
CryptoFortress Ransomware Support Topic - READ IF YOU WANT YOUR FILES BACK.html


38 replies to this topic

#1 White Hat Mike

Posted 04 March 2015 - 07:53 PM

CryptoFortress

 

Updated: 3/5/2015 8:00am

 

 

A new ransomware variant has been discovered in-the-wild.  Kafeine posted about it after accidentally discovering it roughly 11 hours ago; a link to Kafeine's blog post regarding the CryptoFortress ransomware can be found below:

 

http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html

 

While originally believed to be extremely similar to the TorrentLocker ransomware variant, further analysis has determined that it likely has used source code for the ransom notes and other web pages from TorrentLocker, but is actually a unique, new variant of ransomware altogether.

 

[image: TorrentLocker Ransom Note]

[image: CryptoFortress Ransom Note]

[image: TorrentLocker Payment Page]

[image: CryptoFortress Payment Page]

 

Updated Information

 

Tor Gateways Used:

  • connect2tor.org

  • door2tor.org

  • onion.cab

  • onion.city

  • tor2web.org

Tor URLs Used:

  • <systemIdentifier>.onion

Referenced URLs:

  • torproject.org

  • deepdotweb.com/how-to-access-onion-sites/

Initial executable launches a bat file via Command Prompt:

cmd.exe cmd /c C:\<random>.bat

Creates the same mutex on all reviewed devices infected:

\Sessions\1\BaseNamedObjects\Catawba!

Some Evasion Functionality:

  • Checks for kernel debuggers

  • Checks the free space of the local hard drive

  • Checks if a debugger is running

  • Disables application error messages (SetErrorMode)

  • Extensive use of GetProcAddress

Process Tree:

  • <initial executable>.exe -> cmd.exe -> vssadmin.exe

  • VSSVC.exe

  • svchost.exe

Key Information:

 

CryptoFortress utilizes a 2048 bit RSA-AES key for encryption; this key is generated on the client-side and therefore is briefly stored on the infected device itself.  The ransomware takes the 2048 bit RSA key and XORs it with an embedded key, and appends 8 bytes of the key to the end of each file.  It's unknown why the malware author implemented the functionality of appending 8 bytes of the RSA key to the end of affected files.

 

Observed Network Behavior:

 

CryptoFortress has been observed to attempt to make network connections, but often fails at initiating external connections.  It has also been found to exhibit a large quantity of malicious SMB traffic.

 

Functionality:

 

CryptoFortress has been found to enumerate network shares, all logical drives, and also deletes Volume Shadow Copies (VSCs) to prevent the easy recovery of affected files.

 

Mechanism of Action

Launching of Payload File (PE)

 

Upon launching CryptoFortress' initial payload (PE) file, it will create a .bat file and write the following code to it:

vssadmin delete shadows /all /quiet
del /f /q %0

It will then enumerate the file system for supported data files.  When a supported data file is found, CryptoFortress will create a copy of the file as the original file name and extension with .frtrss appended to the end.  It will then encrypt the data within this file and restore this file to the original name and extension.  I have not observed any explicit deletion of the original file at this time, but it likely securely deletes originals; if not, the renaming -> encryption -> restoration of the file probably occurs fast enough (<15s) to overwrite the MFT record of the original file.

 

Timestomping activity (the spoofing of file timestamps [$STANDARD_INFORMATION {$SIA} attribute]) has been observed, but does not appear to occur on every single file affected or directory encountered.

 

It has been observed to monitor the following registry key:

HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder

It has been found to create the same mutex on each infected device:

\Sessions\1\BaseNamedObjects\Catawba!

cmd.exe (command-line terminal) process is launched by the initial executable, and is launched to execute the created bat file.  The command-line arguments passed to cmd.exe are:

cmd /c C:\<random>.bat

Once the bat file is launched, it will delete itself, and then query the following directories with the respective masks to ensure that the bat file has been deleted, and to find the vssadmin.exe utility:

C:\    with masks:    <random>.bat, vssadmin *, vssadmin, <random>.bat
C:\Windows\System32    with masks:    vssadmin *, vssadmin.COM, vssadmin.EXE

When discovered, the VSSVC.exe process is launched as a result of vssadmin.exe's launch.  As displayed previously in the bat file code, vssadmin.exe is called with the following command-line arguments:

vssadmin delete shadows /all /quiet

This command will delete all Volume Shadow Copies (VSCs), preventing the easy restoration of files; it does so in a fashion that is transparent to the user.

 

When a file is encrypted within an enumerated directory, CryptoFortress will drop a ransom note in that directory, named:

READ IF YOU WANT YOUR FILES BACK.html

The interesting thing about CryptoFortress is that it doesn't appear to keep records of all directories that have been enumerated; meaning, that it will drop as many ransom notes in a directory as there are supported data files that it has encrypted.  All ransom notes are named the same, and I have observed a full directory of 30 data files that have been encrypted to contain an additional 30 files of ransom notes.

 

Additional Interesting Activity Observed on Windows XP Devices:

 

On Windows XP, some interesting activity has been observed, including the creation and execution of two (2) bat files as opposed to one (1)  as observed on Windows 7.  An additional command-line utility was executed on an analyzed Windows XP device:

chcp.com 1251

What this does is it changes the language of the command-line terminal, and the identifier 1251 changes the language to Russian.

 

Additionally, local sockets were found to have been bound and connected on an analyzed Windows XP device:

Sockets bound:
    0.0.0.0:60640
    0.0.0.0:63737
    127.0.0.1:1045
 
Sockets connected:
    127.0.0.1:1045

As we commonly see with these ransomware cases, a huge thanks to Nathan for quickly reverse-engineering the binary, and allowing us to gather further information related to the key information, and exposing the inner workings of this new ransomware variant.  More updates to come.


Edited by White Hat Mike, 05 March 2015 - 08:14 AM.

Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com
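A responder-side triage check for the on-disk artifacts this post describes (the ransom note name, the .frtrss working copy left beside a file, and the 8-byte trailer the post says is appended to every encrypted file). This is an added example, not code from the thread or from the reverse-engineering work it mentions; it builds a constructed sample tree under a temp directory so it runs offline, and the trailer bytes, file names and directory layout are made up. The useful signal is the last metric: if every touched data file ends in the same 8 bytes, that matches the behaviour described above and gives a responder a cheap way to scope which files one infection touched.

```python
"""
Triage of CryptoFortress-style file artifacts. Added example, not the thread's code.
Assumptions (labelled): the sample tree, the trailer bytes 00..77 and the file
names are constructed placeholders, not values observed in the wild.
"""
import os
import tempfile
from collections import Counter

NOTE_NAME = "READ IF YOU WANT YOUR FILES BACK.html"   # ransom note name from the post
WORKING_EXT = ".frtrss"                               # working-copy extension from the post
TRAILER_LEN = 8                                       # bytes appended per file, per the post


def walk_files(root):
    """Yield every regular file path under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)


def ransom_notes(root):
    """Every ransom note on disk; the post reports one dropped per encrypted file."""
    return sorted(p for p in walk_files(root) if os.path.basename(p) == NOTE_NAME)


def working_copies(root):
    """Leftover .frtrss copies point at an encryption pass that was interrupted."""
    return sorted(p for p in walk_files(root) if p.endswith(WORKING_EXT))


def trailer(path, n=TRAILER_LEN):
    """Return the last n bytes of a file, or None if it is shorter than n."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        if size < n:
            return None
        fh.seek(size - n)
        return fh.read(n)


def shared_trailer(paths, n=TRAILER_LEN):
    """Most common n-byte trailer across paths and how many files carry it.
    Files encrypted by one run should all end in the same 8 bytes."""
    counts = Counter(t for t in (trailer(p, n) for p in paths) if t is not None)
    if not counts:
        return None, 0
    return counts.most_common(1)[0]


def triage(root, data_exts=(".doc", ".docx", ".xls", ".jpg", ".pdf")):
    """Summarize the artifacts under root as a dict suitable for a ticket or SIEM event."""
    notes = ransom_notes(root)
    copies = working_copies(root)
    data_files = [p for p in walk_files(root) if p.lower().endswith(data_exts)]
    tail, hits = shared_trailer(data_files)
    return {
        "ransom_notes": len(notes),
        "leftover_working_copies": len(copies),
        "data_files": len(data_files),
        "files_sharing_trailer": hits,
        "shared_trailer_hex": tail.hex() if tail else None,
    }


def build_sample_tree():
    """Constructed sample: two folders of 'encrypted' files sharing a made-up
    trailer, a ransom note in each, one stale .frtrss copy and one clean file."""
    root = tempfile.mkdtemp(prefix="cf_triage_")
    fake_trailer = bytes.fromhex("0011223344556677")  # placeholder, not real key bytes
    for sub in ("Documents", "Pictures"):
        folder = os.path.join(root, sub)
        os.makedirs(folder)
        for i in range(2):
            with open(os.path.join(folder, f"file{i}.doc"), "wb") as fh:
                fh.write(os.urandom(64) + fake_trailer)
        with open(os.path.join(folder, NOTE_NAME), "w") as fh:
            fh.write("<html>constructed placeholder note</html>")
    # a working copy the encryptor never renamed back
    with open(os.path.join(root, "Documents", "file9.doc" + WORKING_EXT), "wb") as fh:
        fh.write(os.urandom(64) + fake_trailer)
    # an untouched file with no trailer
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"clean file, no trailer")
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Run it against a mounted image of the affected volume instead of the sample tree; the extension list is an assumption and should be widened to whatever the victim actually stores.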



#2 Aura (Bleepin' Special Ops), Malware Response Team

Posted 04 March 2015 - 08:10 PM

Malware spreaders are ready to do anything to make money with these Cryptowares now, so sad. Will monitor this thread to see your updates and analysis. Let's see what we'll be facing this time. Was it tested against CryptoPrevent and HitmanPro.Alert yet?

Edited by Aura., 04 March 2015 - 08:10 PM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 White Hat Mike (Topic Starter)

Posted 04 March 2015 - 08:27 PM

Malware spreaders are ready to do anything to make money with these Cryptowares now, so sad. Will monitor this thread to see your updates and analysis. Let's see what we'll be facing this time. Was it tested against CryptoPrevent and HitmanPro.Alert yet?

 

Not sure, but I doubt it.  Seems to be brand new; Kafeine believes it is equivalent to TorrentLocker with just a different name, but I am performing static and dynamic analysis right now to confirm the additional information.  Will post information when I gather it all.




#4 White Hat Mike (Topic Starter)

Posted 04 March 2015 - 08:36 PM

Initial findings:

 

  • Confirmed that the ransom note that is dropped is named READ IF YOU WANT YOUR FILES.html
  • Creates and launches randomly-named BAT files
  • Leverages the AUTOEXEC.BAT functionality
  • Edit: launches iexplore.exe (Internet Explorer) to display the ransom note
  • Initial observed action tree: creates bat file -> launches bat file -> pings localhost
  • Observed the appending of a 6-character file extension to affected files (.frtrss) will confirm with further analysis

 

Another edit: CryptoFortress absolutely DOES exhibit network activity


Edited by White Hat Mike, 04 March 2015 - 08:47 PM.



#5 Nathan (DecrypterFixer), Security Colleague

Posted 04 March 2015 - 08:52 PM

Seems off. The only equivalent I see to torrentlocker is things any script kiddie could get (html source from site, ransom note etc.) it has a different tor site even for English, which remains static on all their variants, different ransom note name, and the biggest is no network traffic, as the real torrentlocker sends a ton. This could be someone trying to profit their bleepty ransomware off a successful one, which happens a lot now. I'll get the dropper and reverse it soon.

 

Has anyone really confirmed RSA use in olly or Ida?

 

Again it could be TL, but always worth checking.


Have you performed a routine backup today?

#6 White Hat Mike (Topic Starter)

Posted 04 March 2015 - 09:03 PM

Seems off. The only equivalent I see to torrentlocker is things any script kiddie could get (html source from site, ransom note etc.) it has a different tor site even for English, which remains static on all their variants, different ransom note name, and the biggest is no network traffic, as the real torrentlocker sends a ton. This could be someone trying to profit their bleepty ransomware off a successful one, which happens a lot now. I'll get the dropper and reverse it soon.

 

Has anyone really confirmed RSA use in olly or Ida?

 

Again it could be TL, but always worth checking.

 

Still working on it, haven't gotten that far yet but I agree with you.  That information was initial information from a security vendor, but the more I look at this one the less I agree with what they've stated.  The language thing is interesting too, as it does launch CHCP.COM perhaps to identify the victim's country code / language?




#7 CyberProtectionGroup

Posted 04 March 2015 - 09:06 PM

Thanks White Hat Mike.  I haven't seen this variant.  Hoping not to :)



#8 White Hat Mike (Topic Starter)

Posted 04 March 2015 - 09:07 PM

So a brief overview and review of quickly-jotted notes gives me the following suggested mechanism of action (in order):

  1. Executable is Launched
    1. Creates two (2) randomly-named BAT files
    2. Begins encryption process and drops ransom notes
    3. Sets Registry values:
      1. \Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet -> set to 0
      2. \Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect -> set to 1
  2. One (1) of the BAT Files is Launched
    1. Executes chcp.com (indicated by process creation; maybe for country code / language ID?)
    2. Launches ping.exe (likely to ping localhost?)
    3. Creates an additional PE file (.exe)
    4. Deletes the original PE file
    5. Deletes itself
  3. The Second of the Two (2) BAT Files is Launched
    1. Launches the VSSADMIN.EXE utility (indicated by process creation; deletes all Volume Shadow Copies [VSCs])
    2. Deletes itself

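Detection logic for the process chain listed in the post above (a user-land executable spawning cmd.exe, which runs a .bat from the drive root, then chcp.com 1251, ping and vssadmin delete shadows), written as an added example rather than code from the thread. The one-line-per-process log format is a constructed simplification of a Sysmon Event ID 1 or EDR process-creation feed; the pids, the invoice.exe name and the qk3zr.bat name are placeholders standing in for the randomly named files the post describes. The shadow-copy deletion rule is the one worth alerting on by itself; the other two are weak on their own and are reported so they can be correlated with it through the parent chain.

```python
"""
Process-creation detection for the CryptoFortress launch chain. Added example,
not the thread's code. The log lines, pids and file names are constructed.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample feed: one process start per line (pid, parent pid, image, cmdline).
SAMPLE_LOG = """\
pid=1200 ppid=800 image=C:\\Users\\bob\\Downloads\\invoice.exe cmdline="invoice.exe"
pid=1300 ppid=1200 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd /c C:\\qk3zr.bat"
pid=1310 ppid=1300 image=C:\\Windows\\System32\\chcp.com cmdline="chcp.com 1251"
pid=1320 ppid=1300 image=C:\\Windows\\System32\\PING.EXE cmdline="ping 127.0.0.1"
pid=1400 ppid=1300 image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
pid=1500 ppid=900 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd /c C:\\Windows\\System32\\gpupdate.exe /force"
pid=1600 ppid=950 image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin list shadows"
"""

LINE_RE = re.compile(r'pid=(\d+) ppid=(\d+) image=(\S+) cmdline="([^"]*)"')
# cmd /c <drive>:\<name>.bat with the .bat sitting directly in the drive root, as in the post
BAT_IN_DRIVE_ROOT = re.compile(r'^cmd(\.exe)?\s+/c\s+[a-z]:\\[^\\\s]+\.bat$', re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self):
        """Lower-cased image file name; ntpath so Windows paths split correctly anywhere."""
        return ntpath.basename(self.image).lower()


def parse_log(text):
    """Parse the constructed feed into ProcEvent records, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProcEvent(int(m[1]), int(m[2]), m[3], m[4]))
    return events


# Each rule is a predicate over one event; names are the alert labels.
RULES = {
    "shadow_copy_deletion": lambda e: e.name == "vssadmin.exe"
    and "delete shadows" in e.cmdline.lower(),
    "cmd_runs_bat_in_drive_root": lambda e: e.name == "cmd.exe"
    and bool(BAT_IN_DRIVE_ROOT.match(e.cmdline.strip())),
    "codepage_switch_1251": lambda e: e.name == "chcp.com"
    and e.cmdline.split()[-1:] == ["1251"],
}


def detect(events):
    """Return (rule, pid) pairs for every event that trips a rule."""
    return [(rule, e.pid) for e in events for rule, pred in RULES.items() if pred(e)]


def ancestry(events, pid, max_depth=6):
    """Image names from the oldest known ancestor down to pid, e.g. [parent, cmd.exe, child]."""
    by_pid = {e.pid: e for e in events}
    chain = []
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur.name)
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def shadow_deletion_chains(events):
    """Shadow-copy deletions reached through cmd.exe, rendered as parent -> child chains.
    Deletions launched some other way (admin tooling, backup agents) are left out."""
    chains = []
    for e in events:
        if RULES["shadow_copy_deletion"](e):
            chain = ancestry(events, e.pid)
            if "cmd.exe" in chain:
                chains.append(" -> ".join(chain))
    return chains


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for rule, pid in detect(evs):
        print(f"{rule}: pid {pid}")
    for chain in shadow_deletion_chains(evs):
        print("chain:", chain)
```

Legitimate administration also runs vssadmin, so the chain view matters more than the single-event rule: in the sample, "vssadmin list shadows" under an unrelated parent produces nothing, while the deletion under cmd.exe under a Downloads executable is reported with its full lineage.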


#9 White Hat Mike (Topic Starter)

Posted 04 March 2015 - 09:12 PM

Some of the TOR Gateways that are used:

  • connect2tor.org
  • door2tor.org
  • onion.cab
  • onion.city
  • tor2web.org

All with the subdomain of a random string / identifier commonly seen in ransomware variants

 

Provides the typical, expected reference URLs to download TOR as well as instructions

  • torproject.org
  • deepdotweb.com/how-to-access-onion-sites/

Also provides a TOR URL (<random>.onion)




#10 White Hat Mike (Topic Starter)

Posted 04 March 2015 - 09:27 PM

For now -- retracting previous statement that it definitely exhibits network communication...  not seeing any on this run of Win 7...  bing.com and microsoft.com likely just the default page of IE when it launches.




#11 White Hat Mike (Topic Starter)

Posted 04 March 2015 - 11:10 PM

Here is a code snippet of some IDA output for Nathan...  I'm still learning Assembly Language, but I thought 0x0800 = 2048 bit RSA, 0x0400 = 1024 bit RSA, and nothing set in the upper 16 bits = 1024 bit.

 

Not sure if any of this info is helpful...

 

Here is some IDA output that I believe is relevant:

[image: IDA output screenshot]


Edited by White Hat Mike, 04 March 2015 - 11:13 PM.



#12 White Hat Mike (Topic Starter)

Posted 04 March 2015 - 11:32 PM

CryptoFortress Dynamic Analysis Results -- Truncated

 

Tor Gateways Used:

  • connect2tor.org
  • door2tor.org
  • onion.cab
  • onion.city
  • tor2web.org

Tor URLs Used:

  • <systemIdentifier>.onion

Referenced URLs:

  • torproject.org
  • deepdotweb.com/how-to-access-onion-sites/

Initial Executable Launches BAT Files via Command Prompt:

cmd.exe cmd /c C:\<random>.bat

Creates the same mutex on all reviewed devices infected:

\Sessions\1\BaseNamedObjects\Catawba!

Some Evasion Functionality:

  • Checks for kernel debuggers
  • Checks the free space of the local hard drive
  • Checks if a debugger is running
  • Disables application error messages (SetErrorMode)
  • Extensive use of GetProcAddress

Process Tree:

  • <initial executable>.exe
    • cmd.exe
      • vssadmin.exe
  • vssvc.exe
  • svchost.exe

Copies original file -> original file name and extension and appends ".frtrss" to the name

  • Interesting note -- just because it is odd -- "FRTRSS" is a Netherlands-based company named "Fortress Social Branding"
  • Netherlands...  Company name is "Fortress Social Branding"...  Ransomware is known as "CryptoFortress"...
  • A bunch of Netherlands-based script kiddies trying to mask their identity with a legitimate company?  Interesting to ponder...

Activities By Process

Original Executable

  • Creates a BAT file, writes the following code to the BAT file:
    vssadmin delete shadows /all /quiet
    del /f /q %0
  • Enumerates the file system
  • Copies original file -> originalFileName.OgExtension.frtrss
  • Encrypts the data within the copied file
  • Removes .frtrss extension from copied file (did not notice any file deletions, assuming original is securely deleted)
  • Observed timestomping of certain files
  • Queries Registry Values:
    • ComputerName
    • OOBEInProgress
    • SystemSetupInProgress
  • Monitor Registry Key:
    • HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
  • Creates Mutex:
\Sessions\1\BaseNamedObjects\Catawba!

cmd.exe

  • Process created by the launched bat file
  • Command-line arguments:
cmd /c C:\<random>.bat
  • Deletes the created bat file
  • Queries Directories:
    • C:\ (with masks: <random>.bat, vssadmin *, vssadmin, <random>.bat)
    • C:\Windows\System32 (with masks: vssadmin *, vssadmin.COM, vssadmin.EXE)
  • Creates Process:
C:\Windows\System32\vssadmin.exe
  • Terminates itself

Additional processes observed:

  • vssvc.exe (obviously as a result of vssadmin.exe launch)
  • svchost.exe
    • Notice some activity such as the enumeration of network shares and logical drives



#13 Nathan (DecrypterFixer), Security Colleague

Posted 04 March 2015 - 11:52 PM

I have currently completely reversed the whole unpacked exe into C, and renamed all variables. Going through the whole code now.

 

Things i can confirm:

 

Infection uses RSA-AES.

The key is generated client side.

The infection doesn't make any network calls, or at least fails, as I do see a few network functions.

 

Here is the code all cleaned up and renamed if you're interested. I should have the answer for you if the infection has a weak point or not soon.

 

http://pastebin.com/Hbu0TjRn



#14 White Hat Mike (Topic Starter)

Posted 05 March 2015 - 12:00 AM

I have currently completely reversed the whole unpacked exe into C, and renamed all variables. Going through the whole code now.

 

Things i can confirm:

 

Infection uses RSA-AES.

The key is generated client side.

The infection doesn't make any network calls, or at least fails, as I do see a few network functions.

 

Here is the code all cleaned up and renamed if you're interested. I should have the answer for you if the infection has a weak point or not soon.

 

http://pastebin.com/Hbu0TjRn

 

Awesome.

 

I didn't notice any network activity when running through Win 7 and Win XP was the OS that used the additional command-line function, and did nothing but ping localhost.

 

Do you know what size RSA key is used?  I just found this before reading your post...

; Attributes: bp-based frame

sub_41B320 proc near
mov     edi, edi
push    ebp
mov     ebp, esp
push    0               ; hTemplateFile
push    0               ; dwFlagsAndAttributes
push    3               ; dwCreationDisposition
push    0               ; lpSecurityAttributes
push    3               ; dwShareMode
push    40000000h       ; dwDesiredAccess
push    offset FileName ; "CONOUT$"
call    ds:CreateFileW
mov     hConsoleOutput, eax
pop     ebp
retn
sub_41B320 endp

align 4
dd 2 dup(0CCCCCCCCh)
mov     edi, edi
push    ebp
mov     ebp, esp
cmp     hConsoleOutput, 0FFFFFFFFh
jz      short loc_41B373
cmp     hConsoleOutput, 0FFFFFFFEh
jz      short loc_41B373
mov     eax, hConsoleOutput
push    eax
call    ds:CloseHandle



#15 Grinler (Lawrence Abrams), Admin

Posted 05 March 2015 - 12:37 AM

It has network activity on my end. Quite disturbing local network activity actually. This is going to be a bad one. Story should be done soon



