On August 15, 2014, iSIGHT Partners disclosed our analysis of a new form of ransomware observed in the wild in active campaigns targeting victims in Australia. We dubbed this ransomware TorrentLocker. On September 4, 2014, researchers at ESET reported that the same ransomware was being used in campaigns targeting victims in the United Kingdom. Six days ago, researchers at Nixu published additional analysis and identified a flaw in the encryption that made it easy to decrypt ransomed files with a tool released into the public domain. At that time, many across the research community (including iSIGHT Partners) predicted it would only be a matter of time before the authors remedied this error, strengthening the encryption and making the decrypt tool obsolete. Those predictions have proven accurate. Below is our analysis of a new variant of TorrentLocker uncovered by iSIGHT Partners through our ongoing research into the cyber crime underground.
The encryption flaw was disclosed last week and is already fixed, once again demonstrating the extremely high pace of innovation of our collective adversaries. Within a week we were able to track, uncover and analyze this new variant, maintaining our equally high pace in providing intelligence on the threat environment. We will continue to track TorrentLocker and make new information available as it becomes available to us.
TorrentLocker: New Variant with New Encryption Observed in the Wild
I would like to thank my colleagues, Cameron Sabel and Jon Erickson for their work on the below analysis…
• Recent campaigns have expanded TorrentLocker targeting to include victims in the United Kingdom as well as the previous targeting of Australian victims.
• The malware authors changed the unique Windows Registry key from which we derived the TorrentLocker name. The new versions add functionality to scan Thunderbird profiles and Windows mail account settings for email addresses and passwords on infected systems; these will almost certainly be used to further the TorrentLocker spam campaign. New versions also changed the network communications and added a botnet name to the malware.
• In previous versions of TorrentLocker, files encrypted on an infected system can be decrypted by XORing an unencrypted copy of any single encrypted file against its encrypted version to recover the key stream. The encryption method has been changed in the newest version, which prevents this decryption.
TorrentLocker continues to be a notable threat to a wide variety of users, and the number of infections and subsequent Bitcoin payments suggest that the malware authors are nearly as successful as the actors responsible for CryptoLocker. Newer phishing campaigns targeting individuals in the United Kingdom have been as effective as the previous targeting of Australians. Although the percentage of infected users who pay the ransom is likely very low, the attackers are collecting a substantial number of bitcoins, as evidenced by activity observed on the Bitcoin wallet. It is also possible that other campaigns exist and the infections are more widespread. Significantly for those attempting to mitigate TorrentLocker infections, the encryption used by older versions can be reversed by using an unencrypted copy of one encrypted file to recover the key stream, potentially allowing recovery of all encrypted files.
Malware Capabilities and Targeting
Initially, TorrentLocker targeted Australian victims using Australia Post themed phishing campaigns and websites. The web sites would prompt the user to enter a CAPTCHA in order to get details about a shipped package. After entering the CAPTCHA, the user would be prompted to download and save a file that turned out to be TorrentLocker. Although it is possible for the malware authors to deploy other malware, we have only observed TorrentLocker at this time.
An interesting aspect of this file download is that the user is only prompted to download the file if their IP address originates from the targeted country. We tested this by altering lab IP addresses to originate from the targeted country, which resulted in successfully downloading the malware samples. Victims outside Australia and the United Kingdom have also been observed being targeted or infected. The likely cause is that those victims were infected via a malicious email attachment rather than by downloading from the phishing page. Another possibility is that the victim was using a proxy service that gave them an IP address consistent with the requirements for downloading the malware.
Additionally, the malware has undergone some changes since we first disclosed TorrentLocker. The unique Registry Key from which we derived its name has been changed to a seemingly random name. The attackers also included code to scrape email addresses from victim computers to use in their spam campaigns. The network communications have changed slightly and the malware authors have added a botnet name, likely for tracking purposes. Finally, the encryption method has been altered to prevent the decryption of files based on a single generated key stream. (See Encryption section)
TorrentLocker continues to pose a notable threat to a wide variety of potential victims, especially as broader distribution of the malware has occurred in recent weeks. This threat was briefly mitigated by the discovery of a method to potentially decrypt files after they have been encrypted by the malware (discussed in the Encryption section below). However, following the publicity this decryption method generated, the operators fixed the mistake. We expect that future versions of TorrentLocker will be tested more carefully by the actors in order to avoid additional mistakes that would allow for easy decryption of infected computers.
It is unclear how broadly TorrentLocker targeting will spread in the near future. While it is currently limited to Australia and the United Kingdom, it would almost certainly be trivial for the actors to expand targeting to other English-speaking countries and regions. Non-English-speaking countries could also be targets, though it is unclear whether the TorrentLocker operators have the skills or connections to craft effective lures in other languages.
Analysis of Representative Malware Sample
iSIGHT Partners analyzed new versions of TorrentLocker that contain major and minor changes as well as added functionality. The general behavior and functionality of the malware remains the same, as do the ransom messages and the demand for Bitcoin. In the parts of this campaign extending to UK victims, the main items that change are the currency demanded and the Bitcoin purchase links, which point to UK web sites rather than Australian ones. The modified data and functionality are covered in the following sections.
The malware authors have changed quite a few aspects of TorrentLocker; the significant differences are addressed in the following sections. The new versions add functionality to scrape the infected system for email accounts and credentials, using the following Thunderbird fields and Windows registry locations:
Email Address Gathering
NOTE: The malware will look for email addresses and contacts from Thunderbird profiles. It will grab the “Primary Email and Display Name” fields.
• SMTP Port
• SMTP Use SSL
• SMTP Server
• SMTP User
• SMTP Password
• IMAP Password
• POP3 Password
• SMTP User Name
• SMTP Password2
• IMAP Password2
• POP3 Password2
• Software\Microsoft\Internet Account Manager\Accounts
• Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
• Software\Microsoft\Windows Messaging Subsystem\Profiles
• Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
NOTE: The malware also grabs the credentials associated with these email accounts. Uploading of the harvested data to the C&C server was not observed; however, it is likely the attackers have a way of retrieving it from active bots.
Recent developments in the tracking of TorrentLocker have revealed that the malware authors have corrected the encryption blunder that allowed the decryption of files. The new variant still uses AES but in a different mode, Cipher Block Chaining (CBC), so no key stream is shared between files. In CBC, each block of plaintext is XORed with the previous ciphertext block before it is encrypted (the "chaining"); as a result, XORing a file's plaintext with its ciphertext yields values that depend on that file's own preceding blocks and transfer nothing to any other file. TorrentLocker only encrypts the first 2MB of each file and appends 264 bytes of data to the file (discussed below). Older versions of TorrentLocker implemented the encryption poorly, meaning that encrypted files could be decrypted. iSIGHT Partners tested the decryption method for the older versions and successfully decrypted files. The following explains the decryption process for these older versions.
TorrentLocker, as iSIGHT Partners mentioned previously, does indeed use AES (Rijndael); however, that is not the full story. Newer variants of this malware have been observed with the capability to use 128-, 192-, and 256-bit AES keys. Although it uses AES, the authors made a mistake in some past versions of TorrentLocker: the malware used the same key to encrypt all files, producing the same key stream for every file. Researchers at Nixu discovered this blunder and used it to reverse the encryption (decrypt all files on an infected host). iSIGHT Partners tested this method and it proved effective at recovering files. Because the same key stream is applied (XORed) to each file, it is possible to recover that key stream from one file and use it to decrypt all the others. The mode used, Output Feedback (OFB), turns the block cipher into a stream cipher: the cipher's output stream is XORed against the plaintext file to produce the ciphertext (the encrypted file).
To recover encrypted files, XOR an encrypted file that is more than 2MB in size with an unencrypted copy of that same file (for example, a copy from a backup or the original email attachment) to obtain the key stream. The file must be over 2MB because encryption stops after 2MB; a larger file yields the full 2MB key stream, whereas a smaller file would yield only a prefix of it. Because the key stream belongs to one infection, the encrypted file and its clean copy must come from the same infected host. The recovered key stream can then be used to decrypt all files regardless of size.
In addition to encrypting the files, the malware also appends 264 bytes of data to the end of each file. This data is unique for each infection and could serve several purposes. One is to let the malware identify which files have already been encrypted by examining the end of the file for this "signature". Another possibility is that the attackers use it to track unique infections and the generated key stream, which would let them measure the success of infection campaigns and provide the correct decryption key after payment. If an infected user pays the ransom, the malware decrypts the file and strips the 264 bytes, restoring the original unencrypted file. On files smaller than 2MB, the malware checks whether the file length is a multiple of 16 bytes (the AES block size). If it is not, the leftover bytes after the last full block (15 bytes or fewer) are left unencrypted before the 264 bytes are appended.
Researchers have created tools available on the Internet that will allow recovery of encrypted files from older versions of TorrentLocker as outlined by the above decryption method.
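The recovery procedure above, as an added example (not iSIGHT's or Nixu's code): a small Python model of the old variant's file handling (XOR of the first 2MB with one shared key stream, ragged tail left in clear on files under 2MB, 264-byte trailer), then recovery of the key stream from one file that is over 2MB together with its clean copy, and decryption of a second, smaller file with it. The key stream generator is a stand-in (SHA-256 in counter mode) for the AES-OFB stream; the attack never depends on how the stream was made. All file contents are constructed sample data.

```python
import hashlib
from random import Random

ENCRYPT_LIMIT = 2 * 1024 * 1024   # TorrentLocker only touches the first 2MB of a file
TRAILER_LEN = 264                 # bytes appended to every encrypted file
BLOCK = 16                        # AES block size; a short file's ragged tail stays in clear


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in for the per-infection AES-OFB key stream (assumption: SHA-256 in
    counter mode). The recovery below never needs to know how the stream was made,
    only that the same stream was applied to every file."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings over their common length (big-int trick keeps 2MB fast)."""
    n = min(len(a), len(b))
    return (int.from_bytes(a[:n], "big") ^ int.from_bytes(b[:n], "big")).to_bytes(n, "big")


def encrypted_length(file_len: int) -> int:
    """How many leading bytes the old variant actually encrypts: at most 2MB, and
    for a shorter file only whole 16-byte blocks (the leftover <16 bytes are skipped)."""
    n = min(file_len, ENCRYPT_LIMIT)
    return n - n % BLOCK


def encrypt_file(plain: bytes, ks: bytes, trailer: bytes) -> bytes:
    """Old-variant behaviour as described above: XOR the encrypted prefix with the
    shared key stream, keep the rest as-is, append the 264-byte infection trailer."""
    n = encrypted_length(len(plain))
    return xor_bytes(plain[:n], ks[:n]) + plain[n:] + trailer


def recover_keystream(encrypted: bytes, plain: bytes) -> bytes:
    """Key stream = ciphertext XOR plaintext. Only a file of at least 2MB gives the
    whole stream; a smaller file would only yield a prefix of it."""
    if len(plain) < ENCRYPT_LIMIT:
        raise ValueError("need an original file of at least 2MB to recover the full key stream")
    return xor_bytes(encrypted[:ENCRYPT_LIMIT], plain[:ENCRYPT_LIMIT])


def decrypt_file(encrypted: bytes, ks: bytes) -> bytes:
    """Strip the trailer, XOR the encrypted prefix back, keep the clear tail."""
    body = encrypted[:-TRAILER_LEN]
    n = encrypted_length(len(body))
    return xor_bytes(body[:n], ks[:n]) + body[n:]


def demo() -> dict:
    """Constructed scenario: one infection, two victim files, one clean copy of the big one."""
    rng = Random(2014)                                  # deterministic constructed sample data
    shared_ks = keystream(rng.randbytes(32), ENCRYPT_LIMIT)
    trailer = rng.randbytes(TRAILER_LEN)                # stands in for the per-infection trailer
    big_plain = rng.randbytes(ENCRYPT_LIMIT + 4096)     # >2MB: its clean copy is the known file
    small_plain = rng.randbytes(1000)                   # 1000 = 62*16 + 8: last 8 bytes stay clear
    big_enc = encrypt_file(big_plain, shared_ks, trailer)
    small_enc = encrypt_file(small_plain, shared_ks, trailer)
    recovered = recover_keystream(big_enc, big_plain)   # the Nixu-style recovery step
    return {
        "keystream_recovered": recovered == shared_ks,
        "small_file_decrypted": decrypt_file(small_enc, recovered) == small_plain,
        "ragged_tail_in_clear": small_enc[992:1000] == small_plain[992:1000],
        "trailer_present": small_enc[-TRAILER_LEN:] == trailer,
        "sizes": (len(big_enc), len(small_enc)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points the model makes concrete: a file just under 2MB gives only a partial stream (hence the size check in recover_keystream), and the eight clear bytes at the end of the 1000-byte file are a cheap way to confirm, before decrypting anything, that a sample really is the old variant.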
Behavior on Infected System (Dynamic Analysis)
The malware still uses the main injection module, rack-core.bin, which is injected into explorer.exe; on Windows XP some variants have been observed injecting into svchost.exe instead. The main differences in the new variants are email address scraping, the modified encryption method, changes in network communications, and renamed registry keys. The registry key names appear to be generated per sample rather than per run: repeated runs of the same binary produce the same key name, while the two variants analyzed use different names.
NOTE: Although not mentioned in our previous post, all of the variants we have observed run "vssadmin.exe" at initial execution to delete the Volume Shadow Copies on the infected system. This is very common in ransomware and prevents recovery of earlier file versions from shadow copies on the infected system.
• Key: HKCU\Software\ihymohotapuraveh\ or HKCU\Software\otogajinyzohific\
• Entries: 00000000, 01000000, 02000000, etc.
Note: Same types of entries in the registry. The main difference is the name has been changed in the folder path. This is likely due to the public disclosure of the malware.
• Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[Random Name]
• VALUE: C:\WINDOWS\[malware].exe
• Modification: ADD
• Note: Autorun Registry Key
Command and Control
TorrentLocker has used two different methods for the DNS lookup and subsequent POST request to the attackers' C&C. The initial version iSIGHT Partners analyzed did not initiate an SSL connection prior to the POST request; more recent versions first establish an SSL connection after the DNS request and before making the POST.
One of the samples analyzed sends an encrypted POST body. For this POST we have included the decrypted content as well as a script to decrypt the data. It is interesting to note that the malware appears to check whether it is running in a VM and reports a warning to the attackers' C&C in the POST; however, this does not appear to affect whether the system is infected or files are encrypted. The second sample we looked at does not encrypt the POST data after establishing the SSL session. Also of note, the malware now appends a hard-coded botnet name to the content and removes the apparent VM detection check. It is possible that the initial traffic for this malware was encrypted because it did not use SSL; now that the samples all appear to use SSL, the encrypted POST data is an unnecessary second layer of protection.
See below for the network traffic:
First POST Request:
POST /gate.php HTTP/1.1
Encrypted body (hex dump, starting at offset 0x10):
0000010: 5757 6161 5656 6f6f 2a2a 6c6c 2828 0505 WWaaVVoo**ll((..
0000020: 3030 0404 3333 0a0a 3a3a 0c0c 4e4e 7878 00..33..::..NNxx
0000030: 4949 0c0c 3f3f 0e0e 4f4f 0d0d 3939 7c7c II..??..OO..99||
0000040: 7c7c 7c7c 7c7c 7c |||||||
Decrypted body (UTF-16LE):
0000010: 3200 3600 3700 3900 4500 4600 4400 2d00 2.6.7.9.E.F.D.-.
0000020: 3500 3400 3700 3900 3000 3600 4200 3600 5.4.7.9.0.6.B.6.
0000030: 3100 4500 3300 3100 4100 4200 3400 4500 1.E.3.1.A.B.4.E.
0000040: 0000 0554 0000 0077 0061 0072 006e 0069 ...T...w.a.r.n.i
0000050: 006e 0067 003a 0061 0076 006d 005f 0064 .n.g.:.a.v.m._.d
0000060: 0065 0074 0065 0063 0074 003a 0033 0032 .e.t.e.c.t.:.3.2
0000070: 0036 0020 0064 0065 0074 0065 0063 0074 .6. .d.e.t.e.c.t
0000080: 0069 006f 006e 0020 0072 006f 0075 0074 .i.o.n. .r.o.u.t
0000090: 0069 006e 0065 0020 0030 00 .i.n.e. .0.
Computer Name: [computer name]
Unique Identifier: 547906B61E31AB4E
VM Detection: warning:avm_detect:326 detection routine 0
NOTE: The encryption is a byte-wise XOR chain. The first byte is sent as-is; starting at offset 1, each plaintext byte is XORed with the preceding encrypted byte. Decryption therefore XORs each byte with the previous byte as it was before modification (the previous ciphertext byte, not the previous decrypted byte), which is why the script below saves it in a temporary before overwriting it. A side effect visible in the dump above is that UTF-16LE text, in which every second byte is zero, encrypts to pairs of identical bytes ("WWaaVVoo...").
Network traffic decryption can be achieved with the following script:
unsigned char temp = post[0];   /* byte 0 is transmitted unmodified */
for (i = 1; i < post_len; i++) {
    rem = post[i];              /* keep the ciphertext byte for the next round */
    post[i] ^= temp;            /* XOR with the previous ciphertext byte */
    temp = rem;
}
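The chain above, as an added example that is not part of the original post: both directions in Python, a decryption of offsets 0x10-0x3f from the dump (the only part of the encrypted body shown, with "3343" at 0x24 read as "3333" to match its ASCII column "33"), and a quick heuristic for spotting chained UTF-16 text in a capture. The sample body used for the round trip is constructed.

```python
def chain_encrypt(plain: bytes) -> bytes:
    """Malware side: byte 0 is sent unchanged, every later byte is XORed with
    the preceding *encrypted* byte (c[i] = p[i] ^ c[i-1])."""
    out = bytearray(plain)
    for i in range(1, len(out)):
        out[i] ^= out[i - 1]          # out[i-1] already holds ciphertext
    return bytes(out)


def chain_decrypt(data: bytes) -> bytes:
    """Analyst side, equivalent to the script above: p[i] = c[i] ^ c[i-1].
    Reading the neighbour from the untouched input replaces the rem/temp juggling."""
    out = bytearray(data)
    for i in range(1, len(out)):
        out[i] ^= data[i - 1]
    return bytes(out)


def doubled_byte_fraction(data: bytes) -> float:
    """Fraction of byte pairs (0-1, 2-3, ...) whose two bytes are equal. UTF-16LE
    ASCII text has a zero high byte in every pair, so after chaining each pair
    collapses to two identical bytes (the "WWaaVVoo" look in the dump). A body
    scoring close to 1.0 is a strong hint that this chain is in use."""
    pairs = [(data[i], data[i + 1]) for i in range(0, len(data) - 1, 2)]
    return sum(a == b for a, b in pairs) / len(pairs) if pairs else 0.0


# Offsets 0x10-0x3f of the first POST body, transcribed from the dump above.
POST_EXCERPT = bytes.fromhex(
    "5757616156566f6f2a2a6c6c28280505"
    "3030040433330a0a3a3a0c0c4e4e7878"
    "49490c0c3f3f0e0e4f4f0d0d39397c7c"
)


def decode_excerpt() -> str:
    """Decrypt the excerpt. The byte at 0x10 cannot be recovered because the
    ciphertext byte at 0x0f it was chained to lies outside the excerpt, so the
    first UTF-16 code unit is dropped; everything after it decodes cleanly and
    ends in the Unique Identifier reported above."""
    plain = chain_decrypt(POST_EXCERPT)
    return plain[2:].decode("utf-16-le")


# Constructed stand-in for a full body: computer name, NUL, unique identifier.
SAMPLE_BODY = "WIN-LAB01\x00547906B61E31AB4E".encode("utf-16-le")


if __name__ == "__main__":
    print(decode_excerpt())                                   # 679EFD-547906B61E31AB4E
    print(chain_encrypt(SAMPLE_BODY).hex())
    print(doubled_byte_fraction(chain_encrypt(SAMPLE_BODY)))  # 1.0
```

When decoding a capture, always start from the first byte of the HTTP body; any excerpt loses exactly one byte at its start, as decode_excerpt shows.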
Second POST Request:
00000000 50 4f 53 54 20 2f 67 61 74 65 2e 70 68 70 20 48 POST /ga te.php H
00000010 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70 74 3a TTP/1.1. .Accept:
00000020 20 2a 2f 2a 0d 0a 48 6f 73 74 3a 20 6c 61 67 6f */*..Ho st: lago
00000030 73 61 64 76 65 6e 74 75 72 65 73 2e 63 6f 6d 0d sadventu res.com.
00000040 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a .Content -Length:
00000050 20 31 33 37 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 137..Ca che-Cont
00000060 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d rol: no- cache…
Computer Name: [computer name]
Unique Identifier: 547906B61E31AB4E
Should you have any questions about this analysis – or the work we conduct here at iSIGHT Partners, please drop a line to email@example.com and we will get back to you as soon as possible. Alternatively, you can fill out a contact request form on our site by clicking here…