Showing posts with label PSCrypt. Show all posts
Showing posts with label PSCrypt. Show all posts

Monday, 7 May 2018

PSCrypt ransomware: back in business


PSCrypt is ransomware first discovered last year, in 2017, targeting users and organisations alike in Ukraine, and the malware itself is based on GlobeImposter ("GI") ransomware.

I've written about PSCrypt in the past, when it was distributed via Crystal Finance Millenium's hacked website: Crystal Finance Millennium used to spread malware

In this quick blog post, we'll take a look at the latest iteration of PSCrypt.


Analysis

A file named "xls.scr", which sports a fancy "energy" or "power" icon is responsible for loading PSCrypt on the machine, and was spread via a phishing campaign.

Figure 1 - Icon

The ransomware has the following properties:


As mentioned earlier, PSCrypt is based on GlobeImposter and as such, has very similar functionality.

The following folders are excluded from being encrypted:

Avast, Avira, COMODO, Chrome, Common Files, Dr.Web, ESET, Internet Explorer, Kaspersky Lab, McAfee, Microsoft, Microsoft Help, Microsoft Shared, Microsoft.NET, Movie Maker, Mozilla Firefox, NVIDIA Corporation, Opera, Outlook Express, ProgramData, Symantec, Symantec_Client_Security, Windows, Windows App Certification Kit, Windows Defender, Windows Kits, Windows Mail, Windows Media Player, Windows Multimedia Platform, Windows NT, Windows Phone Kits, Windows Phone Silverlight Kits, Windows Photo Viewer, Windows Portable Devices, Windows Sidebar, WindowsPowerShell, Wsus, YandexBrowser, ntldr, spytech software, sysconfig, system volume information

This iteration of PSCrypt will encrypt all files, including executables, except those files with the following extensions:

.$er,.4db,.4dd,.4d,.4mp,.abs,.abx,.accdb,.accdc

As usual, a temporary batch file will be used to clear Volume Shadow Copies as well as Event Logs:

Figure 2 - Batch file

What's new in this iteration of PSCrypt is not only the changes implemented by/via GlobeImposter ransomware, but also the ransom note itself, as noted in Figure 3 and 4 below:

Figure 3 - Ransomware note, part 1

Figure 4 - Ransomware note, part 2

The title of the ransom note is "Ваші файли тимчасово зашифрувати! Не хвилюйтесь!", which translates to "Your files are temporarily encrypted! Do not worry!".


The Ukrainian version is rather lenghty, and is as follows:

☠ ВАШІ ФАЙЛИ ТИМЧАСОВО НЕДОСТУПНІ.☠
ВАШІ ДАНІ БУЛИ ЗАШІВРОВАННИ!
Для відновлення даних потрібно дешифратор.
Щоб отримати дешифратор, ви повинні, оплатити послуги розшифровки:
Оплата відбувається за коштами біткойн на кошелек № 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9
Вартість послуги складає 150$
Оплату можна провести в терміналі IBox. або виберіть один з обмінних сайтів на сторінці - https://www.bestchange.ru/privat24-uah-to-bitcoin.html (приклад обмін Приват24 на BTC) також можете скористатися послугами https://e-btc.com.ua
Додаткова інформація:
Програма можемо дешифрувати один файл як доказ того, що у неї є декодер. Для цього необхідно надіслати зашифрований файл - вагою не більше 2 mb, и ваш уникальный идентификационный код, на пошту: systems32x@gmail.com
Более детальная инструкция по оплате: https://btcu.biz/main/how_to/buy
Увага!
Всі файли розшифровуються тільки після 100% оплати
Ви дійсно отримуєте дешифратор після оплати
Не намагайтеся видалити програму або запустити антивірусні інструменти це може ускладнити вам роботу
Спроби самодешіфрованія файлів приведуть до втрати ваших даних
Декодери інших користувачів не сумісні з вашими даними, оскільки унікальний ключ шифрування кожного користувача.
За запитом користувачів, надаємо контакти клієнтів, які вже користувалися послугами нашого сервісу.
ОБОВ'ЯЗКОВО ЗАПИШІТЬ РЕЗЕРВНІ КОНТАКТИ ДЛЯ ЗВ'ЯЗКУ:
systems32x@gmail.com - основний
systems32x@yahoo.com - резервний
Додаткові контакти:
systems32x@tutanota.com - (якщо відповіді не прийшло після 24-х годин)
help32xme@usa.com - (якщо відповіді не прийшло після 24-х годин)
Additional.mail@mail.com - (якщо відповіді не прийшло після 24-х годин)
З повагою
Unlock files LLC
33530 1st Way South Ste. 102
Federal Way, WA 98003
United States

Google Translation, so pretty loose - I've made some minor corrections however:

