Magic Ransomware support topic. Magic.exe executable and adds .magic extension

Several machines have been hit with this one in the past few days, including my own server. It encrypts documents, videos, music, and pictures. The file extension is .magic, the virus is magic.exe, and it leaves two text files on the desktop.
 
DECRYPT_ReadMe.TXT has the ransom note, which can be read easily in the pastebin
 
DECRYPT_ReadMe1.TXT is a list of the affected files
 
Oddly enough, it was manually sent to my server through my teamviewer account.
 
The entirety of the code was posted on pastebin three days ago.
https://pastehistory.com/?id=hH58bMjR
 
Has anyone else seen this one?
 
Edit: The machines I had hit were running Windows 8.1 and Server 2012
 
With this Reddit post, I'm only up to four people I've seen hit with it in three days.
https://www.reddit.com/r/techsupport/comments/422cp5/some_files_on_pc_got_magic_extension_added_to_them/

Edited by Grinler, 23 January 2016 - 09:02 AM.

Interesting, I've not heard of it (not that I'm super-embedded in the security sector).

 

If you have the magic.exe and a sample encrypted file, that would definitely help. Ransom note too to be safe, but the contents of it are already in the source code. It looks like the server in the source is no longer serving those pages. Having that C# source will surely go a long way in understanding the encryption method, but I wonder if it is the final result of what was compiled to the executable?

 

I would make sure to change your TeamViewer password immediately if you haven't already, that probably goes without saying.

 

I can only say that it looks to be using 256-bit AES to encrypt the file, which isn't going to be something we can brute-force directly, but there could always be another way of getting the key. I'm no expert on this though, so take that with a grain of salt - I'm still learning.

I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Please submit samples of any encrypted files and ransom notes here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic.

You can also submit samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating by our crypto experts.

These are common locations malicious executables related to ransomware infections may be found:
%Temp%
C:\<random>\<random>.exe
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%

It's based on eda2:

 

https://github.com/utkusen/eda2

 

I suggest contacting the author (http://www.utkusen.com/en/). After all, he was the genius that thought publishing a fully working ransomware including instructions on how to customize it is a good idea. From what I can tell just looking through the code, it is unlikely there will be a way to fix it.

Thanks for giving me a look! Definitely changed every password I've used on the machine afterwards

 

Here are the three files left on my desktop by the attack, as well as a couple affected files. I did cut out most of the text file showing the affected files, just because I didn't feel like flashing the entirety of my file structure around, but I left enough to get an idea.

 

Be careful, obviously, all I did was zip it up.

 

Edit: I didn't refresh until I'd set up the drive link. I've submitted the files properly now.

Edited by Retry2, 22 January 2016 - 02:36 PM.

It's based on eda2:
 
https://github.com/utkusen/eda2
 
I suggest contacting the author (http://www.utkusen.com/en/). After all, he was the genius that thought publishing a fully working ransomware including instructions on how to customize it is a good idea. From what I can tell just looking through the code, it is unlikely there will be a way to fix it.

 
Well, fun. So what about chances of it being used by script-kiddies who don't know how to secure a PHP-hosting server? Could be the best bet if they leave some defaults in place.
 
 

Are you guys using the teslacrack method?

I'm not sure if this one would be open to a factorization attack, I think that was specific to how TeslaCrypt stored the key with multiplication.
 
I'll see if I can take a look at what C&C yours is trying to call and see if it is exploitable maybe.
 
I would suggest trying recovery software such as Recuva. I don't see a secure wipe implemented, so you could get lucky with that.

It's based on eda2:

 

https://github.com/utkusen/eda2

 

I suggest contacting the author (http://www.utkusen.com/en/). After all, he was the genius that thought publishing a fully working ransomware including instructions on how to customize it is a good idea. From what I can tell just looking through the code, it is unlikely there will be a way to fix it.

 

Wow that was quick. Thank you.

 

Any suggestions on how to word THAT awkward email? I don't know where to begin.

 

 

Edit: This is the email I sent

The code from pastebin is below

https://pastehistory.com/?id=hH58bMjR

Edited by Retry2, 22 January 2016 - 02:52 PM.

