
McAfee Labs Threat Advisory TeslaCrypt Ransomware

July 8, 2016

McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent malware. This Threat Advisory contains behavioral information, characteristics, and symptoms that may be used to mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs.

To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and Threat Reports” at the following URL: https://www.mcafee.com/enterprise/en-us/sns/preferences/sns-form.html.

Summary

TeslaCrypt is a newly crafted ransomware that encrypts the user’s files using AES encryption, and demands money for decrypting the files. This ransomware arrives on the user’s system from a compromised website, which also redirects the victim to the Angler Exploit Kit. This ransomware uses an old trick of encrypting document files such as text, PDF, and so on to force the victim to pay a ransom.

McAfee Labs detects this threat under the following detection names:

• Ransom-FXX![Hash]
• Ransom-Tescrypt![Hash]

Detailed information about the threat, its propagation, characteristics, and mitigation is in the following sections:

• Infection and Propagation Vectors
• Mitigation
• Characteristics and Symptoms
• Indicators of Compromise (IOC)
• Restart Mechanism
• Remediation
• McAfee Foundstone Services


Infection and Propagation Vectors

The malware is being propagated via a compromised website, which downloads this variant of crypt-ransomware onto the affected user’s system. The compromised website also redirects users to the Angler Exploit Kit. This malware also spreads via malicious links in spam emails. When executed, it encrypts the files on the user’s system.

Mitigation

Mitigating the threat at multiple levels, such as file, registry, and URL, can be achieved at various layers of McAfee products. Browse the product guidelines available here (click Knowledge Center, and select Product Documentation from the Support Content list) to mitigate the threats based on the behavior described below in the Characteristics and Symptoms section.

Alternatively, McAfee has created a standalone tool to help decrypt files encrypted by TeslaCrypt. The Tesladecrypt tool will decrypt encrypted files with the following extensions: .mp3, .micro, .xxx, and .ttt. The tool can be downloaded for free at the following URL: http://www.mcafee.com/us/downloads/free-tools/tesladecrypt.aspx

Refer to the following KB articles to configure Access Protection rules in VirusScan Enterprise:

• KB81095 – How to create a user-defined Access Protection Rule from a VSE 8.x or ePO 5.x console
• KB54812 – How to use wildcards when creating exclusions in VirusScan Enterprise 8.x

TeslaCrypt ransomware drops itself and other payloads into the “%appdata%/Roaming” folder with a random file name:

C:\Documents and Settings\Administrator\Application Data\<random7_letters>.exe [WinXP]
C:\Users\Administrator\AppData\Roaming\<random7_letters>.exe [Windows 7]

Users can configure and test Access Protection Rules to restrict the creation of new files and folders when there are no other legitimate uses.

Select New files being created and add the following file location in File or folder name to block:

• [WinXP] \Documents and Settings\[administrator]\Application Data\<random7_letters>.exe
• [Windows 7] \Users\[administrator]\AppData\Roaming\<random7_letters>.exe


Host Intrusion Prevention

• To blacklist applications using a Host Intrusion Prevention custom signature, refer to KB71329.
• To create an application-blocking rules policy that prevents the binary from running, refer to KB71794.
• To create an application-blocking rules policy that prevents a specific executable from hooking any other executable, refer to KB71794.
• To block attacks from a specific IP address through McAfee NitroSecurity IPS, refer to KB74650.

*** Disclaimer: Using *.* in an Access Protection rule would prevent all types of files from running and being accessed from that specific location. If specifying a process path under “Processes to Include,” the use of wildcards for folder names may lead to unexpected behavior. Users are requested to make this rule as specific as possible.

Characteristics and Symptoms

The malware is being propagated via compromised websites, which drop this variant of crypt-ransomware. The compromised website also redirects users to the Angler Exploit Kit. When the user executes the ransomware, it encrypts the files on the compromised system. Like other ransomware, TeslaCrypt encrypts document files such as text, PDF, and so on, but this variant of crypto locker also encrypts video-gaming-related files. This variant of the ransomware uses AES encryption to encrypt the user’s files and demands extortion money for decrypting them.

Detailed Analysis:

Upon execution, this malware copies itself to the AppData\Roaming\ folder:

• C:\Users\Administrator\AppData\Roaming\iylipul.exe
• C:\Users\Administrator\AppData\Roaming\key.dat
• C:\Users\Administrator\AppData\Roaming\log.html

The TeslaCrypt ransomware is compiled with a C++ compiler. After execution of this threat, the following pop-up window is displayed on the compromised system:

The victim is then asked to follow steps to obtain the private key from the server to decrypt the encrypted files.

TeslaCrypt uses the following icons:

[Icons: WinXP, Win 7]

When executed, the parent file creates another process of its own and also creates a thread that performs other malicious activities on the system. After creating the thread, it terminates the following running processes:

• ProcessExplorer.exe
• Cmd.exe
• Regedit.exe

This variant of the ransomware also targets video game-related files, as shown below:

Some of the affected games and gaming software are:

• Bethesda Softworks settings file
• F.E.A.R. 2 game
• Steam NCF Valve Pak
• Call of Duty
• EA Sports
• Unreal 3
• Unity scene
• Assassin's Creed game
• Skyrim animation
• Bioshock 2
• League of Legends
• DAYZ profile file
• RPG Maker VX RGSS
• World of Tanks battle
• Minecraft mod
• Unreal Engine 3 game file
• Starcraft saved game
• S.T.A.L.K.E.R. game file
• Dragon Age Origins game

The malware sends the victim’s information to the control server:

It also stores the information of the encrypted file in HTML format for later use.

Network Activity

We have seen the following network activity for this ransomware:

Attackers are also offering free decryption for some of the files to make victims believe that decryption is working, but it is a fake offer:

The mode of payment for getting the decryption key is via PayPal or bitcoin.


This page clearly shows the attacker's intention: the price is 1.5 BTC (about 415 USD) if paid in bitcoin (BTC), but 1000 USD if the victim pays via PayPal. The attacker wants the victim to use BTC as the payment method because BTC is untraceable, which is why BTC is the cheaper payment mode.

Newer Variant of TeslaCrypt

During the last couple of weeks, McAfee Labs has observed a huge increase in spam related to Nemucod. Nemucod is a malicious JavaScript file that usually arrives as a .zip attachment and tries to download other malware from the Internet. Nemucod is known to download threats such as Fareit, CryptoWall, and a few others. However, we have observed that Nemucod is now downloading new variants of TeslaCrypt, a file-encrypting ransomware discovered in early 2015.

The new variant is TeslaCrypt version 2.2.0. This version of TeslaCrypt encrypts the user’s files and appends a .VVV extension to the file names. The file extension changes regularly; the previous version of TeslaCrypt used the .CCC extension. It encrypts the user’s files using RSA-4096. The malware also drops two files on the victim’s machine, a plain-text file and an HTML file, that contain instructions on how to pay the ransom and receive a decryption key. The ransom message instructs the victim to install the anonymous Tor web browser and visit a Tor website for further instructions.

Upon execution, it drops and executes a copy in the %AppData% directory and deletes itself. To ensure only one instance is running, it creates a mutex named "2134-1234-1324-2134-1324-2134".

Like the old TeslaCrypt variants, the new one also removes the volume shadow copies from the target's system, preventing the user from restoring the encrypted files from them. Shadow Copy is a technology included in Microsoft Windows that lets the user take backup copies (snapshots) of computer files or volumes. To delete the shadow volume copies, TeslaCrypt runs the command vssadmin.exe Delete Shadows /All /Quiet, which quietly deletes all Shadow Volume Copies on the computer.

It then modifies the Boot Configuration Data (BCD) using the BCD command-line tool (bcdedit.exe) to disable features that would help the user restore or recover the encrypted files. BCD is a firmware-independent database for boot-time configuration data. The malware does the following:

• disables Emergency Management Services (EMS)
• disables the Edit and Advanced Boot options at startup
• disables Windows Startup Repair and Error Recovery

It sets the "EnableLinkedConnections" registry value to force Windows to make network drives available to both the standard and administrator accounts automatically. This way, the ransomware can search and encrypt files on network drives and shares without any issues.
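The three behaviours just described (shadow-copy deletion with vssadmin, boot-recovery tampering with bcdedit, and setting EnableLinkedConnections) are each visible in ordinary process-creation and registry telemetry. The following is an added detection example, not code from the advisory or from McAfee. The event records are constructed samples; the bcdedit option names are standard bcdedit settings assumed to correspond to the features listed above, and the location of EnableLinkedConnections under the Policies\System key is the standard Windows location, assumed rather than taken from the page.

```python
import re

# Constructed sample telemetry, not taken from the advisory. Each dict mimics a
# process-creation or registry-set record from an EDR/Sysmon-style feed.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"type": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLinkedConnections", "data": 1},
    # Benign noise: listing shadows and a normal Run entry must not fire.
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe List Shadows"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

# The command the advisory quotes, matched loosely so that argument order or
# casing differences do not slip past the rule.
VSSADMIN_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
BCDEDIT_SET = re.compile(r"\bbcdedit(\.exe)?\b.*\s/set\b", re.IGNORECASE)
# bcdedit settings (assumed mapping) that switch off the recovery features the
# advisory lists: EMS, edit/advanced boot options, Startup Repair and Error Recovery.
BCD_RECOVERY_OPTIONS = {"bootems", "optionsedit", "advancedoptions",
                        "recoveryenabled", "bootstatuspolicy"}
# Standard (assumed) location of the EnableLinkedConnections policy value.
LINKED_CONN_KEY_SUFFIX = r"\policies\system"


def classify(event):
    """Return the name of the TeslaCrypt behaviour an event matches, or None."""
    if event["type"] == "process":
        cmd = event["cmdline"]
        if VSSADMIN_DELETE.search(cmd):
            return "shadow_copy_deletion"
        if BCDEDIT_SET.search(cmd):
            tokens = {t.lower() for t in cmd.split()}
            if tokens & BCD_RECOVERY_OPTIONS:
                return "boot_recovery_disabled"
    elif event["type"] == "registry":
        if (event["value"].lower() == "enablelinkedconnections"
                and str(event["data"]) == "1"
                and event["key"].lower().endswith(LINKED_CONN_KEY_SUFFIX)):
            return "linked_connections_enabled"
    return None


def detect(events):
    """List (index, behaviour) pairs for every event that trips a rule."""
    hits = []
    for i, event in enumerate(events):
        behaviour = classify(event)
        if behaviour:
            hits.append((i, behaviour))
    return hits


def verdict(events):
    """Escalate when several distinct behaviours appear on one host: any one of
    them has legitimate administrative uses, but the combination is the chain
    the advisory describes."""
    behaviours = {b for _, b in detect(events)}
    if len(behaviours) >= 2:
        return "high"
    if behaviours:
        return "medium"
    return "none"


if __name__ == "__main__":
    for index, behaviour in detect(SAMPLE_EVENTS):
        print(f"event {index}: {behaviour}")
    print("verdict:", verdict(SAMPLE_EVENTS))
```

The verdict function deliberately scores the combination rather than any single command: administrators do delete shadow copies and edit BCD entries, so a single hit is worth a look, while two or more distinct behaviours on one host within a short window is the pattern worth paging on.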

The remote server and configuration details are all encrypted in its body. The ransomware decrypts them first before attempting to connect to them. The following are the decrypted remote URLs found in the sample we analyzed:

• http://atendercrumb.com/wp-content/plugins/theme-check/misc.php
• http://aumentopenis.org/wp-content/plugins/theme-check/misc.php
• http://apiercephoto.com/wp-content/plugins/theme-check/misc.php
• http://austinberean.com/wp-content/plugins/theme-check/misc.php
• http://attlecostumiers.com/wp-content/plugins/theme-check/misc.php
• http://athomegirl.com/wp-content/plugins/theme-check/misc.php

It also terminates the processes containing the following strings:

• “askmg”: Task Manager, taskmgr.exe
• “rocex”: Process Explorer, procexp.exe
• “egedit”: Registry Editor, regedit.exe
• “sconfi”: System Configuration, msconfig.exe
• “cmd”: command-line tool, cmd.exe

TeslaCrypt tries to encrypt files with the following extensions:

It then calls the GetLogicalDriveStringsW API and lists all available drives in the system. It searches for target files to encrypt on all fixed, network, and removable drives but avoids the following:

• files in the %Windows%, %ProgramFiles% and %AllUsers% directories
• files whose names contain strings such as "recove" and ".vvv"; this avoids encrypting the "HowTo_Restore" instruction files and files that are already encrypted

The malware also creates an autostart registry entry to ensure its copy will be executed upon rebooting.

Finally, it creates three “Howto_Restore” files in the %Desktop% directory and pops them up on the victim’s screen:

• Howto_Restore_FILES.TXT
• Howto_Restore_FILES.HTM
• Howto_Restore_FILES.BMP

However, paying ransom to get the files back is not advisable, and users are requested to keep their AVs updated.

Indicators of Compromise (IOC)

The following indicators can be used to identify TeslaCrypt infected machines in an automated way:

• Files dropped in the Administrator Application Data folder:
  o C:\Users\Administrator\AppData\Roaming\<(7-11)random_letters>.exe
  o C:\Users\Administrator\AppData\Roaming\key.dat
  o C:\Users\Administrator\AppData\Roaming\log.html

• Run Key in the Registry:

  o HKCU\Software\Microsoft\Windows\CurrentVersion\Run@^svcav_module^^<random7_letters>.exe [Win 7]
  o HKCU\Software\Microsoft\Windows\CurrentVersion\Run@^crypto13^^<random7_letters>.exe [Win 7]
  o HKCU\Software\Microsoft\Windows\CurrentVersion\Run@^Acrndtd^^<(7-11)random_letters>.exe [Win 7]
  o HKLM\Software\Microsoft\Windows\CurrentVersion\Run@^svcav_module^^<random7_letters>.exe [Win XP]
  o HKLM\Software\Microsoft\Windows\CurrentVersion\Run@^crypto13^^<random7_letters>.exe [Win XP]

Restart Mechanism

The following registry entries enable the ransomware to execute every time Windows starts:

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run@^svcav_module^^<random7_letters>.exe [Win 7]
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run@^crypto13^^<random7_letters>.exe [Win 7]
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run@^Acrndtd^^<(7-11)random_letters>.exe [Win 7]
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run@^svcav_module^^<random7_letters>.exe [Win XP]
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run@^crypto13^^<random7_letters>.exe [Win XP]
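The IOC and Restart Mechanism lists above describe a file-system shape (a 7-11 letter .exe at the root of the roaming profile, next to key.dat and log.html) and a set of Run value names (svcav_module, crypto13, Acrndtd). The following is an added example of turning those into an automated check, not code from the advisory or from McAfee. It assumes a host inventory expressed as a list of file paths and a list of (key, value name, data) Run entries; the sample inventory is constructed, and the random-letter pattern is interpreted as lowercase ASCII letters.

```python
import re

# Path shapes taken from the advisory's IOC list: a 7-11 letter .exe dropped
# directly into the roaming profile (Windows 7) or Application Data (Windows XP).
DROPPER_PATTERNS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\([a-z]{7,11})\.exe$", re.IGNORECASE),
    re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\application data\\([a-z]{7,11})\.exe$",
               re.IGNORECASE),
]
COMPANION_FILES = {"key.dat", "log.html"}
# Run value names listed in the advisory (the part between @^ and ^^).
RUN_VALUE_NAMES = {"svcav_module", "crypto13", "acrndtd"}
RUN_KEY = re.compile(r"^HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)

# Constructed sample inventory (not real telemetry): file paths and Run entries
# as (key, value name, data) tuples, mixing one infected profile with benign noise.
SAMPLE_PATHS = [
    r"C:\Users\Administrator\AppData\Roaming\iylipul.exe",
    r"C:\Users\Administrator\AppData\Roaming\key.dat",
    r"C:\Users\Administrator\AppData\Roaming\log.html",
    r"C:\Users\Administrator\AppData\Roaming\abc.exe",                          # too short
    r"C:\Users\Administrator\AppData\Roaming\Dropbox\Update\DropboxUpdate.exe",  # subfolder
    r"C:\Program Files\Vendor\updater.exe",
]
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svcav_module",
     r"C:\Users\Administrator\AppData\Roaming\iylipul.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce", "crypto13",
     r"C:\tmp\x.exe"),                                                         # wrong key
]


def dropper_match(path):
    """Return the random stem if the path has the dropper's shape, else None."""
    for pattern in DROPPER_PATTERNS:
        found = pattern.match(path)
        if found:
            return found.group(1)
    return None


def match_paths(paths):
    """Split paths into dropper candidates and key.dat/log.html files that sit
    in the same folder as a candidate."""
    droppers = [p for p in paths if dropper_match(p)]
    dropper_dirs = {p.rpartition("\\")[0].lower() for p in droppers}
    companions = []
    for p in paths:
        folder, _, name = p.rpartition("\\")
        if name.lower() in COMPANION_FILES and folder.lower() in dropper_dirs:
            companions.append(p)
    return droppers, companions


def match_run_entries(entries):
    """Run values whose name is one the advisory lists, or whose data points at
    a dropper-shaped executable."""
    hits = []
    for key, name, data in entries:
        if RUN_KEY.match(key) and (name.lower() in RUN_VALUE_NAMES or dropper_match(data)):
            hits.append((key, name, data))
    return hits


def assess_host(paths, run_entries):
    droppers, companions = match_paths(paths)
    run_hits = match_run_entries(run_entries)
    # A 7-11 letter name alone is weak evidence (plenty of legitimate tools
    # have such names), so the strong verdict needs corroboration.
    if droppers and (companions or run_hits):
        verdict = "likely TeslaCrypt"
    elif droppers or run_hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"droppers": droppers, "companions": companions,
            "run_hits": run_hits, "verdict": verdict}


if __name__ == "__main__":
    print(assess_host(SAMPLE_PATHS, SAMPLE_RUN_ENTRIES))
```

The name pattern on its own will flag legitimate executables, which is why the strong verdict requires either the companion files or one of the named Run values in the same profile; on a real fleet the path list would come from a file inventory and the Run entries from a registry export.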

Remediation

The detection for this malware family has been added to the database and is available from DAT 8031. A Full Scan with updated DATs can remove the infection from the machine. McAfee Labs is actively detecting these variants as Ransom-Tescrypt!<partial hash>.

Getting Help from the McAfee Foundstone Services team

This document is intended to provide a summary of current intelligence and best practices to ensure the highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of strategic and technical consulting services that can further help to ensure you identify security risk and build effective solutions to remediate security vulnerabilities.

You can reach them here: https://www.mcafee.com/enterprise/en-us/services/foundstone-services.html

This Threat Advisory is for the education and convenience of McAfee customers. We try to ensure the accuracy, relevance, and timeliness of the information and events described; they are subject to change without notice.

Copyright 2014 McAfee, Inc. All rights reserved.