Threat focus: CRYPTOWALL4
Continuously updated malware
Original article: http://blog.talosintel.com/2015/12/cryptowall-4.html
0x00 Abstract
In the past year, Talos has spent a lot of time studying the operating principles of ransomware, managing it with other malware, and its economic impact. This research is of great value for developing detection methods and cracking attacks by attackers. CrytoWall is a malware. In the past year, it was first upgraded to CryptoWall2 and then to CryptoWall3. Although everyone is trying to detect and destroy its attack behavior, this malicious software developer is still very powerful and has improved some skills. Then, the CryptoWall4 version is released.
In order to ensure the most effective detection, Talos reversed CryptoWall4 to understand its behavior, as well as the differences after the upgrade, and shared our research results here.
Readers may be unfamiliar. ransomware is a malware that locks User Files (such as photos, documents, audio files, and so on) and encrypts them. The user needs to send a ransom to decrypt these files and view the contents. Generally, ransomware is infected by phishing emails. The core functions of CryptoWall4 remain unchanged. encryption of user files requires ransom decryption. However, Talos has discovered some new features. For example, the encryption algorithm has changed, and CryptoWall4 has added a new technology to disable and delete all Windows automatic backup mechanisms. It is basically impossible to restore files without external backup.
We also found that CryptoWall4 uses some undisclosed APIs to obtain the local language settings of the intrusion host. The new features of CryptoWall discovered by Talos will be elaborated in later articles.
For experienced readers, we recommend that you continue reading in the afternoon. We strongly recommend that users and enterprises follow security regulations and adopt multi-level detection methods to avoid risks. Our in-depth analysis of the new version of CryptoWall gives us technical support to protect users and determine better detection solutions. Finally, the FBI declared that the user could not pay the ransom. Talos strongly recommends that users do not pay ransom because this will directly benefit this malicious action.
0x01 Infection
CryptoWall operators use phishing and drive-by-download to spread their malicious programs to users. Once CryptoWall4 is successfully run, an RSA public key is downloaded from the C2 service. Then, all files are temporarily encrypted by the AES key, and then the downloaded RSA key is encrypted. You will be notified in three different ways that you are encrypted. The first is a batch file, the second is a .png image, and the third is an HTML document. All are automatically opened from the victim's desktop. As shown below.
FigureA.1
FigureA.2
FigureA.3
FigureA.4
FigureA.5
An interesting discovery is that once CryptoWall4 cannot retrieve the RSA public key from the C2 server, it will continuously download the public key. As long as the public key is not available, CryptoWall will not damage the victim's computer. Talos also observed that this sample also had some additional security checks. For example, if the language on the victim's machine is not supported, the infected process is automatically terminated. The following language settings will not be infected:
Russian, Kazakh, Ukrainian, Uzbek, Belarusian, Azeri, Armenian, Kyrgyz, Georgian.
Obviously, attackers want to exclude some areas from infection.
The infected process is described as follows:
Figure B
Starting from the "Delete all shadow copies" shown, CrytoWall4 has been injected into the svchost process. This process is injected to bypass UAC by obtaining higher permissions on the victim's machine. Only when you have the permission can you silently delete all system backups. Otherwise, a UAC will prompt you to handle them.
C describes its network communication. It uses the HTTP protocol, but encrypts the payload. D and fig E
Figure C
Figure D
Figure E
CryptoWall4 uses a new file name generation algorithm to name the encrypted file:
Scan the disk drive, exclude the disk drive in the white list from getting the original file from the directory, and then skip the file name and extension in the white list to generate a random File Name Length (5-10) the file name is constructed by a random 'a-Z' and the length is 3. (First obtain a random number ranging from 0 to, then modulo 26, and then change it to a letter of 'a-Z') the name string ends with Null. a Random Number num1 is obtained between size/2 and size. (Size is the file name length) Remove a random number num2 from one num1 (num2 determines the number of random numbers inserted into the file name string next) obtain a random 0-9 (char type), insert it to the random position of the file name and repeat Step 8. num2 uses the same algorithm to generate the extension, but the length is 2-5 after the file name is added with the extension.
CryptoWall4 uses the CRC32 Verification Algorithm to Exclude directories, file names, and extensions. The following are some whitelists:
Extensions:
Exe, dll, pif, scr, sys, msi, msp, com, hta, cpl, msc, bat, cmd, scf
Directories:
Windows, temp, cache, sample, pictures, default pictures, Sample Music, program files, program files (x86), games, sample videos, user account pictures, packages
Files:
Help_your_files.txt, help_your_files.html, help_your_files.png, thumbs. db
The complete whitelist is Appendix A at the end of the article.
