The truth about the VVV virus
According to the 360 Internet Security Center, the CryptoLocker family of file-encrypting ransomware Trojans, after lying dormant for a period, started spreading again in China at the beginning of this month. This Trojan is a variant of the CTB-Locker Trojan. After a file is encrypted, ".vvv" is appended to the file name, which is why this virus is also known as the VVV virus.
0x00 Overview
According to our analysis, the core encryption routine of the Trojan is a rewrite of the latest version of the notorious TeslaCrypt (the "Tesla encryptor", which has nothing to do with the electric vehicle manufacturer). TeslaCrypt has gone through eight iterations since it was officially launched in March. Files encrypted by the first four versions can be restored with tools, but files from version 5 onwards cannot be recovered. In addition, both the 5th and 7th versions caused outbreaks of varying size in China.
This virus event is mainly playing out in Japan. A Twitter search for "vvv virus" turns up a flood of infection reports:
In China, by contrast, the virus is purely a case of collateral damage: Chinese users were never the intended target. This is obvious from the ransom demand itself. The attacker provides four so-called "personal pages" that the victim must visit to obtain payment information, but the domain names of these four sites are:
encpayment23.com
expay34.com
hsh73cu37n1.net
onion.to
Only the last one, onion.to, can be reached, and it is a "Tor Hidden Services Gateway". In other words, onion routing is used to hide the real service provider's website behind it, and on top of that you need to install the so-called "Tor Browser" to enter the onion network and browse normally, so:
A few hours later ...... and then nothing. In other words, even a victim who honestly wanted to pay the ransom would find it an impossible task.
0x01 Propagation
Beyond the inaccessible pages, our monitoring data also shows that this Trojan is not targeting China: infection volume rose slightly in December and hit a new high in the past few days, but even on the most active days there were no more than 100 Trojan infections. Overall, this Trojan has not really "exploded" in our country.
In China, most users are infected through the traditional channel: email:
The email claims that you have an outstanding debt and that 7% interest will be charged if the overdue payment is not made. The so-called "Document Copy" in the attachment is actually this Trojan. It is a typical scam: "you owe money", "you owe a phone bill", "you have an undelivered courier package", "you have a court summons"...... Such pretexts are evidently not a Chinese patent. But how many people here will read an entire English email carefully and then click the attachment? This is the main reason for the small spread in China.
Abroad, the Trojan spreads not only through email but also partly through web exploit kits (using CVE-2014-6332, the last major one of last year, and CVE-2015-5122, the most heavily exploited one this year). But because the websites people commonly visit differ greatly, infections through web exploits are rare in China.
0x02 Sample analysis
The initial source of the sample is a JS script disguised as an invoice.
Its content is a mass of garbled characters:
After slightly adjusting its format, we find that it is simply some character obfuscation that is finally executed through the eval function.
Logging the eval argument directly shows the code that is actually executed. Its function is simple: it is just a Trojan downloader.
The sample itself has a simple protective shell. After startup, it checks its own path; if it is not under %appdata%, it copies itself there and starts again, then deletes the previous Trojan file to hide itself.
After the Trojan runs under %appdata%, it starts itself once more, decrypts the hidden code, and injects it into the newly started child process:
Using this method, the Trojan tries to bypass detection by traditional signature-based engines. The decoded program is the real working part of the Trojan:
The overall process control flow of the Trojan is similar to that of CTB-Locker:
Because this module runs via injection, after startup it locates the system APIs it needs through GetProcAddress:
Before infecting files, the Trojan writes itself into the startup items to ensure it runs again after the next boot!
All addresses configured in the Trojan are encoded to hinder analysis:
The decoded content includes the Trojan's control servers and the message structure used during key exchange:
0012DD0C 00CD1B18 ASCII "Sub=%s&key=%s&dh=%s&addr=%s&size=%lld&version=%s&OS=%ld&ID=%d&gate=%s&ip=%s&inst_id=%X%X%X%X%X%X%X%X"
0012DC98 01062040 ASCII "http://crown.essaudio.pl/media/misc.php"
0012DCF0 01061F38 ASCII "http://graysonacademy.com/media/misc.php"
0012DD04 01061E30 ASCII "http://grupograndes.com/media/misc.php"
0012DD18 01061D28 ASCII "http://grassitup.com/media/misc.php"
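The beacon format string and C2 path above are enough to spot the check-in in web proxy logs. The following is an added example, not code from the original article or from 360: it derives the expected parameter names and types from the format string and flags matching POST requests in a constructed log (the log layout of timestamp, client IP, method, URL, body is an assumption).

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Beacon format string and C2 path taken from the decoded strings in the analysis.
BEACON_FMT = ("Sub=%s&key=%s&dh=%s&addr=%s&size=%lld&version=%s&OS=%ld"
              "&ID=%d&gate=%s&ip=%s&inst_id=%X%X%X%X%X%X%X%X")
C2_PATH = "/media/misc.php"

# Parameter names, in order, derived from the format string; the %lld/%ld/%d
# fields must be integers and inst_id is eight %X conversions (>= 8 hex digits).
EXPECTED_FIELDS = [part.split("=")[0] for part in BEACON_FMT.split("&")]
NUMERIC_FIELDS = {"size", "OS", "ID"}

def is_vvv_beacon(url, body):
    """True when a request body matches the key-exchange check-in structure."""
    if urlsplit(url).path != C2_PATH:
        return False
    params = parse_qsl(body, keep_blank_values=True)
    if [k for k, _ in params] != EXPECTED_FIELDS:
        return False
    values = dict(params)
    if not all(re.fullmatch(r"-?\d+", values[f]) for f in NUMERIC_FIELDS):
        return False
    return re.fullmatch(r"[0-9A-Fa-f]{8,}", values["inst_id"]) is not None

def scan_proxy_log(lines):
    """Return (source_ip, c2_host, inst_id) for every beacon found in the log."""
    hits = []
    for line in lines:
        parts = line.split(None, 4)          # ts src method url body
        if len(parts) != 5 or parts[2] != "POST":
            continue
        _, src, _, url, body = parts
        if is_vvv_beacon(url, body):
            hits.append((src, urlsplit(url).netloc, dict(parse_qsl(body))["inst_id"]))
    return hits

# Constructed proxy log (assumed layout: timestamp, client IP, method, URL, body).
SAMPLE_LOG = """\
2015-12-08T09:12:01Z 10.0.0.15 POST http://crown.essaudio.pl/media/misc.php Sub=Ping&key=AAAA&dh=BBBB&addr=1ABC&size=0&version=2.2.0&OS=7601&ID=12&gate=G1&ip=10.0.0.15&inst_id=1A2B3C4D5E6F7A8B
2015-12-08T09:12:05Z 10.0.0.15 GET http://example.invalid/index.html -
2015-12-08T09:13:40Z 10.0.0.22 POST http://example.invalid/media/misc.php user=bob&pass=x
"""

if __name__ == "__main__":
    for src, host, inst in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"possible TeslaCrypt/VVV check-in from {src} to {host}, inst_id={inst}")
```

Matching on the parameter structure rather than the hostnames keeps the rule useful when the attacker rotates C2 domains.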
The key generation method is the same as that of the earlier CTB-Locker: keys are generated through ECDH. Without the private key held on the server, the encryption key currently cannot be obtained.
During file encryption, files with the .vvv extension and files whose names contain "recove" are excluded:
The following 190 file types are encrypted:
|.r3d|.ptx|.pef|.srw|.x3f|.der|.cer|.crt|.pem|.odt|.ods|.odp|.odm|.odc|.odb|.doc|.docx|.kdc|.mef|.mrwref|.nrw|.orf|.raw|.rwl|.rw2|.mdf|.dbf|.psd|.pdd|.pdf|.eps|.jpg|.jpe|.dng|.3fr|.arw|.srf|.sr2|.bay|.crw|.cr2|.dcr|.ai|.indd|.cdr|.erf|.bar|.hkx|.raf|.rofl|.dba|.db0|.kdb|.mpqge|.vfs0|.mcmeta|.m2|.lrf|.vpp_pc|.ff|.cfr|.snx|.lvl|.arch00|.ntl|.fsh|.itdb|.itl|.mddata|.sidd|.sidn|.bkf|.qic|.bkp|.bc7|.bc6|.pkpass|.tax|.gdb|.qdf|.t12|.t13|.ibank|.sum|.sie|.zip|.w3x|.rim|.psk|.tor|.vpk|.iwd|.kf|.mlx|.fpk|.dazip|.vtf|.vcf|.esm|.blob|.dmp|.layout|.menu|.ncf|.sid|.sis|.ztmp|.vdf|.mov|.fos|.sb|.itm|.wmo|.itm|.map|.wmo|.sb|.svg|.cas|.gho|.syncdb|.mdbackup|.hkdb|.hplg|.hvpl|.icxs|.docm|.wps|.xls|.xlsx|.xlsm|.xlsb|.xlk|.ppt|.pptx|.pptm|.mdb|.accdb|.pst|.dwg|.xf|.dxg|.wpd|.rtf|.wb2|.pfx|.p12|.p7b|.p7c|.txt|.jpeg|.png|.rb|.css|.js|.flv|.m3u|.py|.desc|.xxx|.wotreplay|wallet|.big|.pak|.rgss3a|.epk|.bik|.slm|.lbf|.sav|.re4|.apk|.bsa|.ltx|.forge|.asset|.litemod|.iwi|.das|.upk|.d3dbsp|.csv|.wmv|.avi|.wma|.m4a|.rar|.7z|.mp4|.sql|
After a file is encrypted, it is renamed with the .vvv extension appended:
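The selection rules just described (skip .vvv files and "recove" names, otherwise match the target suffix list, then append .vvv) can be turned into an exposure and triage script for a host. This is an added example, not the Trojan's code or 360's tooling: it uses a constructed subset of the 190 suffixes, treats each entry as a file-name suffix (my reading of the dot-less "wallet" entry), and recovers the original names of already-encrypted files from a constructed listing.

```python
from typing import List, Optional, Tuple

# Constructed subset of the 190 targeted suffixes listed in the article. Entries are
# matched as name suffixes, which is why the dot-less "wallet" entry sits alongside
# real extensions (an interpretation, not something the article states explicitly).
TARGET_SUFFIXES = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png",
                   ".psd", ".zip", ".rar", ".sql", ".pst", ".pfx", ".p12", "wallet")
ENCRYPTED_EXT = ".vvv"          # appended to every encrypted file
SKIP_MARKER = "recove"          # files whose name contains this are left alone

def _basename(path: str) -> str:
    """Last path component, tolerant of Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(path: str) -> str:
    """Apply the Trojan's selection rules to one path: 'skipped', 'targeted' or 'other'."""
    name = _basename(path)
    if name.endswith(ENCRYPTED_EXT) or SKIP_MARKER in name:
        return "skipped"
    if name.endswith(TARGET_SUFFIXES):
        return "targeted"
    return "other"

def original_name(path: str) -> Optional[str]:
    """For an already-encrypted file, strip the appended .vvv to get the original name."""
    if not path.lower().endswith(ENCRYPTED_EXT):
        return None
    return path[:-len(ENCRYPTED_EXT)]

def triage(paths: List[str]) -> Tuple[dict, List[str]]:
    """Count how many files each rule hits and list what was already encrypted."""
    summary = {"skipped": 0, "targeted": 0, "other": 0}
    encrypted_originals = []
    for p in paths:
        summary[classify(p)] += 1
        orig = original_name(p)
        if orig is not None:
            encrypted_originals.append(orig)
    return summary, encrypted_originals

# Constructed directory listing from a hypothetical infected host.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\report.docx.vvv",
    r"C:\Users\alice\Pictures\IMG_0001.jpg",
    r"C:\Users\alice\Desktop\recover_file.txt",
    r"C:\Users\alice\Downloads\setup.exe",
    r"C:\Users\alice\bitcoin\wallet",
]
```

Running triage() over a real file inventory before an incident shows which data would be hit and therefore what the offline backup must cover.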
And other auxiliary analysis tools.
After encryption is complete, the following are generated in each encrypted folder:
Finally, the attacker displays the ransom page:
0x03 Closing remarks
Once a machine is hit, all of its files are encrypted and cannot be recovered at all (as noted above, even a victim willing to pay the ransom may have nowhere to pay), so vigilance against this kind of Trojan remains very necessary. Users should keep isolated backups of important files to reduce losses from viruses and Trojans, program faults and hardware failures alike. At the same time, develop good habits: do not casually open attachments in unfamiliar emails, install security software with document protection features, and do not continue to run any program that the security software has flagged as risky.