
In December 2014, ESET researchers published a white paper on a ransomware family called TorrentLocker, whose copies were distributed through phishing e-mails purporting to come from local postal, energy or telecommunications companies. The paper described in detail the distribution scheme of this malware, its main functionality and the network protocol it uses. We also pointed out some similarities between the TorrentLocker code and the Hesperbot banking trojan. Over the past few months we have obtained new samples of the TorrentLocker family, which allowed us to track the current state of this malware's functionality and code.
In 2014, the authors of TorrentLocker borrowed the name of another well-known ransomware family, CryptoLocker, and placed it on the ransom demand web page. For reasons unknown to us, a year later they replaced the letters "o" in that name with zeros, giving "Crypt0l0cker". While examining the new samples, we did not find any significant differences in the code itself, in the distribution method or in the C&C server infrastructure, so we believe the same criminal group is behind the new samples. To avoid confusion, we keep the name TorrentLocker rather than the attackers' own name Crypt0l0cker.
Distribution scheme
The current method of distributing the ransomware is very similar to the one used in 2014. Phishing e-mails contain a link to a web page offering a "document" such as an unpaid bill or a parcel tracking code. The link points to the TorrentLocker dropper, which the user downloads and then runs. Once running, the ransomware starts communicating with its C&C server and begins encrypting the user's files. Below is a list of organizations that the attackers impersonated in phishing messages between April and August 2016.
As we noted in the 2014 paper, the URLs used to distribute the malware are still reachable only from the country targeted by the particular campaign. In this way the operators hinder analysis by antivirus researchers and by automated URL collection tools located outside that country.
Fig. 1. Example of a phishing message for users in Austria, impersonating Österreichische Post.
Fig. 2. Malware download page for users in Austria, impersonating A1 Telekom.
Fig. 3. Malware download page for users in Austria, impersonating the AFP mail service.
Fig. 4. Malware download page for users in Austria, impersonating Verbund.
Although the scheme as a whole matches the earlier one, there are some changes. In the new version the operators added several extra levels of redirection to the chain of links that leads to the TorrentLocker download. The phishing link in the body of the e-mail leads to a PHP script hosted on a compromised server. The script checks the visitor's geolocation, that is, whether the visitor is located in the country the campaign targets. If so, the visitor is redirected to the next stage of the download; otherwise the potential victim is redirected to the Google web site. What the victim actually downloads is an obfuscated JavaScript file, which in turn downloads and runs the TorrentLocker PE file. ReaQta has published a two-part study of this scheme. Below is an example of a redirect chain leading to the launch of the ransomware and the encryption of files.
- The phishing e-mail contains a link to the "tracking code listing". The link looks like hxxp://diniyat.com/jKu8xT.php?id=victim@domain.nl.
- The user is then redirected to hxxp://azrs.postnl-tracking24.org/yr7mb.php?id=dmljdGltQGRvbWFpbi5ubA==.
- The user clicks the following link to download a file to the computer: hxxp://azrs.postnl-tracking24.org/file/PostNL-pakket.zip.
- The user opens the archive and double-clicks the file PostNL-pakket.js.
- The JavaScript downloader fetches and launches the TorrentLocker executable on the victim's system, downloading it from hxxp://sudoimpex.ru/administrator/file.exe.
The malware still has the ability to harvest address book data and SMTP settings in order to spread further.
The authors added a password to prevent enumeration of the ransom web pages
In our 2014 analysis we noted that the attackers identified victims with so-called "user codes" generated on the C&C server side. These codes were quite predictable because they were generated sequentially. This weakness allowed us to access every ransom web page and collect statistics on how many users paid the ransom, from which countries, and so on. By the time our earlier research was released, the TorrentLocker operators had already added a 4-digit password for access to the ransom web page. According to Trend Micro, the "user pass" parameter was first observed on December 9, 2014, a week before we released our report on TorrentLocker. The operators may therefore have learned of this weakness in their implementation not from our report but from their own sources. Having noticed that antivirus researchers were able to reach all of the ransom web pages, they added the password field to prevent the pages from being enumerated. In current campaigns the "user code" is still generated predictably, but the value of the "user password" field is not. Most likely these values are generated randomly on the C&C server side.

Fig. 5. URL format in 2014.
Fig. 6. URL format with the "user password" field.
Obfuscation
For our analysis we selected three TorrentLocker samples packed with different crypters. It did not take us long to unpack them. As we observed in 2014, TorrentLocker samples contain several layers of code decryption, and the payload itself is injected into the trusted explorer.exe process. The core ransomware component still exports functions named _local_entry and _remote_entry. This scheme changed, however, in the sample used in the campaign called main-13, which does not inject its code into explorer.exe.
Once unpacked, the core ransomware module uses additional obfuscation to hinder analysis. We describe two code obfuscation techniques that were absent from the 2014 samples. First, the strings inside the file are encrypted with a hard-coded key. The key is identical across different TorrentLocker samples, although its length varies from sample to sample. The encrypted strings can be recovered with a simple XOR against this key. We have published a script on GitHub that decrypts the strings in an unpacked ransomware sample.
Second, the malicious code dynamically imports the Windows API functions it needs by 32-bit hashes of their names. This technique is common in malware: the loader walks the export names of a given library and computes the hash of each name until it finds the one it is looking for. We call the function responsible for this resolve_and_call_function. It takes a variable number of parameters, the first three of which are fixed: the first is an index into an array of library names, the second is the hash of the function name, and the third is the number of arguments to pass to the API function. The remaining parameters are the values passed to the API function when it is called. For example, a call to InternetOpenW might look like this.
    resolve_and_call_function(
        23,          // wininet.dll
        0xF190D96,   // hash("InternetOpenW")
        5,           // nargs
        0, 0, 0, 0, 0x8404C700 // args
    );
    // calls InternetOpenW(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL,
    //     INTERNET_FLAG_PRAGMA_NOCACHE|INTERNET_FLAG_NO_UI|INTERNET_FLAG_HYPERLINK|
    //     INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS|INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP|
    //     INTERNET_FLAG_NO_AUTH|INTERNET_FLAG_NO_CACHE_WRITE|INTERNET_FLAG_RELOAD)
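To label such call sites during analysis, an analyst hashes every export name of the indexed library with the suspected algorithm and looks the constant up. The Go program below is an added example, not ESET's tooling or the malware's code: the page does not name the hash algorithm, so ror13, djb2 and CRC32 are assumed candidates, and the export list is a constructed excerpt rather than the real export directory of wininet.dll.

```go
package main

import (
	"fmt"
	"hash/crc32"
)

// The page gives one data point, hash("InternetOpenW") == 0xF190D96, but not the
// algorithm, so these candidates are assumptions taken from common import-by-hash loaders.
var candidates = map[string]func(string) uint32{
	"ror13": func(s string) uint32 {
		var h uint32
		for i := 0; i < len(s); i++ {
			h = (h>>13 | h<<19) + uint32(s[i])
		}
		return h
	},
	"djb2": func(s string) uint32 {
		h := uint32(5381)
		for i := 0; i < len(s); i++ {
			h = h*33 + uint32(s[i])
		}
		return h
	},
	"crc32": func(s string) uint32 { return crc32.ChecksumIEEE([]byte(s)) },
}

// Constructed export lists (a real run reads each DLL's export directory);
// index 23 -> wininet.dll is the mapping shown in the page's call example.
var exports = map[int][]string{
	23: {"InternetOpenW", "InternetOpenUrlW", "InternetConnectW", "HttpOpenRequestW",
		"HttpSendRequestW", "InternetReadFile", "InternetCloseHandle"},
}

// buildTable hashes every export under every candidate algorithm; collisions
// between algorithms are kept side by side instead of being overwritten.
func buildTable(names []string) map[uint32][]string {
	table := make(map[uint32][]string)
	for algo, fn := range candidates {
		for _, name := range names {
			table[fn(name)] = append(table[fn(name)], algo+":"+name)
		}
	}
	return table
}

// resolve labels the (library index, hash) pair at a resolve_and_call_function
// call site; it returns nil when no candidate reproduces the hash.
func resolve(libIndex int, h uint32) []string {
	return buildTable(exports[libIndex])[h]
}
func main() {
	fmt.Println(resolve(23, candidates["ror13"]("InternetOpenW")))
	fmt.Println(resolve(23, 0xF190D96)) // the page's constant; prints [] unless a candidate matches
}
```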
Interaction with the C&C server
One of the most notable changes in the new version of TorrentLocker concerns how the ransomware communicates with its C&C server. As in previous versions, the new samples try to reach the C&C server through a URL hard-coded in the body of the executable. Now, however, randomly generated subdomain names are used, since hard-coded domains are usually taken down quickly.
Interestingly, if the connection to the C&C server fails, the ransomware falls back to the anonymous Tor network. A compact Tor client implementation is statically linked into the ransomware's executable, so the malware does not depend on third-party applications to use Tor. Communicating with the C&C server over Tor is becoming increasingly popular with ransomware authors, since it makes it considerably harder for antivirus researchers to determine the physical location of the C&C server.
Fig. 7. Source file paths in the ransomware binary, which show that the Tor component uses the LibreSSL library.
Below is a list of domains used by the three samples we analyzed.
The following .onion addresses of the Tor network were found in the analyzed samples, in this order.
- mz7oyb3v32vshcvk.onion
- h453liaclp7vmxnb.onion
- vrympoqs5ra34nfo.onion
We did not find significant changes in the communication protocol, apart from a new field carrying the victim's public IP address when Tor is used. This field was added so that the C&C server can still see the IP address of the request's source, which Tor hides. TorrentLocker uses the IP address for geolocation, to generate the ransom web page in the appropriate language and to display the ransom amount in the currency of the victim's region.
Whereas earlier versions of TorrentLocker relied only on HTTPS to protect the data exchanged between the ransomware and its C&C server, the new version adds another layer of encryption. The data is encrypted with symmetric AES-256-CBC before the HTTP POST request is formed; the request is then sent over SSL (HTTPS) or through Tor. The encryption key is hard-coded in the ransomware's executable and cannot easily be rotated: if the key were changed on the C&C server, other TorrentLocker samples would no longer be able to communicate with it. The AES keys we observed are listed at the end of this article.
Behavior depending on the victim's location
A well-known feature of TorrentLocker is the localization of its download pages and of the ransom demand and payment pages. The attackers present victims with information in their own language and in their local currency. For our analysis we tried to determine which countries the attackers had prepared localizations for.
To collect this information we used the option of manually specifying an external IP address when communicating through Tor. We described this parameter above: when the ransomware talks to its C&C server over Tor, it passes the victim's IP address as an argument so that the server can pick the right localization of the ransom page. We chose an IP address for each country and sent the C&C server a message reporting a compromised victim with that address as the parameter. In this way we obtained the localized ransom demand and payment instruction pages for the different campaigns.
The default web page is in English and quotes the ransom in dollars. We found 22 countries for which the attackers localized these pages. They are listed below.
- Australia
- Austria
- Belgium
- Czech Republic
- Denmark
- France
- Germany
- Italy
- Japan
- Martinique
- Netherlands
- Norway
- Poland
- Portugal
- Korea
- Spain
- Sweden
- Switzerland
- Taiwan
- Thailand
- Turkey
- Great Britain
We have seen phishing campaigns spreading TorrentLocker in each of the countries shown in bold. It is not clear whether the other localizations were used in past campaigns or whether they will be used in future ones.
We also noticed that the ransomware refuses to encrypt victims' files in several countries. We had noted this behavior before, but this time we were able to obtain the list of such countries.
Cryptography
Although the overall cryptographic scheme has not changed significantly, some aspects of its implementation have. In 2014 TorrentLocker used the LibTomCrypt cryptographic library, whereas the fresh samples use the Microsoft CryptoAPI (samples from the campaigns with identifiers "main-9" and "main-12"). Interestingly, the malware authors went back to LibTomCrypt in samples dated August 10, 2016 (campaign "main-13"); we do not quite understand why they returned to the previous library. Regardless of the library used, the initialization vector (IV) is always 32 zero bytes.
As mentioned earlier, the data exchanged between the ransomware and the C&C server is encrypted. Encryption is also applied to other TorrentLocker files, including the configuration file. For this, symmetric AES-256 is used with a key hard-coded into the body of the malware; the key differs between campaigns. TorrentLocker's file names are generated randomly.
Fig. 8. TorrentLocker configuration directory.
Using AES-256-CBC, the ransomware encrypts the files on the victim's computer, its own configuration files and the data sent to the C&C server. The 32-byte encryption key is generated with the CryptGenRandom API function; the low byte of the value returned by GetTickCount is then added to each of these bytes.
Fig. 9. Code flow when generating the encryption key.
All files on the computer are encrypted with this same key. The key is then encrypted with an RSA public key hard-coded in the body of the ransomware and sent to the C&C server. The same public key was found in all the other TorrentLocker samples.
The ransomware leaves the system operational and does not encrypt Windows system files. Earlier versions of TorrentLocker contained a list of extensions of files to encrypt, for example ".doc", ".docx", ".xls". The newer versions instead contain an exclusion list of files that must not be encrypted. It includes various executable files with the extensions ".exe", ".dll" and ".sys". The complete list is given below.
Another small change concerns the amount of file data that is encrypted. The 2014 versions encrypted the first 2 MB of each file. Sophos reported that the encrypted portion in the new versions has decreased to the first 1 MB.
Conclusion
TorrentLocker is still quite active and remains in the sights of many researchers, since the attackers rely on targeted phishing to spread it.
Indicators of compromise (IoC) and additional information
File 1
SHA-1: 2BF11BD7C946F36A690BD2DDB6623BF478E8F37B
Compilation date: Tue May 17 07:13:48 2016
Campaign ID: main-9
ESET detection name: Win32/Filecoder.TorrentLocker.C
File 2
SHA-1: BFF8090E21C020E989E4C36EBFE50B6C33DDC733
Compilation date: Tue Oct 07 00:40:23 2014
Campaign ID: main-12
ESET detection name: Win32/Injector.DCIZ
File 3
SHA-1: EB7BF6B79CCA5FD6B73F32049560AE57C9988A70
Compilation date: Wed Aug 10 08:55:29 2016
Campaign ID: main-13
ESET detection name: Win32/Filecoder.TorrentLocker.A
AES encryption keys
The initialization vector (IV) is always zero.
Sample SHA-1: 2BF11BD7C946F36A690BD2DDB6623BF478E8F37B
C&C data encryption key:
4D78C23939EBDE78B5BAFCAB47D199169AF6821F3D276B5324DF9D79ECC7BAD4
Configuration file encryption key:
BA14569ABB28C1B53ED02F2255EC0EBC9C1AC04F8F044062FBDF08B5ACB65C54
Sample SHA-1: BFF8090E21C020E989E4C36EBFE50B6C33DDC733
C&C data encryption key:
4D78C23939EBDE78B5BAFCAB47D199169AF6821F3D276B5324DF9D79ECC7BAD4
Configuration file encryption key:
34A43BC9495064A464BCCF82B43D8F03273528FE1A497E55B23EFA7D8D3B8DAF
Sample SHA-1: EB7BF6B79CCA5FD6B73F32049560AE57C9988A70
C&C data encryption key:
BEABC25657C4D67F84D0E517A654F3663EA2F79793221AA9247486A7584E6F79
Configuration file encryption key:
3664D810C09ED7B2A0EC9CB29426C92D7EC3B9592A7A86AE7E51D1895778B94C
Files with the following extensions are not encrypted: .exe, .dll, .sys, .vdx, .vxd, .com, .msi, .scr, .cpl, .bat, .cmd, .lnk, .url, .log, .log2, .tmp, .###, .ini, .chm, .manifest, .inf, .html, .txt, .bmp, .ttf, .png, .ico, .gif, .mp3, .wav, .avi, .theme, .evtx, .folder, .kdmp.
An RSA-4096 public key, used to encrypt the AES key, is shared by the campaigns main-9 through main-13.