These directories, file names, and extensions in the whitelist are designed to ensure the stability of the operating system. This means victims can continue to pay ransom with their computers. Any infected user should remember that the encryption will run automatically after the next boot, and then any newly created files will be encrypted once.
After the file name of the new file is generated, its encryption algorithm F: this clearly tells us that after CryptoWall4 encrypts the file, if there is no RSA private key to restore the AES key, it is basically impossible to restore a file. However, the private key only exists on the attacker's computer and is not transmitted to the user's computer. In other words, users cannot restore files without paying a ransom to obtain the private key. Users should back up their important files to ensure that they can be restored without paying ransom after such attacks.
Figure F
0x02 subject
Virus program subjects are compressed and protected by different shells. The shells contain a lot of junk code, useless API calls, and code obfuscation techniques, such as using random APIs, the parameter is still strange.
Figure G
The second layer of protection uses a code in the form of staggered jump:
INSTRUCTION 1INSTRUCTION 2JNO nextSteo
0x03 extract code
The main code is very similar to the previous version of CryptoWall: first, construct your own IAT, obtain the required system call and create your own main event object to manage process synchronization (the name is MD5 of workstation ). This event has two goals: prevent other CryptoWall4 processes from running during execution and implement synchronization for different processes related to infection. This code is written into a process named "zookeeper er.exe. The actual code injected into the target process uses one of the two technologies:
ZwCreateSection and ZwMapViewOfSectionZwAllocateVirtualMemory, ZwWriteVirtualMemory and ZwProtectVirtualMemory
Finally, the Code is relocated. Two different technologies are used for injection:
Use the internal API ZwQueueApcThread to inject the APC queue to the classic CreateRemoteThread method of the target process.
The code that is finally injected into the new host "explorer. exr" process will be executed and then the system will be infected with CryptoWall4 for continuous infection. The Program subject is copied to the % APPDATA % directory, and then added to the "Run" key value in the user root directory to enable the program to automatically start upon startup.
Virus programs use a method that has not yet been detected to disable restore points of all systems, and back up data in windows. Call SRRemoveRestorePoint first, and then the parameter is 0-1000 until the method returns ERROR_INVALID_DATA. It sets the "DisableSR" key value in the path of HKLM \ Software \ Microsoft \ Windows Nt \ SystemRestore to 1, thus completely disabling system restoration. Finally, it starts to execute the standard command to delete the storage backup:
#!bashvssadmin.exe Delete Shadows /All /Quiet
The following process is in the "cmdsvchost.exe" process. The code will recreate the IAT table, create another event (only used in "svchost. ext"), and then form and open your own configuration file. This step often fails because the configuration file does not exist yet. Dropper open and decompress its own C & c url list (using the LZ compression algorithm ). Finally, it tries to send a broadcast to connect one of the C & C servers.
You can find the list of C & C servers used by malicious programs in the IOC segment.
The Network Package of CryptoWall4 is special, as shown below:
| Request Id | crypt7 | workstation MD5 [| subRequest Id 1 | subRequest 1 Data |... ]
At the time of writing this article, we successfully divided five different types of packages (different request IDs ).
1, 3 --- Announcement packet -- used to tell C & C server that a new machine has been infected with 7 --- Multi purpose packets. The first sub-request ID is used to distinguish different types of packets: 1-Public key request-is used to request a new Public key from C & C server, prepare 2-End announcement packet for subsequent encryption to tell the server that the infection is over. Another sub-request ID indicates how the infection ends: 1-Success 2, 3-Unsupported OS language packet-Exit
These packages are sent to the network using the standard HTTPS protocol, but are encrypted before that. The encryption algorithm is very common. A random string is used as the key to form a data stream in this format:
| Letter | = | encryption Key in Hex | encrypted stream |
For example:
S = bytes
After the broadcast process successfully connects to the C & C server, it requests to obtain the public key. Here is a shortcoming of CryptoWall4: If the firewall or IPS is good enough to intercept the CryptoWall4 package, the infection will not continue. The request ID of the RSA-2048 public key request package is 7. The packages returned by the C & C server are composed of the following:
Payment URL list base64 encrypted RSA-2048 Public Key base64 encrypted PNG Image (image determined by system language settings)
Figure H.1
Figure H.2
Figure H.3
The Public Key is decrypted using the CryptStringToBinary API. The decrypted data is stored in a global variable. HTML and text files (compressed by LZ compression algorithm) are released by dropper. The configuration files are created and encrypted and stored in C: \ Users \ [Username] \ AppData \ Roaming \ [Random 8 digits.
