
The new ransomware CryptoBit is distributed through exploit kits that target web browsers.



A few days ago, PandaLabs, Panda Security's anti-malware laboratory, discovered a new ransomware sample. It is a new variant of CryptoBit with some unique features.

Compared with other well-known ransomware families, CryptoBit is one of a kind. It differs from them in many respects, but one of its most distinctive features is the pop-up message that instructs the victim on how to get their files back. In this article we describe its other features.

ANALYZED SAMPLE

This report is based on the analysis of the following sample:
a67855dbd18652e99f13d29045b09391382bb8c817cda1e498cd01eb4a7bdf2c (SHA-256)

The sample is protected by a “packer”, a wrapper program that conceals another piece of malware inside it. After unpacking it, we see that apart from the compilation timestamp (April 5, 2016 at 12:20:55 PM) the binary contains no plain-text strings at all, a sign that CryptoBit's author wanted to make code analysis as hard as possible.

SPREAD

Data from Panda Security's “Collective Intelligence” systems show that CryptoBit is distributed through “exploit kits” that target various web browsers.

BEHAVIOR

Analyzing the sample's behavior let us pin down how CryptoBit works:



The first thing CryptoBit does is check the configured keyboard layouts. If one of them uses a specific language code (0x1a7, 0x419 (Russian) or 0x43f (Kazakh)), the program does not go ahead with encrypting files.

Having confirmed that none of the keyboard layouts is on its blacklist, CryptoBit enumerates all local drives, network shares and removable (USB) devices, looking for files with any of the targeted extensions. The goal: encrypt each file's entire contents so that a ransom can be demanded for it later.

In particular, CryptoBit targets the following extensions:
ods crp arj tar raw xlsm prproj der 7zip bpw dxf ppj tib nbf dot pps dbf qif nsf ifx cdr pdb kdbx tbl docx qbw accdb eml pptx kdb p12 tax xls pgp rar xml sql 4dd iso max ofx sdf dwg idx rtf dotx saj gdb wdb pfx docm dwk qba mpp 4db myo doc xlsx ppt gpg gho sdc odp psw psd cer mpd qbb dwfx dbx mdb crt sko nba jpg nv2 mdf qsd qbo

As soon as file encryption begins, the user sees a window like this on their computer:



Several details in this message help classify this new ransomware:

The ID shown is "58903347"
For the analyzed sample this value is always the same, whether the ransomware is run again on the same machine or on other devices. This suggests that the ID belongs to the ransomware itself and not to a specific user (or computer).

The amount of bitcoin to pay
Usually the ransom amount is fixed. In this case, however, the author (or authors) raise the ransom every day, which looks rather aggressive.

How to contact them
The victim is not sent to a web server reachable through a specific link, and “they” do not ask the user for anything in particular, at least for now.

They ask the user to contact them by e-mail (for example torrenttracker@india.com). If no reply arrives, the user can reach the attackers through an application called “Bitmessage”, which can be downloaded from “GitHub”.

And if the message alone is not enough to convince users that their files are encrypted, every folder containing a file that can no longer be decrypted also holds two specially created files:



OKSOWATHAPPENDTOYOURFILES.TXT

This file contains the same message (here in plain-text form) that is displayed to the user after the files have been encrypted.

sekretzbel0ngt0us.KEY
This second file contains a hexadecimal string of 1024 characters, which decodes to 512 bytes (4096 bits) of binary data.

Below is the content of a “sekretzbel0ngt0us.KEY” file, which stores the key material used to encrypt the other files.

Another CryptoBit action visible to the user is an HTTP request of this form:
videodrome69.net/knock.php?id=58903347

Note: the requested script “knock.php” does not exist.

ENCRYPTION OF FILES

To encrypt files, CryptoBit generates a random AES key (32 bytes, i.e. 256 bits) each time it runs, so it is practically impossible to decrypt the files without knowing that key.

So that this key, which is needed to decrypt the files once the ransom is paid, is not lost, the ransomware's author stores the generated AES key in encrypted form using the RSA algorithm.

The chosen public key is 4096 bits long, and we found it “hard-coded” inside the analyzed sample.

The RSA-encrypted AES key is stored in the file “sekretzbel0ngt0us.KEY” and can only be recovered with the corresponding RSA “private key” (which, in theory, only the ransomware's author can provide).

Here we noticed one particular trait: the sample does not use the system's built-in cryptographic libraries for RSA. Instead, CryptoBit carries its own statically linked set of “big number” arithmetic routines, with which it implements the RSA encryption algorithm itself.
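The two dropped files and the knock.php request described under BEHAVIOR, together with the key-file size given in this section, are enough to build a simple host and log triage check. The following Python script is an added example (not code from the article or from PandaLabs): it flags folders that contain both OKSOWATHAPPENDTOYOURFILES.TXT and a sekretzbel0ngt0us.KEY whose content is 1024 hex characters (one 512-byte RSA-4096 block), and pulls the id value out of proxy log lines carrying the knock.php request. The folder tree and log lines in demo() are constructed test data.

```python
import os
import re
import tempfile

NOTE_NAME = "OKSOWATHAPPENDTOYOURFILES.TXT"  # dropped-file names from the analysis
KEY_NAME = "sekretzbel0ngt0us.KEY"
RSA_BLOCK_BYTES = 4096 // 8  # one RSA-4096 ciphertext block = 512 bytes = 1024 hex chars
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
BEACON_RE = re.compile(r"/knock\.php\?id=(\d+)")

def key_file_matches(data: str) -> bool:
    """True if data has the .KEY shape: 1024 hex chars decoding to exactly 512 bytes."""
    s = data.strip()
    return bool(len(s) == 2 * RSA_BLOCK_BYTES and HEX_RE.match(s)
                and len(bytes.fromhex(s)) == RSA_BLOCK_BYTES)

def scan_tree(root: str) -> list:
    """Folders under root that hold both dropped files and a plausible key file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if NOTE_NAME in files and KEY_NAME in files:
            with open(os.path.join(dirpath, KEY_NAME), encoding="ascii", errors="replace") as f:
                if key_file_matches(f.read()):
                    hits.append(dirpath)
    return hits

def beacon_ids(log_lines) -> list:
    """ID values from proxy/web-log lines that carry the knock.php request."""
    return [m.group(1) for m in map(BEACON_RE.search, log_lines) if m]

def demo() -> tuple:
    """Constructed folder tree and log lines (not real victim data), run through both checks."""
    root = tempfile.mkdtemp()
    for folder, with_key in (("Documents", True), ("Pictures", False)):
        path = os.path.join(root, folder)
        os.makedirs(path)
        with open(os.path.join(path, NOTE_NAME), "w") as f:
            f.write("ransom note placeholder\n")
        if with_key:  # "Pictures" gets a note only, so it must not be reported
            with open(os.path.join(path, KEY_NAME), "w") as f:
                f.write("ab" * RSA_BLOCK_BYTES)  # constructed 1024-char hex blob
    logs = [  # constructed proxy log lines; the id value is the one seen in the sample
        '10.0.0.5 "GET http://videodrome69.net/knock.php?id=58903347 HTTP/1.1" 404',
        '10.0.0.5 "GET http://example.test/index.html HTTP/1.1" 200',
    ]
    return len(scan_tree(root)), beacon_ids(logs)
```

The 404 on the log line mirrors the article's note that knock.php does not exist, so the request is worth alerting on by path and id alone, not by response code.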

CONCLUSION

As we can see, ransomware is not going out of fashion. Every day we discover new samples that still manage to surprise us. In this case the surprise was not the use of “serious cryptography” (AES + RSA), which we see more and more often, but the ambition of this threat, its solid design and its interesting ideas.

Original article: Be careful with CryptoBit, the latest threat detected

Source: https://habr.com/ru/post/282121/