Taking a look through the original project's PHP files, I don't see a exploitable weakness, but I see a potential flaw; there would be a storage collision, as it only matches keys with the machine's name. So, for instance, it will store the latest key for "Owner-PC", and if anyone else has that same machine name, their key is overwritten. This means you aren't guaranteed to be given the right key even if you do pay, unless you have a really unique computer name. Even the generation of the keys themselves could collide if you have the same computer name and username as another victim.

 

Hopefully that is a null point if this one doesn't get too popular (we can only hope).

 

In the executable you linked, I get the follow website pages:

http://reloaded.orgfree.com/new/my.php
http://reloaded.orgfree.com/new/your.php

That domain redirects me an "account was terminated" page, so they may have been taken down. I don't think that helps your case I'm afraid if we cannot get those keys from their database.

 

I'd have to suggest checking Recuva or other "undelete" software, I see that as being your only option at this point.

 

I'd have to suggest checking Recuva or other "undelete" software, I see that as being your only option at this point.

 

Good looking out, but sadly none of the files I was worried about are recoverable.

Shame. I find that odd since it literally just "moves" the file, I see no delete function in the source.

 

I took a bit further look, and it never stores the public key on your system. It sends your computer name ("My-PC" or whatever) to the server, which only uses that to store it in the database with a totally random private 2048-bit RSA key. The public key is spit back to the malware, which simply holds it in memory to encrypt the encryption key, which is sent back to the server and stored in the database (assigned to your computer name, which once again could collide with another user's computer name very easily). The password for your files is a 32-character password randomly generated string, which is only ever sent to the server encrypted. The file itself contains no data, the entire thing is encrypted with no "header", and the ransom note has nothing to uniquely identify you; only your computer name.

 

Seems like a mishap for grand-scale operations on their end, as you would not be able to decrypt the data if the user formats the computer or simply re-names their computer.

 

I have only two ideas.

 

1. If network activity was captured during the infection time, we'd have the encrypted keys that would need to be cracked (I think one is RSA, so there would be "some" chance in time), but this is very unlikely unless you are recording with Wireshark all the time randomly... even if a firewall caught the URL and such out-bound, the data is sent with POST, so it wouldn't be usually saved easily.

 

2. Brute-force. I'm crunching numbers to see if this would be feasible. I see something that makes me think it is, but it's so easy to not realize how off the odds are when you're dealing with huge numbers (read: I'm still learning, lol).

 

 

As an aside, how did you find that Pastebin page with the source? Was it just by searching the ".magic", and we're assuming this is the exact same source as what hit you? Or was it left behind on the system and you posted it there?

I actually opened the magic.exe in notepad and a surprising amount of it is human readable. I hadn't even noticed the ransom note at the time. That's when I looked for the ransom note. (there are too many text files on my desktop) Then I searched for words from the ransom note on google. The moment you bring it down to within the last week that pastebin pops up. The bitcoin address and email addresses gave it away from there.

 

A thought, would a copy of a file that had been encrypted and an identical unencrypted file be helpful?

Edited by Retry2, 22 January 2016 - 07:15 PM.

Hi Retry2,

Sorry to hear about your issue. Let us know if you ever hear back from utkusen.com.

The C2 server that was used by your variant has been shutdown, but i asked for a copy of their DB. If we can get it hopefully one of our resident gurus can whip something up for you.

Fabian confirmed brute-force is out of the question. I was naive in thinking 68³² combinations wasn't a big deal for a GPU, but it definitely is. We would need to be able to guess 1.39 × 10⁵⁰ combinations per second to get it within a year.

 

If we get a hold of that database, a decryptor would be easy to make. In the meantime, I would capture the name of your computer and the username of the profile that was infected, and archive that with the encrypted data in hopes of the future. You can capture these from command line easily.

echo %COMPUTERNAME%: %USERNAME% > computer-name.txt

This will allow for matching your key from the database.

Hello looking for a eda2 c2 host searching google and find two sites.

 

comet.esy.es/main.php  test:test

 

www.simplusx.be/panel/login.php   username and password changed.

Maybe this can help.

Edited by anonymoushost, 23 January 2016 - 04:42 PM.

I looked at the reloaded control panel and unfortunately the DB was empty.