CryptoWall4 checks the integrity of the configuration file, including all the information required to execute malicious code. It will also ensure that even if it is interrupted, malicious programs can continue to encrypt files. This file contains many consecutive segments starting with a DWORD Value to specify the size of the segments.
CryptoWall4 stores the following information in the configuration file:
The binary stream data of the received public key is a PNG image of the HTML page that matches the user's language and the text file that matches the user's language (that is, to make the victim understand it) that matches the user's language)
After the file encryption process is completed, the last three files will be written to all directories of infected machines.
The configuration file is eventually compressed (LZ compression algorithm, RtlCompressBuffer API, parameter is 2 COMPRESSION_FORMAT_LZNT1) and then written to the disk.
If everything goes well, the main thread will be created and the previous thread will be terminated (RtlExitUserThread)
0x04 main thread
The main thread starts from importing the public key. This will parse the binary data of the encrypted public key into a data structure recognized by Windows Crypto APIs. CryptoWall4 uses the CryptDecodeObjectEx API to parse the encrypted public key. After that, the binary data is converted into a CERT_PUBLIC_KEY_INFO struct. Finally, the new data structure is imported into Crypto APIs. The function used is CryptImportPublicKeyInfo, and a xx handle is returned. It then calculates the MD5 of the public key, which is very important because it is used to check whether the victim's file is encrypted.
After that, the real encryption process starts. For each logical partition, the following check is performed:
#!cppLPWSTR pngFilePath = new TCHAR[MAX_PATH];// This produces something like "C:\HELP_YOUR_FILES.PNG"ComposePngPath(driveName, "HELP_YOUR_FILES.PNG", pngFilePath, MAX_PATH);if (!FileExists(pngFilePath) == TRUE) { // Proceed with the encryption // … … …}
Generally, if the root directory of the disk contains the HELP_YOUR_FILES.PNG file, the disk will be skipped. We don't know whether this is a bug or whether it did it. For each filtered disk, a new encryption thread is started (the parameter of the main function of the thread is a small struct, one is the public key, and the other is the pointer to the disk name string)
The main thread waits for all encryption processes to complete. Then place the three files containing decryption instructions in two locations: one is the startup directory of the Start menu, but the desktop.
Finally, an end announcement package is created and sent to the C & C server. The configuration file is deleted and the process is terminated (using ZwTerminateProc)
Figure I
0x05 encryption thread
The encryption thread has two main tasks: first, it calls "DoFilesEncryption" to encrypt all files out of the whitelist, and finally it writes HELP_YOUR_FILES.PNG to the root directory.
DoFileEncryption traverses all folders and files in the target disk directory.
When a subdirectory is encountered, the directory name is checked and CRC32 is checked to check whether it is in the whitelist (in this way, folders such as windows, system32, and temp are filtered out ). Check whether HELP_YOUR_FILES.PNG exists. If not, call DoFileEncryption. The parameter is the current directory.
The file is checked twice: the extension and file name. If it is not in the whitelist, EncryptFile is called for encryption.
The "EncryptFile" function is used to encrypt the target file. The "IsFileAlreadyEncrypted" function checks whether the target file is encrypted: Read the first 16 bytes and compare it with the MD5 value of the public key.
