the cyber crime underground and tracks new vulnerabilities and their exploitation. This cyber threat intelligence service has been built over seven years on a well-oiled process and a technology platform based on a formal intelligence lifecycle. In addition to the ThreatScape service, clients have access to our analyst team for inquiries and clarifications, including reverse engineering and analysis of malware samples, to support their own research.

Through our own research and a client inquiry, we recently analyzed a malware sample from a phishing campaign. It is a new type of ransomware that uses components of CryptoLocker and CryptoWall, but its code differs from both of those ransomware families. For this reason we have named it “TorrentLocker”; the analysis follows below.

Key Points:

  • TorrentLocker borrows themes and naming from CryptoLocker and CryptoWall, but it is entirely different at the code level and is believed to be a new ransomware strain.
  • The malware first connects to a command and control server over a secure connection and exchanges certificate information before it begins encrypting files.
  • The malware uses the Rijndael algorithm for file encryption. The encryption password is either stored locally or retrieved from the attackers’ remote server.

Executive Summary

TorrentLocker is a new ransomware strain that appears to use components of CryptoLocker and CryptoWall, but its code differs entirely from those two families. Despite its unique code, the malware presents itself to victims as CryptoLocker, using a ransom message very similar to the one CryptoLocker uses, while the design of its ransom page closely matches CryptoWall. The malware installs itself on the infected machine and injects a binary into a legitimate process; the injected binary encrypts files using the Rijndael algorithm. Once the files are encrypted, the victim is shown a message with a decryption deadline and is instructed to purchase bitcoins from specified Australian Bitcoin websites.

Malware Capabilities and Targeting

TorrentLocker introduces no capabilities beyond those already observed in existing ransomware such as CryptoLocker and CryptoWall. It infects victims through spam, communicates with its command and control (C&C) server before encrypting files, and then demands payment to recover the affected files.

TorrentLocker distribution generally targets Australian entities. The malware may have been built by someone living in Australia who used the currency and website links most familiar to them.

Future Outlook

While TorrentLocker introduces no new capabilities compared with previously observed ransomware, it does introduce the interesting approach of spoofing components of other ransomware families. iSIGHT Partners assesses that use of this malware will not grow significantly because it lacks distinguishing features. Furthermore, TorrentLocker communicates with its C&C before encrypting its victims’ files, in the same way that CryptoLocker communicates with its C&C.

Behavior on Infected System (Dynamic Analysis)

The malware begins by launching a duplicate of its own process, likely because permissions on the local machine prevent it from modifying the already-running explorer.exe. Launching a duplicate copy of itself appears to be an attempt to evade and confuse analysts debugging the malware; it does not appear to provide any added functionality. The binary injected into explorer.exe was originally named rack-core.bin, which explains some of the strings seen in the binary, such as “rack_install,” “rack_uninstall” and “rack_display_crypto_info.”

Before the malware can begin encrypting files it needs an active Internet connection. It first reaches out to a domain hardcoded into the malware to check connectivity. It then sends data to the IP address hosting that domain and exchanges certificate information over a secure connection. If this succeeds, the malware starts encrypting files and, when finished, prompts the user with a ransom message.

Ransom message masquerades as CryptoLocker

IMAGE-1

FAQ for TorrentLocker (similar in appearance to CryptoWall)

IMAGE-2

After clicking the “Restore Files” link, the user is prompted to buy the decryption software.

IMAGE-3

The only payment method accepted by this malware is Bitcoin. The site lists several Australian (.au) Bitcoin exchanges for purchasing bitcoins, as well as a Bitcoin wallet address to which victims should send funds:

IMAGE-4

The Bitcoin address used in the analyzed sample receives relatively low amounts of traffic compared with the addresses associated with other known ransomware.

blockchain.info statistics

IMAGE-5

In addition to purchasing the decryption software, victims can request a single file be decrypted by submitting it to the attackers’ website:

IMAGE-6

The website contains two additional pages: one for contacting the attacker through a web e-mail submission form, and a donation page.

Registry Modifications

• Key: HKCU\Software\Bit Torrent Application\Configuration1000000
• VALUE: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..........ÿÿ..
• Modification: ADD
• Note: Copy of the malware in hex format

• Key: HKCU\Software\Bit Torrent Application\Configuration2000000
• VALUE: 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 C.:.\.W.I.N.D.O.
• Modification: ADD
• Note: Location of the installed copy of the malware; in this case C:\WINDOWS\ykykddin.exe

• Key: HKCU\Software\Bit Torrent Application\Configuration3000000
• VALUE: da 7b a7 7a 64 b1 cf 01
• Modification: ADD
• Note: Crypto key

• Key: HKCU\Software\Bit Torrent Application\Configuration4000000
• VALUE: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 <!DOCTYPE html P
• Modification: ADD
• Note: HTML document containing the ransom message

• Key: HKCU\Software\Bit Torrent Application\Configuration5000000
• VALUE: [Encrypted file count]
• Modification: ADD
• Note: After encryption, stores the number of files encrypted. This value is transmitted back to the C&C and is displayed to the user when visiting the ransom page.

• Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\elwpuhop
• VALUE: C:\WINDOWS\ykykddin.exe
• Modification: ADD
• Note: Autorun registry key
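The registry artifacts above are the most practical host-level indicators for this sample, so the following is an added triage example (not code from the original analysis or from iSIGHT Partners) that classifies the values under the `Bit Torrent Application\Configuration` key by the content signatures the report describes and cross-checks them against the Run key. The sample values are constructed here from the leading bytes quoted in the report (the remainder of each blob is filler), and the value names, the file count of 1337 and the HTML body are assumed rather than taken from the sample.

```python
"""Offline triage of the TorrentLocker registry artifacts described above.

Added example, not part of the original report. Input is a dict of raw
registry value bytes as you would get from an exported hive; on a live
Windows host the same dicts can be filled from the standard winreg module.
"""
import re
import struct

# Constructed sample values: only the first 16 bytes of each are the ones
# quoted in the report, the rest is filler so the blobs resemble a real export.
SAMPLE_CONFIG_VALUES = {
    "Configuration1000000": bytes.fromhex("4d5a90000300000004000000ffff0000") + b"\x00" * 48,
    "Configuration2000000": "C:\\WINDOWS\\ykykddin.exe".encode("utf-16-le") + b"\x00\x00",
    "Configuration3000000": bytes.fromhex("da7ba77a64b1cf01"),
    "Configuration4000000": b'<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"><html></html>',
    "Configuration5000000": struct.pack("<I", 1337),  # assumed file count
}

# Constructed sample of HKCU\...\CurrentVersion\Run; value name from the report.
SAMPLE_RUN_VALUES = {
    "elwpuhop": "C:\\WINDOWS\\ykykddin.exe",
}

# A drive-letter Windows path made of printable ASCII characters.
WINDOWS_PATH = re.compile(r"^[A-Za-z]:\\[\x20-\x7e]+$")


def decode_utf16_path(data):
    """Return the path if `data` is a NUL-terminated UTF-16LE Windows path, else None."""
    if len(data) % 2:
        return None
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    text = text.split("\x00", 1)[0]
    return text if WINDOWS_PATH.match(text) else None


def classify_value(data):
    """Map one registry value blob to the artifact type the report describes."""
    if data[:2] == b"MZ":
        # DOS header of a PE image: the malware keeps a copy of itself here.
        return ("embedded_pe", len(data))
    path = decode_utf16_path(data)
    if path is not None:
        return ("install_path", path)
    head = data[:16].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return ("html_ransom_note", len(data))
    if len(data) == 4:
        # DWORD written after encryption finishes.
        return ("encrypted_file_count", struct.unpack("<I", data)[0])
    if len(data) == 8:
        # The report labels this 8-byte value as the crypto key.
        return ("crypto_key", data.hex())
    return ("unknown", data[:16].hex())


def triage_config_key(values):
    """Classify every value under the 'Bit Torrent Application\\Configuration' key."""
    return {name: classify_value(blob) for name, blob in values.items()}


def find_persistence(run_values, triage):
    """Return Run-key value names whose command matches a stored install path."""
    paths = {detail for kind, detail in triage.values() if kind == "install_path"}
    return sorted(name for name, cmd in run_values.items() if cmd.strip('"') in paths)


def looks_infected(triage, persistence):
    """Flag the host when an embedded PE, an install path and a matching autorun all exist."""
    kinds = {kind for kind, _ in triage.values()}
    return {"embedded_pe", "install_path"} <= kinds and bool(persistence)


if __name__ == "__main__":
    result = triage_config_key(SAMPLE_CONFIG_VALUES)
    autoruns = find_persistence(SAMPLE_RUN_VALUES, result)
    for name, (kind, detail) in result.items():
        print(f"{name}: {kind} -> {detail}")
    print("persistence:", autoruns, "infected:", looks_infected(result, autoruns))
```

The classifier keys on content rather than on value names, so it still works if a variant renumbers the `ConfigurationN000000` values; the persistence check ties the Run entry back to the install path stored in the second value, which is the combination an incident responder would want before declaring a host infected.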
