
Last week, the PandaLabs anti-virus laboratory received a question about a family of ransomware that uses PowerShell, a Microsoft tool included in Windows 10 that cyber-criminals have been abusing for some time.
Such questions are interesting because PandaLabs is focused on preventing exactly these ransomware attacks. But we must admit that we do not share all of our "findings" with the community. We have now decided to do so on an ongoing basis as part of our Tales from Ransomwhere series.
The ransomware arrives in a phishing email with a Word document attached.
The ransomware we were asked about sounds like old news to us: indeed, our colleagues at Carbon Black wrote about it in March. The attack is simple and straightforward: the ransomware arrives in a phishing email with a Word document attached. When the document is opened, a macro inside it runs cmd.exe to launch PowerShell, downloads a script from the Internet, and then launches PowerShell again, feeding the downloaded script to it as input to carry out the ransomware's work.
This ransomware, named PowerWare by Carbon Black, is just one more among the thousands we know about. We blocked it even before we ourselves learned about this family, although for some security companies this particular family has become more of a problem than others. Why?
Some anti-virus products are mostly signature-based and, at the same time, have a stronger presence on the perimeter than on the endpoint. Blocking Word documents at the perimeter is therefore not a good way out. Once some users are infected, these vendors can add signatures and protect the others (for example, by blocking the IP addresses from which the script is downloaded), but the absence of any executable malware downloaded from the Internet is a nightmare for them.
After all, ransomware is a large-scale business for cyber-criminals, and they spend a lot of resources finding new ways to keep it unnoticed by every type of security solution. PowerWare is just one example. The overall behaviour does not change, but subtle changes are introduced constantly, almost every week. These changes can apply both to the ransomware itself (how it carries out its actions) and to the delivery method (using new exploits, modifying existing exploits, changing the way the exploits are loaded, and so on).
Here is another good example of a new ransomware delivery method that we saw recently.
After an exploit for Internet Explorer is triggered, CMD is launched and the "echo" command is used to write the script to disk. A series of legitimate Windows binaries is then used to carry out the remaining steps, so that security solutions see no suspicious behaviour. The script is run by wscript; it downloads the DLL and then uses CMD to run regsvr32, which executes the DLL (via rundll32). In most cases that DLL is ransomware. Over 500 infection attempts using this new trick have been blocked.
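Both delivery chains described above (Word macro to cmd.exe to PowerShell, and wscript to cmd.exe to regsvr32 after an echo-redirect drops the script) are visible in endpoint process-creation telemetry even though no executable is downloaded. The following detection routine is an added example, not code from PandaLabs or from this post. It assumes process-creation events in a Sysmon-like shape (pid, parent pid, image name, command line); the event records are constructed for the demonstration, and the rule names, the ProcEvent type and the detect function are hypothetical.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event (constructed, Sysmon-like fields)."""
    pid: int
    ppid: int
    image: str      # executable file name
    cmdline: str    # full command line


# Constructed sample events modelled on the two chains described in the post.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    # chain 1: Word macro -> cmd.exe -> powershell -> powershell (downloaded script as input)
    ProcEvent(200, 100, "WINWORD.EXE", '"WINWORD.EXE" invoice.doc'),
    ProcEvent(201, 200, "cmd.exe", "cmd.exe /c powershell -c ..."),
    ProcEvent(202, 201, "powershell.exe", "powershell -c ..."),
    ProcEvent(203, 202, "powershell.exe", "powershell -File %TEMP%\\x.ps1"),
    # chain 2: IE exploit -> cmd.exe echo drops script -> wscript -> cmd.exe -> regsvr32 (DLL)
    ProcEvent(300, 100, "iexplore.exe", "iexplore.exe"),
    ProcEvent(301, 300, "cmd.exe", "cmd.exe /c echo var x=1; > %TEMP%\\a.js"),
    ProcEvent(302, 300, "wscript.exe", "wscript.exe %TEMP%\\a.js"),
    ProcEvent(303, 302, "cmd.exe", "cmd.exe /c regsvr32 /s %TEMP%\\p.dll"),
    ProcEvent(304, 303, "regsvr32.exe", "regsvr32 /s %TEMP%\\p.dll"),
    # benign: an administrator opening PowerShell from the desktop
    ProcEvent(400, 100, "powershell.exe", "powershell"),
]

# (child image, set of suspicious ancestor images, finding description)
CHAIN_RULES = [
    ("powershell.exe", {"winword.exe", "excel.exe"},
     "PowerShell launched under an Office process (macro delivery chain)"),
    ("regsvr32.exe", {"wscript.exe", "cscript.exe"},
     "regsvr32 launched under a script host (DLL execution chain)"),
    ("rundll32.exe", {"wscript.exe", "cscript.exe"},
     "rundll32 launched under a script host (DLL execution chain)"),
]

# cmd.exe using echo with output redirected into a script file
SCRIPT_DROP = re.compile(r"\becho\b.*>\s*\S+\.(js|vbs|ps1)\b", re.IGNORECASE)


def ancestors(ev, by_pid):
    """Return the list of ancestor events of ev, oldest last; cycle-safe."""
    chain, seen = [], set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events):
    """Return (pid, description) findings for every event matching a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        image = ev.image.lower()
        ancestor_images = {a.image.lower() for a in ancestors(ev, by_pid)}
        for child, parents, desc in CHAIN_RULES:
            if image == child and ancestor_images & parents:
                findings.append((ev.pid, desc))
        if image == "cmd.exe" and SCRIPT_DROP.search(ev.cmdline):
            findings.append((ev.pid, "cmd.exe echo-redirect writing a script file"))
    return findings


if __name__ == "__main__":
    for pid, desc in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {desc}")
```

The ancestry walk, rather than a direct parent check, is what catches the second PowerShell process (pid 203): its parent is another PowerShell, but Word is still further up the tree. The benign PowerShell started from explorer.exe (pid 400) produces no finding.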
Below we publish the MD5 checksums of all the DLLs intercepted in those 500 infection attempts:
00d3a3cb7d003af0f52931f192998508
09fc4f2a6c05b3ab376fb310687099ce
1c0157ee4b861fc5887066dfc73fc3d7
1cda5e5de6518f68bf98dfcca04d1349
1db843ac14739bc2a3c91f652299538c
2c5550778d44df9a888382f32c519fe9
2dcb1a7b095124fa73a1a4bb9c2d5cb6
2f2ca33e04b5ac622a223d63a97192d2
38fb46845c2c135e2ccb41a199adbc2a
3ac5e4ca28f8a29c3d3234a034478766
4cb6c65f56eb4f6ddaebb4efc17a2227
562bf2f632f2662d144aad4dafc8e316
63dafdf41b6ff02267b62678829a44bb
67661eb72256b8f36deac4d9c0937f81
6dbc10dfa1ce3fb2ba8815a6a2fa0688
70e3abaf6175c470b384e7fd66f4ce39
783997157aee40be5674486a90ce09f2
7981aab439e80b89a461d6bf67582401
821b409d6b6838d0e78158b1e57f8e8c
96371a3f192729fd099ff9ba61950d4b
9d3bf048edacf14548a9b899812a2e41
a04081186912355b61f79a35a8f14356
a1aa1180390c98ba8dd72fa87ba43fd4
a68723bcb192e96db984b7c9eba9e2c1
abb71d93b8e0ff93e3d14a1a7b90cfbf
b1ac0c1064d9ca0881fd82f8e50bd3cb
b34f75716613b5c498b818db4881360e
b6e3feed51b61d147b8679bbd19038f4
bbf33b3074c1f3cf43a24d053e071bc5
cba169ffd1b92331cf5b8592c8ebcd6a
d4fee4a9d046e13d15a7fc00eea78222
d634ca7c73614d17d8a56e484a09e3b5
de15828ccbb7d3c81b3d768db2dec419
df92499518c0594a0f59b07fc4da697e
dfd9ea98fb0e998ad5eb72a1a0fd2442
e5c5c1a0077a66315c3a6be79299d835
Posted by: Luis Corrons