In this case, malicious programs generate random file names and extensions. The following is an algorithm: (use the RtlRandomEx API to obtain each printable character)
#!cpp// Generate a random valueDWORD GenerateRandValue(int min, int max) { if (min == max) return max; // Get the random value DWORD dwRandValue = RtlRandomEx(&g_qwStartTime.LowPart); DWORD dwDelta = max - min + 1; dwRandValue = (dwRandValue % dwDelta) + min; return dwRandValue;}// Generate a Random unicode stringLPWSTR GenerateRandomUString(int minSize, int maxSize) { DWORD dwStringSize = 0; // Generated string size DWORD dwNumOfDigits = 0; // Number of number letters inside the string LPWSTR lpRandString = NULL; // Random unicode string // Generate the string size, and alloc buffer dwStringSize = GenerateRandValue(minSize, maxSize); lpRandString = new TCHAR[dwStringSize+1]; for (int i = 0; i < (int)dwStringSize; i++) { DWORD dwLetter = 0; // Generated letter dwLetter = GenerateRandValue(0, 1000); dwLetter = (dwLetter % 26) + (DWORD)'a'; lpRandString[i] = (TCHAR)dwLetter; } // NULL-terminate the string lpRandString[dwStringSize] = 0; // Now insert the digits inside the string DWORD dwUpperHalf = GenerateRandValue(dwStringSize / 2, dwStringSize); dwNumOfDigits = GenerateRandValue(1, dwUpperHalf); for (int i = 0; i < (int)dwNumOfDigits; i++) { DWORD dwValue = 0, dwPos = 0; // Generated value and position dwValue = GenerateRandValue(0, 9) + (DWORD)'0'; dwPos = GenerateRandValue(0, dwStringSize-1); lpRandString[dwPos] = (TCHAR)dwValue; } return lpRandString;}// Generate a random file name starting from a file full pathBOOLEAN GenerateRandomFileName(LPWSTR lpFileFullPath, LPWSTR * lppNewFileFullPath, LPWSTR * lppOrgFileName) { LPWSTR lpRandFileName = NULL; // New random file name (without extension) LPWSTR lpRandExt = NULL; // New random file extension LPWSTR lpNewFileName = NULL; // The new file full name DWORD dwSize = 0; // size of the new filename // Check the arguments if (!lpFileFullPath || !lppNewFileFullPath || !lppOrgFileName) return FALSE; // Generate the new file name (without extension) lpRandFileName = GenerateRandomUString(5, 10); // Generate the random file extension lpRandExt = GenerateRandomUString(2,5); // Combine the new file name and extension and generate the final new file path // .... dwSize = wcslen(lpRandFileName) + wcslen(lpRandExt) + 1; lpNewFileName = new TCHAR[dwSize+1]; swprintf_s(lpNewFileName, dwSize+1, L"%s.%s", lpRandFileName, lpRandExt); // ....}
The new file is created, and a new AES-CBC 256 key is also generated by calling CryptGenKey and CryptExportKey. The 32-bit key is used to encrypt the entire file.
At this time, CryptoWall4 adopts a technique: The generated AES key is encrypted with the RSA-2048 Public key obtained from the C & C server, thus a 256-bit key is generated and can only be decrypted by attackers.
The MD5 value of the RSA public key is written to the header of the encrypted file in 16 bytes. Then, CryptoWall4 writes a 256-bit encrypted string. The attributes and size of the original file are written to the next 8 bytes. The original file name is encrypted by the AES key, and then written to the new encrypted file together with the file size.
After that, the real file content is encrypted. The original file is read kb each time and stored in a large data block. Each database is encrypted with an encryption key for AES-CBC 256 encryption. Then write the data directly to the new file (the first four bytes are the block size)
After completion, all the resources occupied by CryptoWall4 are released. The process of deleting the original file is interesting. See the following code:
#!cpp// Move the new encrypted file name in the old original position, replacing the old onebRetVal = MoveFileEx(newEncFileName, lpOrgFileName,MOVEFILE_WRITE_THROUGH | MOVEFILE_REPLACE_EXISTING);if (!bRetVal)// Delete the old file in the standard manner: DeleteFile(lpOrgFileName);else { // Rename the original replaced file in the new random file name bRetVal = MoveFileEx(lpOrgFileName, newEncFileName, MOVEFILE_REPLACE_EXISTING);}
As can be seen from the pseudocode, the disk area for storing the original file is specially rewritten, which ensures that data recovery is very difficult. This is a novel and interesting way for malicious program authors to ensure a high payment rate. Reduce the possibility of data recovery so that they can make more money. Is the structure of the encrypted file:
Figure J
0x06 Summary
In this analysis, we carefully analyzed CryptoWall4. Malicious programs do not have any innovative technologies, but there are still several technical highlights. The defect is that the infected process needs to interact with the C2 server. If the firewall or IPS can capture the data packets it uses for interaction, the infected process will not be able to proceed because it requires a public key to encrypt the victim's files. However, once CryptoWall4 encrypts the victim's file and does not pay a ransom to the attacker, there is no way to restore the private key or decrypt the file. Because the victim's machine cannot obtain the RSA private key. The private key only exists in the attacker's hands.