☠ YOUR FILES ARE TEMPORARILY UNAVAILABLE
YOUR DATA WAS LOCKED!
To restore data you need a decoder.
To receive a decoder, you must pay for decoding services:
Payment is made at the expense of bitcoin to wallet number 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9
Service cost is $ 150
Payment can be made at the terminal IBox. or select one of the exchange sites on the page - https://www.bestchange.ru/privat24-uah-to-bitcoin.html (example exchange of Privat24 to the BTC), you can also use the services of https://e-btc.com.ua.
Additional Information:
The program can decrypt one file as proof that it has a decoder. To do this, you need to send an encrypted file weighing no more than 2 mb and your unique identification code by mail: systems32x@gmail.com
More detailed payment instructions: https://btcu.biz/main/how_to/buy
WARNING!
All files are decrypted only after 100% payment
You really get a decoder after payment
Do not try to uninstall a program or run antivirus tools, which can complicate your work
Attempts to self-decrypt files will result in the loss of your data
Other users' decoders are not compatible with your data, as the unique encryption key for each user.
At the request of users, we provide contact with customers who have already used the services of our service.
MUST REQUEST BACK TO CONTACTS FOR CONNECTION:
systems32x@gmail.com - basic
systems32x@yahoo.com - backup
Additional contacts:
systems32x@tutanota.com - (if the answer did not arrive after 24 hours)
help32xme@usa.com - (if the answer did not arrive after 24 hours)
Additional.mail@mail.com - (if the answer did not arrive after 24 hours)

The English version is rather short and to the point:

ALL DATA IS ENCRYPTED!
For decoding, write to the addresses:systems32x@gmail.com - Basic systems32x@yahoo.com - backup Additional contacts: systems32x@tutanota.com - (if the answer did not arrive after 24 hours) help32xme@usa.com - (if the answer did not arrive after 24 hours) Additional.mail@mail.com - (if the response did not arrive after 24 hours) 

The cost for restoring service is, interestingly enough, expressed in US dollars this time ($150), as opposed to Ukrainian currency in a previous iteration.

However, the images which included IBox instructions (as payment method) have been removed, and while IBox is still suggested as a service, there's also a new website introduced to pay via Bitcoin using E-BTC. 

E-BTC is a Ukrainian service which is "the most reliable and simple service for buying and selling Bitcoins and also the best partner for entering and withdrawing funds to the WEX stock exchange."

It also promises full anonymity.

Back to the ransomware. Encrypted files will have the .docs extension appended, for example Jellyfish.jpg becomes Jellyfish.jpg.docs.

Ransom note: .docs document.html
BTC Wallet: 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9
Emails: systems32x@gmail.com, systems32x@yahoo.com, systems32x@tutanota.com, help32xme@usa.com, Additional.mail@mail.com

Extension: .docs

Fortunately, it appears no payments have been made as of yet: 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9



Conclusion

The last iteration of PSCrypt was observed in 2017, but it appears it has now returned to try and coerce users and organisations to pay the ransomware.

As usual, follow the prevention tips here to stay safe, but the rule of thumbs are as always:

  • Do not pay, unless there is imminent danger of life
  • Create regular backups, and do not forget to test if they work

IOCs follow below.


IOCs


By at No comments:
Labels:forex, iqoption, pubg Hacked , , , , , , ,

Wednesday, 23 August 2017

Crystal Finance Millennium used to spread malware


Earlier today, Costin from Kaspersky tweeded the following intriguing tweet:



After some hunting, it was revealed the Crystal Finance Millennium website was indeed hacked, and serving three different flavors of malware. In this short blog post, we'll take a look at the malware variants that were distributed, and provide minimal background.


Introduction

Crystal Finance Millennium' website is currently taken offline by the hosting provider, but archives of the website exist online.

Figure 1 - "At this moment the site is blocked by the hosting administrator"

From the archived webpage, it becomes apparent they provide accounting software, peronalisation of medical records, blood service and "full automation of the doctor's office" - contrary to what their company name suggests, it appears they are (mostly) focused on medical software.


Figure 2 - archived webpage of CFM's services


Moving on to the malware present on their website:


Smoke Loader

Smoke Loader, also known as Dofoil, Sharik or just 'Smoke', is a botnet with the main purpose of downloading other malware - a downloader. 

