
Tox affiliate ransomware spotted in SPAM emails while dev offers chat support


36 replies to this topic

#1 Grinler (Lawrence Abrams)

  • Admin
  • 42,419 posts
  • Gender:Male
  • Location:USA

Posted 29 May 2015 - 03:57 PM

On May 23rd, McAfee posted an analysis of a new ransomware called Tox that anyone could create by simply going to a special TOR site. The site developer would then get 30% of ransom payments and the affiliate would get 70%. With this affiliate scheme, the site would be responsible for creating the malware and handling the ransom payments, but the affiliate would be responsible for distributing it.

[Screenshot: Tox Affiliate Site]


Yesterday, we received a report of this ransomware actively being distributed as attachments in SPAM emails. This attachment pretends to be a Word document by using a Word icon but is actually a file with the .scr extension. Once executed, the Tox ransomware will download TOR and other files to C:\Users\<user>\Appdata\Roaming\. It will then encrypt all files with AES encryption that match the following extensions:

.txt, .odt, .ods, .odp, .odm, .odb, .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsm, .xlsb, .xlk, .ppt, .pptx, .pptm, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .indd, .cdr, .jpg, .jpe, .jpeg, .dng, .3fr, .arw, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .cer, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .eps, .ai, .crt, .pem, .pfx, .p12, .p7b, .p7c, .pdf, .odc, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .png, .xml, .sql, .php, .asp, .aspx, .js, .css, .cs, .cpp, .hpp, .java, .class, .py, .pl, .veg, .aep, .aepx, .blend, .prproj, .cad, .tif, .sitx, .sit, .rmvb, .bmp, .pps, .pub, .qbb, .swf, .asf, .dss, .qxd, .3gp, .cdl, .mswmm, .ss, .eml, .csv
Any files that are encrypted will have the .toxcrypt extension appended to the filename. Tox will then display an HTML ransom note in the default web browser explaining how to make payment via your unique bitcoin address. The actual ransom amount will be different per affiliate as it is decided when they generate their version of the ransomware.

[Screenshot: Ransom Note]


Thankfully, Tox does not delete the Shadow Volume Copies so it is still possible to restore your files using a tool like Shadow Explorer. Information on how to restore your files via Shadow Explorer can be found here:

How to restore files encrypted by Tox using Shadow Volume Copies


After testing the sample, I decided to log in and take a look at the affiliate site. It is well made and the process for creating your own ransomware is really easy. Hell, they even have their own Twitter account. What I found more interesting was the creator of the site chatting with his new affiliates. Below are some snippets of interesting conversation from the Tox chat channel.



[Screenshot] Some affiliates bragging about the amount of ransom infections they currently have.



[Screenshot] Here the dev, Tox, reveals the total amount of current Tox infections.



[Screenshot] Someone brags about stealing their employer's (an investment company) email list.



[Screenshot] An affiliate asking questions about the type of encryption the ransomware uses.



Without a doubt this type of site and affiliate system is a disturbing trend as it allows anyone to generate an efficient and uncrackable ransomware. The only thing that is beneficial is that since distribution is handled by the affiliate, there will be plenty of amateurs and script kiddies being busted.


Files installed by Tox:

%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\tox.html
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Tox.scr
%AppData%\tor\
%AppData%\tor\cached-certs
%AppData%\tor\cached-microdesc-consensus
%AppData%\tor\cached-microdescs.new
%AppData%\tor\lock
%AppData%\tor\state
%AppData%\tox.log
%AppData%\tox_tor\
%AppData%\tox_tor\Data\
%AppData%\tox_tor\Data\Tor\
%AppData%\tox_tor\Data\Tor\geoip
%AppData%\tox_tor\Data\Tor\geoip6
%AppData%\tox_tor\Tor\
%AppData%\tox_tor\Tor\libeay32.dll
%AppData%\tox_tor\Tor\libevent-2-0-5.dll
%AppData%\tox_tor\Tor\libevent_core-2-0-5.dll
%AppData%\tox_tor\Tor\libevent_extra-2-0-5.dll
%AppData%\tox_tor\Tor\libgcc_s_sjlj-1.dll
%AppData%\tox_tor\Tor\libssp-0.dll
%AppData%\tox_tor\Tor\ssleay32.dll
%AppData%\tox_tor\Tor\tor.exe
%AppData%\tox_tor\Tor\zlib1.dll
%AppData%\tox_tor\tor.zip
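As an added example (not part of the post or of any tool mentioned in this thread), a small Python triage script that scopes a suspected Tox infection from the indicators above: it walks a directory for files carrying the .toxcrypt suffix, recovers each file's original extension, and checks the profile's AppData for the dropped artifacts. The directory arguments and the abbreviated extension set are assumptions; the full list from the post can be pasted into TOX_TARGET_EXTS.

```python
import os
from pathlib import Path

# Extensions Tox targets, taken from the list in the post above (abbreviated here;
# paste the full list in for a real triage).
TOX_TARGET_EXTS = {
    ".txt", ".odt", ".ods", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
    ".pdf", ".jpg", ".jpeg", ".png", ".psd", ".mdb", ".pst", ".sql", ".py",
    ".java", ".csv", ".pem", ".pfx",
}
ENCRYPTED_SUFFIX = ".toxcrypt"  # appended to every encrypted file

# Artifacts dropped by Tox, relative to %AppData% (from the post's file list).
TOX_ARTIFACTS = [
    r"Microsoft\Windows\Start Menu\Programs\Startup\tox.html",
    r"Microsoft\Windows\Start Menu\Programs\Startup\Tox.scr",
    r"tox.log",
    r"tox_tor\Tor\tor.exe",
]


def triage_tox(scan_root, appdata):
    """Scope a suspected Tox infection (assumed helper, not from the post).

    scan_root: directory tree to inspect for encrypted files.
    appdata:   the affected profile's %AppData% directory.
    Returns a summary dict usable for an incident ticket.
    """
    encrypted, unexpected_exts = [], set()
    for p in Path(scan_root).rglob("*" + ENCRYPTED_SUFFIX):
        original_name = p.name[: -len(ENCRYPTED_SUFFIX)]
        ext = os.path.splitext(original_name)[1].lower()
        encrypted.append(str(p))
        # An original extension outside Tox's list suggests a different variant
        # or a second sample, so flag it rather than assume.
        if ext not in TOX_TARGET_EXTS:
            unexpected_exts.add(ext)
    # Translate the Windows-style relative paths so the check also runs against
    # a mounted disk image under Linux.
    present = [a for a in TOX_ARTIFACTS
               if (Path(appdata) / a.replace("\\", os.sep)).exists()]
    return {
        "encrypted_count": len(encrypted),
        "encrypted_files": sorted(encrypted),
        "unexpected_original_exts": sorted(unexpected_exts),
        "artifacts_present": present,
        "likely_tox": bool(encrypted) or bool(present),
    }
```

Because Tox leaves the Shadow Volume Copies intact, the encrypted_files list doubles as the restore list for Shadow Explorer.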



#2 Kirbyofdeath

  • Members
  • 457 posts
  • Gender:Male
  • Location:Somewhere on Earth

Posted 29 May 2015 - 04:23 PM

Now this is interesting.



#3 Aura (Bleepin' Special Ops Tech Warrior)

  • Malware Study Hall Senior
  • 15,001 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 29 May 2015 - 04:24 PM

The era of Ransomware/Cryptoware becomes worse by the minute here. Every day the threat grows and it cannot be ignored. Everyone should now be running software that can block such threats (CryptoMonitor, CryptoPrevent, HitmanPro.Alert, antivirus with a behavior blocker (ESET, Emsisoft, Kaspersky, etc.)) and have a good back-up solution.

Help BleepingComputer Defend Freedom of Speech
Member of the Bleeping Computer A.I.I. early response team!
Technical Support, Tier 2 | Sysnative Windows Update Junior Analyst | Malware Hunter | R&D at Certly
My timezone UTC-05:00 (East. Coast), so if I'm assisting you in a thread, and I've not been online for a while, please check the time to see if I'm awake or asleep!


#4 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 44,232 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 May 2015 - 06:49 PM

As the malware writers and affiliates would say...it's only business.
Microsoft MVP - Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If we have helped you and you wish to make a DONATION, please Help BleepingComputer!

#5 RobertHD

  • Members
  • 348 posts
  • Gender:Male
  • Location:Somewhere in Oz

Posted 29 May 2015 - 08:37 PM

Ah yes, but even so they are allowing their own creations into the wrong hands. And as well, I don't even think I'll be going to that TOR website anyway...


Robert James Crawley Klopp


#6 PuReinSAniTY

  • Members
  • 421 posts
  • Gender:Male
  • Location:everywhere

Posted 30 May 2015 - 01:20 AM

I cannot believe this actually... as if ransomware wasn't already bad, now ordinary people with hardly any computing skills can set up something like this...


Guy broke into my apartment last week, didn't take the TV but he took the TV remote, now every time he drives past he changes the channel...sick bastard


#7 RobertHD

  • Members
  • 348 posts
  • Gender:Male
  • Location:Somewhere in Oz

Posted 30 May 2015 - 02:25 AM

This is bad, really, really bad!



#8 Sintharius (Bleepin' Sniper)

  • Members
  • 5,375 posts
  • Gender:Female
  • Location:The Netherlands

Posted 30 May 2015 - 03:40 AM

Their first tweet on the Twitter account was "Thanks for the advertising @McAfee!"

We have Security as a Service, now there is Malware as a Service as well...

#9 Aura (Bleepin' Special Ops Tech Warrior)

  • Malware Study Hall Senior
  • 15,001 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 30 May 2015 - 08:48 AM

It's not really Malware as a Service to be honest :P The "as a Service" is used for Cloud products, features, etc. and I don't think that Tox is "cloud-based".



#10 Cauthon

  • Members
  • 27 posts

Posted 30 May 2015 - 01:23 PM

We have always known that we should be fanatical about backups. We don't need ransomware; the hard drive can crash anytime. It's like those ads on TV where somebody gets a note saying your heart attack will be tomorrow; heart attacks don't send warnings, and neither do equipment problems. A few years ago I shut my car off to pump gas and the starter never worked again. My employer just bought me an external hard drive for lots of backup capacity - now I just have to develop a strategic plan for what to do :-)



#11 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 44,232 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 May 2015 - 04:28 PM

Backing up your data and disk imaging are among the most important maintenance tasks users should perform on a regular basis, yet it's one of the most neglected areas.

#12 PuReinSAniTY

  • Members
  • 421 posts
  • Gender:Male
  • Location:everywhere

Posted 30 May 2015 - 06:44 PM

It's true, the only full way to remove malware is to back up and reformat... some people don't understand how important it is to back up and think that a scan with ComboFix will fix the issue; truth is it won't.



#13 NickAu (Bleepin' Defenestraphobic)

  • BC Advisor
  • 6,224 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 31 May 2015 - 01:21 AM

Quoting Sintharius: "We have Security as a Service, now there is Malware as a Service as well..."

It was only a matter of time. This guy saw there was a demand so he supplies, and with live tech support. Now if only Micro.... NVM. The scary thing is others will now do the same thing, because there is money in it, and the average PC user will suffer. And the script kiddies? Well, they are just cannon fodder to these guys.

Now my rant.

I think it's about time for an education campaign by the media similar to the road safety and anti-tobacco messages we see on TV and hear on the radio all the time. More and more ordinary people use PCs and the internet every day and have no idea of the nasties out there, let alone any sort of idea about PC security. Sites like this can only do so much; I think something needs to be done to educate the people at a national level because as it stands at the moment the criminals are winning.

End Rant.

When was the last time you saw a "Stop downloading that software or clicking on that .doc may infect or encrypt your PC" ad on TV?

Is that still part of my rant?


Edited by NickAu, 31 May 2015 - 01:29 AM.


#14 White Hat Mike

  • Members
  • 312 posts
  • Gender:Male
  • Location:::1

Posted 31 May 2015 - 02:49 AM

Aura -- the hosting of malicious script(s)/library(ies) means that--well--we lose. We are playing a catch-up game. The fact of the matter is that we are spectators; we are witnesses of the recent growth of ransomware distribution, and we must do what we can to mitigate the effectiveness of ransomware infections, and/or the growth of ransomware infections discovered in the wild.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#15 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 44,232 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 31 May 2015 - 07:35 AM

We have always been playing a catch-up game.