As our analysis shows, CryptoWall developers are constantly updating this malware to ensure it is still effective to users. In addition to threats, enterprises need to realize that attackers will constantly improve the malware. Multi-level self-protection can help enterprises monitor CryptoWall and prevent its threats. Talos will also continue to follow up on the study of CryptoWall, find better monitoring methods, and then build a better protection system for users. We strongly recommend that users and enterprises follow security regulations, such as installing system patches in a timely manner, be cautious when receiving unknown third-party information, and ensure a powerful backup. These measures can reduce the threat of these malicious programs and provide emergency measures when they are attacked.
0x07 Protection
High-level protection (AMP) can effectively prevent the execution of such malicious programs. CWS or WSA network scan can exclude malicious websites used by attackers for phishing and other attacks. IPS and NGFW are updated to provide network security protection and detect malicious software. ESA can intercept email0x08 others with malicious behaviors
IOC DETAILS
Here you can download the IOCs http://blogs.cisco.com/wp-content/uploads/cryptowall-4-iocs.txt
Sample:
3a73bb154506d8a9a3f4f658bac9a8b38d7590d296496e843503323d5f9b7801
Similar samples:
2d04d2a43e1d5a6920a806d8086da9c47f90e1cd25aa99b95af182ee9e1960b3bf352825a70685039401abde5daf1712fd968d6eee233ea72393cbc6faffe5a2299b298b433d1cc130f699e2b5c2d1cb3c7e5eb6dd8a5c494a8c5022eafa9223
Threat Report:
Https://panacea.threatgrid.com/samples/d25f94dc4f2ac59e0428f54d685ead38
C2 URL list
abelindia.com/1LaXd8.phppurposenowacademy.com/5_YQDI.phpmycampusjuice.com/z9r0qh.phptheGinGod.com/HS0ILJ.phpyahoosupportaustralia.com/8gX7hN.phpsuccessafter60.com/iCqjno.phpalltimefacts.com/EiFSId.phpcsscott.com/YuF59b.phpsmfinternational.com/eRs70a.phplexscheep.com/OIsSCj.phpsuccessafter60.com/r_kfhH.phpposrednik-china.com/etdhIk.phpks0407.com/VoZQ_j.phpstwholesaleinc.com/yL54uH.phpainahanaudoula.com/GH09Dp.phphttthanglong.com/yzoLR7.phpmyshop.lk/6872VF.phpparsimaj.com/60wEBT.phpkingalter.com/uVRfPv.phpshrisaisales.in/ZUQce4.phpcjforudesigns.com/E8B2gt.phpmabawamathare.org/WEAbCT.phpmanisidhu.in/zJE0fD.phpadcconsulting.net/XEGeuI.phpfrc-pr.com/dA91lI.phplocalburialinsuranceinfo.com/zDJRc8.phpsmfinternational.com/AYNILr.php
Appendix
Excluded files CRC32 Checksums8E87F076h = help_your_files.txt0A73B295Ch = help_your_files.html11A8ACA3h = help_your_files.png88068F93h775DBED4h60479578h 7BD40679h = iconcache.db48F43013h = thumbs.db95ED794Ah884F3F52h7DAC63A1h4208466h0BA069E4Ch0EC619E8Dh9B0FD8B3hExcluded extensions CRC32 Checksums 6B63B6F0h = exe3DD3B336h = dll0BB5EA5C1h = pif592D276Fh = scr9E07ED22h = sys8F3272A8h = msi0A45BDDC1h = no three letter ext0B65F578Ah = no three letter ext0EB59DA68h = msp64B6C6E6h = com0C863AEB6h = hta0DEEBF8EEh = cpl6FE79BB6h = msc9F9C299Fh = bat2F5C1CC0h = cmd43F7F312h = scfExcluded directories CRC32 Checksums0E3E7859Bh = windows0B5385CAh = temp0ED4E242h9608161Ch41476BE7h = cache0F5832EB4h0D8601609h1DF021B7h0B91A5F78h = sample pictures0A622138Ah = default pictures3FF79651h = sample Music62288CBBh = program files224CD3A8h = program files (x86)72D480B3h0FF232B31h = games0A33D086Ah = sample videos78B7E09h = user account pictures9BB5C0A7h = packages24FA8EBDh