
Analysis of ‘TorrentLocker’ – A New Strain of Ransomware Using Components of CryptoLocker and CryptoWall


August 15, 2014

iSIGHT Partners


UPDATED – 9/12/14 – 1:54 pm

TorrentLocker, as iSIGHT Partners mentioned previously, does indeed use AES (Rijndael) encryption; however, that is not the full story. Newer variants of this malware have been observed with the capability to use 128-, 192- and 256-bit AES keys. Although it uses AES, the authors made a mistake: the malware uses the same key to encrypt all files. Researchers at Nixu discovered this blunder and used it to reverse the encryption (decrypt all files on an infected host). iSIGHT Partners tested this method and it has proven effective at recovering files. The flaw is exploitable because the malware applies AES as a keystream generator: the keystream is XOR'd with each file's contents, and since the same key produces the same keystream for every file, XORing one encrypted file against a known clean copy of it yields the keystream, which then decrypts every other file up to that length. iSIGHT Partners believes that the malware authors will soon update the malware now that the mistake has been publicly disclosed.
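To make the keystream-reuse flaw concrete, here is an added worked example (not Nixu's or iSIGHT's tooling): it encrypts two constructed files with a fixed key and nonce, recovers the keystream from the one file whose clean copy is available, and uses it to decrypt the other. Because Python's standard library has no AES, the keystream comes from HMAC-SHA256 in counter mode as a stand-in for AES-CTR; the attack does not depend on which primitive generates the keystream, only on its reuse.

```python
"""Keystream-reuse recovery of the kind Nixu described for TorrentLocker.

A stream-mode cipher turns a key and nonce into a keystream that is XORed
with the plaintext. If the same key and nonce are used for every file, the
keystream is identical for every file, so one known plaintext/ciphertext
pair reveals the keystream and decrypts all other files up to that length.

Assumption (added example): HMAC-SHA256 in counter mode stands in for the
malware's AES-CTR, since the Python standard library ships no AES.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: block i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = nonce + counter.to_bytes(8, "little")
        out.extend(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_file_data(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream encryption with a fixed key/nonce: the flaw under discussion."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """C = P xor K, so K = C xor P for every byte where P is known."""
    n = min(len(known_plain), len(known_cipher))
    return xor_bytes(known_cipher[:n], known_plain[:n])


def decrypt_with_keystream(ks: bytes, cipher: bytes) -> bytes:
    """Decrypt any other victim file; only the first len(ks) bytes are recoverable."""
    if len(cipher) > len(ks):
        raise ValueError(f"keystream covers {len(ks)} bytes, file has {len(cipher)}")
    return xor_bytes(cipher, ks)


def demo() -> bytes:
    """Constructed victim data: one file we also hold a clean copy of (e.g. a
    default sample document) and one file we do not. The key and nonce are
    never seen by the victim; recovery works without them."""
    key, nonce = os.urandom(32), os.urandom(16)
    known_plain = b"%PDF-1.4 sample document " * 8
    secret_plain = b"Quarterly figures: revenue 1.2M, cost 0.9M"
    known_cipher = encrypt_file_data(key, nonce, known_plain)
    secret_cipher = encrypt_file_data(key, nonce, secret_plain)

    ks = recover_keystream(known_plain, known_cipher)
    return decrypt_with_keystream(ks, secret_cipher)


if __name__ == "__main__":
    print(demo())
```

The recovered keystream is only as long as the known plaintext, which is why a large known file matters in practice; a file longer than the keystream can only be partially decrypted, and the example refuses rather than returning a silently truncated result.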

NOTE: iSIGHT Partners is currently working on a follow-up blog post to show some of the changes in recent variants and will post this analysis soon. The blog will also dig deeper into the encryption routines to further validate what the Nixu researchers found, as well as a couple of other items not addressed here.

ORIGINAL BLOG POST

At iSIGHT Partners we constantly monitor the cyber crime underground and track new vulnerabilities and their exploitation for our clients. Our cyber threat intelligence services were built over the past seven years on a well-oiled process and technology platform based on a formal intelligence lifecycle. As part of our services to our ThreatScape clients, we offer access to our analyst teams for inquiry and clarification on our findings (a service called Analyst Access) as well as reverse engineering and analysis of malware samples to aid our clients in their own research processes (a service called Global Response).

Through a combination of our own research as well as client inquiry, we recently analyzed a malware sample from an active phishing campaign. Interestingly, the malware is a new strain of ransomware that uses components of CryptoLocker and CryptoWall but with completely different code from these other two ransomware families. We have dubbed this new strain ‘TorrentLocker’ for reasons that will become obvious in the analysis below.

Hat tip to my colleague Jon Roose for his assistance with the analysis and this report.

What follows is a good example of what our clients see from iSIGHT Partners when requesting our support on malware analysis – if you’re interested in learning more you can drop us a line here:

Key Points:

• TorrentLocker uses themes and naming from CryptoLocker and CryptoWall ransomware, but is very different at the code level and is believed to be a new strain of ransomware.
• The malware first connects to a command and control (C&C) server over a secure connection and exchanges a certificate before encrypting any files.
• The malware uses the Rijndael algorithm for file encryption. This is a symmetric cipher, so the same key encrypts and decrypts; the key (the analysis below calls it a password) is either stored locally or retrieved from the attackers' server.

Executive Summary

TorrentLocker is a new strain of ransom malware that appears to use components of CryptoLocker and CryptoWall, but its code is completely different from the other two ransomware families. Despite its unique code, the malware suggests to victims that it is CryptoLocker by using a ransom message very similar to CryptoLocker's, while the design of the ransom page is more closely aligned with CryptoWall. The malware installs itself on the infected machine and injects a binary into a legitimate process. This injected binary contains the functionality to encrypt files using the Rijndael algorithm. Once files are encrypted, the victim is shown a ransom message and a decryption deadline. The victim is then required to purchase bitcoins from specified Australian Bitcoin websites and send the payment to the Bitcoin address provided.

The malware and its configuration reside in the Windows Registry for continued persistence on the infected machine. The registry contains items such as the original binary, ransom message, install locations, autorun key and number of encrypted files.

Malware Capabilities and Targeting

TorrentLocker introduces no capabilities beyond those already observed in existing ransomware such as CryptoLocker, CryptoWall and Critroni. The ransomware infects victims via spam, communicates with its command and control (C&C) server before encrypting, and then demands payment in Bitcoin to decrypt the affected files.

At this moment, we have not verified that this ransomware is being sold on underground forums.

TorrentLocker distribution probably targets Australian entities. Alternatively, though less likely, the malware may have been built by someone living in Australia who used the currency and website links most familiar to them.

• Ransom amounts are listed in Australian dollars.
• Many of the links provided by the malware for purchasing bitcoins are .au websites.

Future Outlook

While TorrentLocker introduces no new capabilities to those of previously observed ransomware, it does introduce the interesting approach of spoofing components of other ransomware samples. This technique, whether intentional or not, may allow TorrentLocker to adopt the notoriety of CryptoLocker. It may also lead victims to assume that their files were encrypted with RSA-2048, as the borrowed CryptoLocker message implies, when TorrentLocker actually uses the symmetric Rijndael (AES) algorithm. The difference matters less for cipher strength than for key handling: with RSA the decryption key never has to exist on the victim's machine, whereas a symmetric key that is stored locally, or reused across files, can be recovered.

iSIGHT Partners believes that use of this malware will not grow significantly because it lacks distinguishing features; more sophisticated ransomware is already available on underground markets. Moreover, TorrentLocker communicates with its C&C before encrypting its victims' files, just as CryptoLocker does. When CryptoLocker's C&C infrastructure was taken offline by law enforcement action against the Gameover Zeus botnet in June 2014, CryptoLocker samples were unable to encrypt victim devices. The same would happen to TorrentLocker if its C&C servers were taken offline.

 

Analysis of Representative Malware Sample
iSIGHT Partners analyzed a new strain of ransomware we are calling TorrentLocker. This ransomware appears to borrow content from both CryptoLocker and CryptoWall, making TorrentLocker look like a new variant of CryptoLocker. However, the underlying code is significantly different from that of the other two lockers. The look of the ransom pages resembles CryptoWall, while the messages displayed are suggestive of CryptoLocker. It is possible that CryptoLocker's creators compiled this new malware, but it is not a variant of the well-known ransomware.

Static Analysis

The sample analyzed, Parcel_Information.exe, is designed to lock files on the infected system. Files are encrypted using the Rijndael algorithm, a symmetric cipher, so the same password (key) is needed to encrypt and decrypt. It is unclear whether that password is stored locally or retrieved from a remote server, but it appears to be generated per infection: repeated runs of the same sample produced different ciphertext for the same files, suggesting that the password changed. The exact method of password generation has yet to be discovered.

To gain access to the files, users are prompted to pay using Bitcoin. The majority of the analysis for this sample will be shown in the behavioral analysis section below, but it is important to note some static analysis observations as listed below:

Parcel_Information.exe

 

IMAGE 1

After initial execution, the malware injects a binary into explorer.exe. A closer look at this code reveals that it contains most of the malware's functionality, including C&C communications and file encryption. The following are some of the strings from the dumped binary:

HTTP Communications using WININET.dll

o InternetOpenW
o InternetQueryOptionW
o InternetQueryDataAvailable
o InternetCrackUrlW
o InternetReadFile
o InternetConnectW
o InternetSetOptionA
o HttpSendRequestW
o HttpQueryInfoW
o HttpOpenRequestW
o InternetCloseHandle
o InternetQueryOptionA

The malware also contains strings showing some of the functions of the malware:

o rack-core.bin
o httpw_send_request
o httpw_download_data
o httpw_send_post_data
o rack_install
o rack_uninstall
o _on_before_encryption_1_work
o _on_before_encryption_2_work
o _on_encryption_work
o _set_encrypted_file_name
o _set_decrypted_file_name
o _encdec_file_data
o _encdec_file
o _enum_files_cb
o _create_encdec_thrd_data
o _encdec_thrd
o _create_encdec_thrd
o _process_desktop_files
o _process_drives
o _drop_crypto_info
o _external_display_crypto_info
o _display_crypto_info
o _rack_display_crypto_info
o _drop_file
o _routine_thrd
o _start_core

The injected binary also contains a list of known file extension types for encryption:

IMAGE 2

The malware suppresses the dialog Windows shows when a file cannot be opened by setting an error-mode flag (the string matches the SEM_NOOPENFILEERRORBOX error mode):

• NoOpenFileErrorBox

It also applies a mandatory-label security descriptor at the Low integrity level:

• S:(ML;;NRNWNX;;;LW)

This SDDL string is a SACL containing one mandatory-label (ML) ACE: the object is labelled Low integrity (LW) with the no-read-up, no-write-up and no-execute-up policy bits (NR, NW, NX). Because only Untrusted sits below Low, the practical effect is that any process at Low integrity or higher can access the object subject to its DACL, including low-integrity processes that the default Medium label would otherwise block from writing to it; this is what the original analysis summarised as "full access".
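To read such strings without a Windows box at hand, here is an added parser (example code, not part of the original analysis) that splits a security descriptor string into its O:/G:/D:/S: sections and expands mandatory-label ACEs into an integrity level and policy. The token tables are deliberately small, covering the integrity-label SIDs and a few common ACE types; anything else is returned as the raw token.

```python
"""Minimal SDDL parser for mandatory-label ACEs such as S:(ML;;NRNWNX;;;LW).

Added example: token tables are a subset of the SDDL specification.
"""
import re

ACE_TYPES = {
    "A": "ACCESS_ALLOWED",
    "D": "ACCESS_DENIED",
    "AU": "SYSTEM_AUDIT",
    "ML": "SYSTEM_MANDATORY_LABEL",
}
# Mandatory-label policy bits carried in the rights field of an ML ACE.
LABEL_POLICY = {
    "NR": "SYSTEM_MANDATORY_LABEL_NO_READ_UP",
    "NW": "SYSTEM_MANDATORY_LABEL_NO_WRITE_UP",
    "NX": "SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP",
}
# Integrity-level SID abbreviations (S-1-16-<level>).
INTEGRITY_SIDS = {
    "LW": ("S-1-16-4096", "Low"),
    "ME": ("S-1-16-8192", "Medium"),
    "HI": ("S-1-16-12288", "High"),
    "SI": ("S-1-16-16384", "System"),
}
_ACE_RE = re.compile(r"\(([^)]*)\)")
# A section tag (O:, G:, D:, S:) followed by everything up to the next tag.
_SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")


def split_rights(rights: str) -> list:
    """SDDL rights are two-letter tokens run together, or a hex mask."""
    if rights.startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_sddl(sddl: str) -> dict:
    """Return the owner/group strings and a list of ACE dicts per ACL."""
    result = {}
    for tag, body in _SECTION_RE.findall(sddl):
        if tag in ("O", "G"):
            result[tag] = body
            continue
        aces = []
        for ace in _ACE_RE.findall(body):
            fields = ace.split(";")
            if len(fields) != 6:
                raise ValueError(f"malformed ACE: ({ace})")
            ace_type, flags, rights, _obj, _inherit, sid = fields
            aces.append({
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": flags,
                "rights": split_rights(rights),
                "sid": sid,
            })
        result[tag] = aces
    return result


def describe_label(ace: dict) -> dict:
    """Expand a mandatory-label ACE into its integrity level and policy names."""
    if ace["type"] != "SYSTEM_MANDATORY_LABEL":
        raise ValueError("not a mandatory label ACE")
    sid, level = INTEGRITY_SIDS.get(ace["sid"], (ace["sid"], "unknown"))
    return {
        "level": level,
        "sid": sid,
        "policy": [LABEL_POLICY.get(r, r) for r in ace["rights"]],
    }


if __name__ == "__main__":
    parsed = parse_sddl("S:(ML;;NRNWNX;;;LW)")
    print(describe_label(parsed["S"][0]))
```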

Behavior on Infected System (Dynamic Analysis)

Upon initial execution, the malware launches a copy of itself while simultaneously injecting a binary into a newly spawned copy of explorer.exe. It is important to note that this is a legitimate copy of explorer.exe. The malware starts the duplicate process likely due to permissions on the local machine preventing modification to the already running explorer.exe. Launching a duplicate copy of itself is likely the malware’s attempt to evade and confuse analysts debugging the malware, but does not appear to provide any added features. Of note, the binary injected into explorer.exe was originally named rack-core.bin, which explains some of the strings seen in the binary such as “rack_install,” “rack_uninstall” and “rack_display_crypto_info.”

The malware installs a randomly named copy of itself in the %WINDOWS%/%WOW64% folder. It then stores a copy of itself in the Windows Registry under a newly created key, along with other configuration data for the malware to reference. Additionally, the malware creates an autorun key in the registry.

For the malware to begin encrypting files, it needs an active Internet connection. Initially, the malware reaches out to a domain hardcoded into the malware, likely to check for connectivity. It then sends data to the IP address hosting the domain and exchanges certificate information over a secure connection. If successful, the malware begins encrypting files and, once finished, prompts the user with a ransom message.

Ransom message masquerades as CryptoLocker

IMAGE 3

FAQ for TorrentLocker (similar in look to CryptoWall)

IMAGE 4
After clicking on the “Restore Files” link, the user is prompted to buy the decryption software. The price is listed along with the purchase deadline (note: the pricing is listed in AUD, giving further indication as to the intended target audience).

IMAGE 5

The only payment authorized for this malware is Bitcoin. The site lists several .au Bitcoin sites to use for purchasing bitcoins as well as a Bitcoin wallet to which victims should send funds:

IMAGE 6

The Bitcoin address used in the analyzed sample had relatively little transaction activity compared to addresses associated with other known ransomware. However, it is possible that the attackers use alternate Bitcoin addresses across other malware samples. The following is the current activity on the identified Bitcoin wallet:

blockchain.info statistics

IMAGE 7

In addition to purchasing the decryption software, victims can request a single file be decrypted by submitting it to the attackers’ website:

IMAGE 8

The website contains two additional pages, one for contacting the attacker via a web e-mail submission form and one for donations. The donation page lists three cryptocurrency addresses for Bitcoin, Dogecoin and Litecoin. The Bitcoin address had no transactions and the two alternate currency addresses could not be confirmed as legitimate.

Registry Modifications

• Key: HKCU\Software\Bit Torrent Application\Configuration\01000000
• VALUE: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ……….ÿÿ..
• Modification: ADD
• Note: Copy of malware in hex format

• Key: HKCU\Software\Bit Torrent Application\Configuration\02000000
• VALUE: 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 C.:.\.W.I.N.D.O.
• Modification: ADD
• Note: Location of the installed copy of the malware. In this case C:\WINDOWS\ykykddin.exe

• Key: HKCU\Software\Bit Torrent Application\Configuration\03000000
• VALUE: da 7b a7 7a 64 b1 cf 01
• Modification: ADD
• Note: Labelled a crypto key in the original analysis. The value is only 8 bytes and, read as a little-endian Windows FILETIME, decodes to 2014-08-06 10:52:12 UTC, nine days before this post, so it is more plausibly the infection timestamp from which the ransom deadline is computed. Treat the "key" reading as unconfirmed.

• Key: HKCU\Software\Bit Torrent Application\Configuration\04000000
• VALUE: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 <!DOCTYPE html P
• Modification: ADD
• Note: HTML document containing the ransom message

• Key: HKCU\Software\Bit Torrent Application\Configuration\05000000
• VALUE: [Encrypted file count]
• Modification: ADD
• Note: After encryption, stores the number of files encrypted. This data is transmitted back to the C&C and will be displayed to the user when visiting the ransom page.

• Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\elwpuhop
• VALUE: C:\WINDOWS\ykykddin.exe
• Modification: ADD
• Note: Autorun Registry Key
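The following added example (not iSIGHT's tooling) decodes these five values the way a triage script would: it checks the MZ header, decodes the UTF-16LE install path, reads value 03000000 as a FILETIME, confirms the HTML ransom page, and matches the Run key against the install path. The sample values are constructed from the fragments listed above (the encrypted-file count is invented for illustration); pulling them from a live hive, for example with winreg or an offline hive parser, is left to the reader.

```python
"""Decoder for the TorrentLocker configuration values stored under
HKCU\\Software\\Bit Torrent Application\\Configuration.

Added example. SAMPLE_CONFIG is constructed from the hex fragments in the
report (value 05000000 is invented); the FILETIME reading of 03000000 is
the editor's interpretation, not the original analysis.
"""
from datetime import datetime, timedelta, timezone

CONFIG_KEY = r"HKCU\Software\Bit Torrent Application\Configuration"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed from the fragments shown in the Registry Modifications list.
SAMPLE_CONFIG = {
    "01000000": bytes.fromhex("4d5a90000300000004000000ffff0000"),
    "02000000": "C:\\WINDOWS\\ykykddin.exe".encode("utf-16-le") + b"\x00\x00",
    "03000000": bytes.fromhex("da7ba77a64b1cf01"),
    "04000000": b"<!DOCTYPE html P",
    "05000000": (1337).to_bytes(4, "little"),   # invented count
}
SAMPLE_RUN = {"elwpuhop": r"C:\WINDOWS\ykykddin.exe"}


def filetime_to_datetime(raw: bytes) -> datetime:
    """Little-endian Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    if len(raw) != 8:
        raise ValueError("FILETIME is 8 bytes")
    ticks = int.from_bytes(raw, "little")
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_config(values: dict) -> dict:
    """Interpret the five numbered values the malware writes (name -> bytes)."""
    out = {}
    blob = values.get("01000000", b"")
    out["embedded_pe"] = blob[:2] == b"MZ"          # stored copy of the binary
    path = values.get("02000000", b"")
    out["install_path"] = path.decode("utf-16-le", errors="replace").rstrip("\x00")
    if "03000000" in values:
        out["timestamp"] = filetime_to_datetime(values["03000000"])
    html = values.get("04000000", b"")
    out["ransom_html"] = html.startswith(b"<!DOCTYPE html")
    count = values.get("05000000", b"")
    out["encrypted_files"] = int.from_bytes(count, "little") if count else None
    return out


def autorun_matches(run_values: dict, install_path: str) -> list:
    """Names of Run values whose command launches the installed copy."""
    target = install_path.lower()
    return [name for name, cmd in run_values.items()
            if cmd.strip().strip('"').lower() == target]


if __name__ == "__main__":
    cfg = decode_config(SAMPLE_CONFIG)
    print(CONFIG_KEY, cfg)
    print(RUN_KEY, autorun_matches(SAMPLE_RUN, cfg["install_path"]))
```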

Command and Control

TorrentLocker initially makes a DNS request to a hard-coded domain before further communications. If the domain is available, the malware will POST the following:

POST /gate.php HTTP/1.1
Accept: */*
Host: knowledgedbase.info
Content-Length: 71
Cache-Control: no-cache

Note that the request carries no User-Agent header, which is itself a useful detection point. If the malware successfully reaches a host, it opens a secure (TLS) connection to the IP address hosting the domain and exchanges a certificate:

IMAGE 9

No further communications were observed from the malware itself and the only other network traffic observed was for the ransom pages.
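As an added detection example (not from the original report), the check-in request above can be matched in a proxy log or a reassembled HTTP stream on four points: a POST to gate.php, a known C&C host, the 71-byte body and the missing User-Agent header. The request text is reconstructed from the headers shown; the body bytes are constructed, since the post does not show them.

```python
"""Match the TorrentLocker check-in request shape from raw HTTP request text.

Added example. KNOWN_C2_HOSTS holds the one domain named in the report;
SAMPLE_REQUEST is rebuilt from the headers shown, with a constructed body.
"""

KNOWN_C2_HOSTS = {"knowledgedbase.info"}

SAMPLE_REQUEST = (
    "POST /gate.php HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Host: knowledgedbase.info\r\n"
    "Content-Length: 71\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n" + "A" * 71          # constructed body of the observed length
)
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


def parse_request(raw: str):
    """Split raw request text into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return method, path, headers, body


def torrentlocker_indicators(raw: str) -> list:
    """Return the indicators a request matches; empty list means no match."""
    method, path, headers, _body = parse_request(raw)
    hits = []
    host = headers.get("host", "").lower()
    if host in KNOWN_C2_HOSTS:
        hits.append(f"known C&C host {host}")
    if method == "POST" and path.endswith("/gate.php"):
        hits.append("POST to gate.php")
        # The observed check-in sends no User-Agent at all; browsers always do.
        if "user-agent" not in headers:
            hits.append("no User-Agent header")
        if headers.get("content-length") == "71":
            hits.append("71-byte check-in body")
    return hits


if __name__ == "__main__":
    print(torrentlocker_indicators(SAMPLE_REQUEST))
    print(torrentlocker_indicators(BENIGN_REQUEST))
```

The host match is the only strong indicator; gate.php is a generic name and the body length will change between builds, so the missing User-Agent combined with a POST to gate.php is the part worth keeping when the domain rotates.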

Appendix A: Indicators

CryptoWall Images (Comparison)

IMAGE 10

Above: CryptoWall FAQ (comparison)

IMAGE 11

Above: CryptoWall Bitcoin Purchase Page (comparison)

IMAGE 12

Above: CryptoWall Single File Decrypt (Comparison)

If you want more information on our findings here drop a line to us today and we’ll route you to the right people internally…