Smoke Loader was originally downloaded from:
hXXp://cfm.com[.]ua/awstats/load.exe         

Additionally, it was also mirrored at:
hXXp://nolovenolivethiiswarinworld[.]com/ico/load.exe

Smoke Loader drops itself in a random directory inside the user's %appdata% folder, for example:
\AppData\Roaming\Microsoft\sfujsddu\

Additionally, it performs an HTTP POST request to the following domains:
contsernmayakinternacional[.]ru
soyuzinformaciiimexanikiops[.]com
kantslerinborisinafrolova[.]ru

SmokeLoader has a debug path which is likely fake, or automatically generated:
c:\backward\inch\enumeration\Atmel\neces.pdb

We won't go any further into Smoke Loader here, but there's an excellent blog post by @hasherazade over at Malwarebytes here:
Smoke Loader – downloader with a smokescreen still alive



Chthonic

Chthonic is a banking trojan and derivative of Zeus, well-known banking malware. Zeus, also known as Zbot, was leaked several years ago and has since then spawned multiple new, and often improved, banking trojans.

Chthonic uses a custom encryptor and, as a result, its payload hash will differ every time.

It was observed as a dropper from the following websites:
hXXp://nolovenolivethiiswarinworld[.]com/ico/load.exe

hXXp://crystalmind[.]ru/versionmaster/nova/load.exe         

Additionally, it drops its payload into the user's %appdata% folder; for example:
\AppData\Roaming\Microsoft\MicrosoftStart.exe

While Smoke Loader employs totally random filenames, Chthonic tries to hide by looking like a legitimate program.

It performs an HTTP POST request to the following domain:
nolovenolivethiiswarinworld[.]com

Interestingly enough, Chthonic was spotted in June targeting a government institution in Ukraine:
Chthonic Trojan is back in nation-state cyberattack against Ukraine

Whoever's behind this Chthonic campaign however, has a sense of humour by sporting the following debug path: C:\postmaster\merge\Peasants\Billy.pdb

Chthonic will also create a simple batch file which goes through a loop and will delete the dropper and the batch file once it has installed the payload.


PSCrypt

PSCrypt, which is based on GlobeImposter, another ransomware variant, has been hitting Ukraine in the past:
https://www.bleepingcomputer.com/news/security/before-notpetya-there-was-another-ransomware-that-targeted-ukraine-last-week/

Interestingly enough, the same PSCrypt campaign was spotted earlier this month by @malwarehunterteam:



This tweet suggests the attacks started as early as the 14th of August.

PSCrypt was originally downloaded from:
hXXp://cfm.com[.]ua/awstats/wload.exe         

PSCrypt will encrypt files and append an extension of .pscrypt - in order to restore your files, which asks for 3500 Hryvnia (~ EUR 115):

Figure 3 - PSCrypt ransom message
PSCrypt provides a fully detailed ransom message on how to send bitcoins to the cybercriminal, as well as a personal ID ("Ваш личный идентификатор"). The ransom note appears to have several spelling mistakes, and may not be original Ukrainian language.

Additionally, PSCrypt will remove RDP related files and registry keys, likely to prevent an administrator to clean an infected machine remotely. It will also clear all event logs using wevtutil:

Figure 4 - Batch file which goes through commands in sequential order


Whoever's behind this PSCrypt campaign also shows sign of humour, indicating an address in the US, pointing to a company called "Unlock files LLC". Such company does not exist:

Figure 5 - Unlock files LLC address


Figure 6 - Companies at the same address

Unfortunately, the Bitcoin address shows a history of already paid ransoms, dating back to the 15th of August: 1Gb4Pk85VKYngfDPy3X2tjYfzvU62oL

At time of writing, a total of 0.0924071 has been received, which is around EUR 328.

Since the first payment was on the 15th of August, this supports the theory of CFM's website being compromised at least before or on the 15th, quite possibly the 14th.

The general recommendation is to NOT pay, but rather restore files from a backup.



Conclusion

While Crystal Finance Millenium's website was hacked, it's possible its software was not affected. In the mean time, I'd advise to not upgrade or update any software belonging to the company, but rather wait for an official statement from their side.

The hacking of a company or personal website can always happen, and as such, it is important to act fast once it's happened - the (hosting) company did the right thing to take the website offline while things are being fixed in the background.

The bigger question here is if it may be a targeted attack - recently, Ukraine has been targeted heavily by not only EternalPetya (also known as NotPetya), but also by Xdata and PSCrypt. Additionally, seemingly targeted attacks had Chthonic as payload, and, as reported in this blog post, another software company in Ukraine has been compromised.

As usual, best is to wait until further data is available before making any judgments.

Prevention advise for ransomware can be found on my dedicated page about ranomware prevention:
https://bartblaze.blogspot.co.uk/p/ransomware-prevention.html

And, as always, indicators of compromise (IOCs) can be found below, as well as additional resources.



IOCs

Resources

New Cyberattack wave is launched using officialweb site of the accounting software developer«Crystal Finance Millennium» (PDF)
“Crystal Attack” analysis – behavior analysis of the “load.exe” sample (PDF)



By at No comments:
Labels:forex, iqoption, pubg Hacked , , , , , , , , , , , ,
Subscribe to: Posts (Atom)