Wednesday, November 30, 2016

NoMoreRansom aka Troldesh Ransomware Delivered by Kelihos

My favorite guest blogger Arsh Arora, a malware analyst and Ph.D. researcher at UAB, is back with new and interesting facts about Kelihos, a botnet family that he has been tracking for a year and a half while providing some great intel about it to the community and to law enforcement. Today, he noticed that it is delivering URLs leading to Troldesh ransomware. Take it from here, Arsh ...

Kelihos botnet delivering Troldesh Ransomware impersonating Bank of America

No_More_Ransom, aka Troldesh encryption ransomware, is being delivered by Kelihos in the form of embedded URLs within email messages. The delivery mechanism is similar to previous cases of ransomware spammed by Kelihos. In early July, Kelihos introduced itself to the world of ransomware by spamming links to Wildfire ransomware, followed by CryptFile2 ransomware in August. Then it shifted its focus towards different banking trojans such as Panda Zeus, Nymaim and Kronos. Now it has come full circle and struck back with Troldesh encryption ransomware. The funny thing is that the ransomware encrypts files and gives them the extension ".no_more_ransom". Moreover, the spammed URLs redirected to the download of either a JavaScript file or a Microsoft Word document. This is the first time that Kelihos malware has used JavaScript to infect users.

Another interesting observation was that this spam campaign was specifically geo-targeting Australian email addresses ending with ".au".  ".pl" email users were getting dating spam, while ".us" extension emails were being invited to sign up as Money Mules.  All other email TLDs were getting the traditional pharmaceutical spam.

NoMoreRansom aka Troldesh Ransomware

While doing the daily run of malware, one of my fellow researchers at UAB, Max Gannon, noticed a different behavior in the Kelihos botnet. It was sending embedded links using a Credit Debt theme. Most importantly, some of the URLs redirected to the download of a .zip file containing a JavaScript file, while other links downloaded a Microsoft Word document. At the time of writing, most of the URLs were still live.

Subject: Please Settle Credit Arrears Shortly

Dear Client!

Our Credit Department has done research on your payment record for last year and learned that payments had not been made for last 3 months. We are now working on the issue pertaining to ways to help you with fulfilling liabilities and settling these arrears.

At the same time, we realize you may have had excellent reasons for such payment breakdown. That is exactly why we are contacting you now. Notwithstanding, if you are not proceeding your debt settlement, we will have to engage our enforcement units in commencing the law-suit case against you. This is the compulsory measure, so unfortunately, we may not help you.

Please process at least the very first payment at the earliest possible time. Else, charges may apply, and then the trial may be run.

We have made the full report of your situation. It contains the payment history, the total debt amount effective today, and further recommendations on arranging the issue. Please open and be guided with instructions as soon as possible.

The file can be found here: 
hxxp://greatwesternco[dot]com/wp-content/themes/twentyten/redirect[dot]php

Sincerely Yours,
Bank of America
Customer Relations Department

The following are the different subject lines that were spammed:
URLs that downloaded a .zip file containing JavaScript

Subject - Credit Department Discovered Your Debt - 
hxxp://eileenparker[dot]com/wp-content/themes/twentyten/redirect[dot]php

Subject - Pay for Credit Debt when Possible - 
hxxp://thehousepartnership[dot]co[dot]uk/wp-content/themes/twentyten/redirect[dot]php

Subject - Please Settle Credit Arrears Shortly - 
hxxp://chris-smith-web[dot]com/wp-content/themes/twentyten/redirect[dot]php

Subject - You Have a 3-Month Credit Debt - 
hxxp://infopro[dot]it/wp-content/themes/twentyeleven/redirect[dot]php

Fig. 1: Zip file downloaded with the embedded URL link

URLs that downloaded a Microsoft Word document

Subject - Please Settle Credit Arrears Shortly - 
hxxp://greatwesternco[dot]com/wp-content/themes/twentyten/redirect[dot]php

Subject - You Have a 3-Month Credit Debt - 
hxxp://greatwesternco[dot]com/wp-content/themes/twentyten/redirect[dot]php

URLs that were unreachable

Subject - Pay for Credit Debt when Possible - 
hxxp://starsounds[dot]net/wp-content/themes/twentyeleven/redirect[dot]php - Down

Infection by JavaScript has not previously been a behavior associated with Kelihos. Hence, it can be considered a noticeable change and a well-thought-out strategy by the bot operators.
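Every URL in this campaign follows one template: a compromised WordPress site serving redirect.php from a default theme directory (twentyten or twentyeleven). As an added example, not code from Arsh's post or from UAB, the Python below refangs the defanged URLs listed above into matchable form and checks a few constructed proxy-log lines against them. It also matches on the shared structural pattern, so hosts that are not yet on the list still surface for review; the pattern, the log format and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Defanged URLs exactly as quoted in the post; refanged only in memory for matching.
KELIHOS_REDIRECT_URLS = [
    "hxxp://greatwesternco[dot]com/wp-content/themes/twentyten/redirect[dot]php",
    "hxxp://eileenparker[dot]com/wp-content/themes/twentyten/redirect[dot]php",
    "hxxp://thehousepartnership[dot]co[dot]uk/wp-content/themes/twentyten/redirect[dot]php",
    "hxxp://chris-smith-web[dot]com/wp-content/themes/twentyten/redirect[dot]php",
    "hxxp://infopro[dot]it/wp-content/themes/twentyeleven/redirect[dot]php",
    "hxxp://starsounds[dot]net/wp-content/themes/twentyeleven/redirect[dot]php",
]

# Structural signature shared by the campaign: redirect.php inside a default
# WordPress theme directory (twentyten, twentyeleven, ...). Assumed heuristic;
# treat a hit on an unlisted host as "review", not as a confirmed infection.
REDIRECT_RE = re.compile(r"/wp-content/themes/twenty[a-z]+/redirect\.php", re.IGNORECASE)

def refang(url):
    """Turn the post's defanged notation (hxxp, [dot], [.]) back into a real URL."""
    return url.replace("hxxp", "http").replace("[dot]", ".").replace("[.]", ".")

def known_hosts():
    """Set of host names from the published indicator list."""
    return {urlsplit(refang(u)).hostname for u in KELIHOS_REDIRECT_URLS}

def classify_url(url):
    """Return 'known_ioc', 'pattern_match' or None for one URL seen in logs."""
    parts = urlsplit(url)
    if not REDIRECT_RE.search(parts.path or ""):
        return None
    return "known_ioc" if parts.hostname in known_hosts() else "pattern_match"

def scan_log(lines):
    """Extract URLs from free-form log lines and return (url, verdict) for each hit."""
    hits = []
    for line in lines:
        for url in re.findall(r"https?://\S+", line):
            verdict = classify_url(url)
            if verdict:
                hits.append((url, verdict))
    return hits

# Constructed sample proxy log (timestamp, user, client IP, method, URL, status).
SAMPLE_PROXY_LOG = [
    "1480500000.123 user1 10.0.0.5 GET http://greatwesternco.com/wp-content/themes/twentyten/redirect.php 302",
    "1480500001.456 user2 10.0.0.9 GET http://example.org/wp-content/themes/twentyfifteen/redirect.php 200",
    "1480500002.789 user3 10.0.0.7 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for url, verdict in scan_log(SAMPLE_PROXY_LOG):
        print(f"{verdict:14s} {url}")
```

The first sample line matches a listed indicator, the second only the structural pattern (a host not in the post), and the third is clean; in practice the known-host list would be loaded from a feed rather than embedded.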

Hashes of the JavaScript and Word document are:

1d57eba1cb761b99ffcf6bc8e1273e9c  instructions.doc
711881576383fbfeaaf90b1d6c24fce0  instructions.js

On the other hand, embedded URLs for Microsoft Word documents have been seen before. The document behaved in a similar fashion, asking the user to enable macros by clicking the "Enable Content" button (better thought of as an "Encrypt Me" button). Once that is done, it downloads a payload from the following link:

hxxp://95[.]163[.]127[.]179/777[.]exe
MD5 - 8441efe3901a0ec7f18c6ef5159877cc

Virus Total Link - 777.exe VT

After the file is downloaded and executed, the Troldesh encryption ransomware encrypts the system and appends the "no_more_ransom" extension to each encrypted file. The ransom note on the desktop was displayed in Russian as well as English.

Fig. 2: Desktop screen after encryption

Fig. 3: Ransom Note found in text ReadMe.txt

All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
xxxxxxxxxxxxxxxxxxxxx
to e-mail address 2Lynness.Taftfera1990@gmail[dot]com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because
the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
use the feedback form. You can do it by two ways:
1) Download Tor Browser from here:
https://www.torproject.org/download/download-easy.html.en
Install it and type the following address into the address bar:
http://cryptsen7fo43rr6.onion/
Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser:
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/

The above is a plain text version of the ransom note. As can be seen, a Gmail address is being used as the contact, which is a one-of-a-kind behavior.
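The appended extension and the ransom note described above give an incident responder two cheap indicators to sweep a file system with. As an added example, not code from the post, the Python below walks a directory tree, lists files carrying the ".no_more_ransom" extension, recovers their original names and file types for the victim inventory, and confirms that a ReadMe.txt is the Troldesh note by looking for the .onion address quoted in the note. The sample directory it builds is constructed for the demo and contains no real victim data.

```python
import os
import tempfile

# Indicators taken from the post: the appended extension, the note's file name
# (compared case-insensitively) and the .onion address printed inside the note.
ENCRYPTED_EXT = ".no_more_ransom"
NOTE_NAME = "readme.txt"
NOTE_MARKER = "cryptsen7fo43rr6.onion"

def is_troldesh_note(path):
    """True if the file contains the .onion address used in the ransom note."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return NOTE_MARKER in fh.read()
    except OSError:
        return False

def find_troldesh_artifacts(root):
    """Walk `root` and summarise encrypted files and ransom notes found beneath it."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(full)
            elif name.lower() == NOTE_NAME and is_troldesh_note(full):
                notes.append(full)
    # Troldesh appends its extension, so stripping it gives the original file name back.
    originals = sorted(os.path.basename(p)[: -len(ENCRYPTED_EXT)] for p in encrypted)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "original_names": originals,
        "extensions_hit": sorted({os.path.splitext(o)[1] for o in originals}),
    }

def build_sample_tree():
    """Constructed directory layout mimicking a hit host (demo data only)."""
    root = tempfile.mkdtemp(prefix="troldesh_demo_")
    layout = {
        "Documents/report.docx" + ENCRYPTED_EXT: b"\x00" * 16,
        "Pictures/holiday.jpg" + ENCRYPTED_EXT: b"\x00" * 16,
        "Documents/unaffected.txt": b"still readable",
        "Desktop/ReadMe.txt": (
            "All the important files on your computer were encrypted.\n"
            "http://cryptsen7fo43rr6.onion/\n"
        ).encode(),
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    summary = find_troldesh_artifacts(build_sample_tree())
    print(f"{len(summary['encrypted_files'])} encrypted file(s), "
          f"{len(summary['ransom_notes'])} ransom note(s); "
          f"originals: {summary['original_names']}")
```

Run against a mounted image or a live host, the summary of original names and extensions is what you would hand to the backup team to scope the restore.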

Troldesh did not stop trolling the victim there: it also downloads the Pony malware, which contacts its command and control server at this location:

hxxp://ipieceofcake[dot]com/wp-content/uploads/2016/04/gate[dot]php

When I visited the link it was down, but thanks to our malware expert Neera Desai, who works for PhishMe and is pursuing her Master's in Computer Forensics at UAB, we were able to visit the panel page of the Pony malware.

Fig. 4: Pony malware panel page

This was really fascinating, as Kelihos spammed URLs for Troldesh encryption ransomware with redirects to a malicious Microsoft Word document and to a zip file containing JavaScript. The files eventually encrypt the system, but they also download the Pony malware to steal information from the victim's computer, dealing a double blow to the victim.

Money Mule Spam

The Kelihos botnet was not in a mood to stop. It also sent Money Mule spam geo-targeting users with ".us" (United States) email addresses. It impersonated a company from 'China looking for employees'.

Text of the email is as follows:

Subject: China company is looking for employees

We are the greatest transport company in China involved in 
transportation of high-dimension goods across the globe. At present, 
we are aimed at expanding by opening offices across the globe for 
deliveries of small consignments. We are looking for employees to 
open offices and ensure services (deployment and supervision of 
packages). All costs for the office establishment are undertaken by 
the organization. During the first month of your job, you and our 
employees are to be engaged in searching for the storage structure. 
You will be also required to appoint some amount of orders to your 
home address (not more than 10kg parcels a day) in order to check 
them for flaws and ship forward with pre-paid labels. We have a 
certain flow of parcels to date, and the work is already jogging on; 
if you are ready to start your operation right away, we are ready to 
pay 2800$ a month. In due course your salary will increase up to 
3500$ if you agree to work in the future office.

You have the following options of working with us:
1. You are working at home for the first month, receiving packages 
and shipping them forward; starting looking for an office place in 
your town (all the instructions you will receive from our managers)
2. You continue to work from home and get 2900$ every month, plus 
bonuses for fast shipped package
3. If something doesn't fit you and you decide to stop the job with 
us, we will pay you monthly salary and be waiting for you again in 
our team in the future!

If you have any questions please contact us at: kia01915@aol[dot]com

All costs for establishment the office are taken by the company, 
shipping is made with prepaid labels, this job does not require any 
financial investment from you. You can also combine this work with 
another one if you decide to work in the office in the future.
The convenient control panel of a corporate website will help you to 
track parcels, bonuses you are to get for a shipped package, and your 
personal information for salary and further job instructions.

The company ensures the following advantages:
1. Health benefits
2. Paid vacations and sick leaves
3. Paid flight tickets, gasoline

This is a temporary offer, as soon as we have a team of employees in 
your staff the vacancy will be closed.

Please contact our HR manager for further details: kia01915@aol[dot]com

Other subject lines that were spammed in the same theme are mentioned below with their corresponding reply-to email address.

Subject - China company is looking for employees - kia01915@aol[dot]com
Subject - We are hiring new employees to our office - kia01915@aol[dot]com
Subject - We are hiring new employees to our office - bree10682@aol[dot]com

Subject - Job opportunity - marquerite23894@aol[dot]com
Subject - Open vacancy - marquerite23894@aol[dot]com

The other thing to note is that all of the reply-to addresses use AOL domains, which is unusual in itself.


To conclude, Kelihos has been surprising researchers quite often, and it has become necessary to keep track of the botnet's different activities. The inclusion of ransomware adds interesting twists for research as well as for law enforcement. Another thing that I found while searching for NoMoreRansom was a group established by key leaders in the community to fight against the rise of ransomware.

So is the extension of NoMoreRansom a challenge to the people fighting it? Who knows? 
FYI: Things are about to get interesting!

Wednesday, November 09, 2016

Kronos Banking Trojan and Geo-Targeting from Kelihos

Kronos Banking Trojan and Geo-targeted attacks to Australia, Italy, United Kingdom and United States by Kelihos

I'm happy to welcome back guest-blogger Arsh Arora for another blog about the Kelihos botnet. This research is being conducted in our malware research lab at UAB by Arsh (PhD student) and Max Gannon, a malware researcher at UAB, who is about to graduate at the end of this semester and is looking for a job (hint to employers!)

Let's start the story of what has been happening with the Kelihos botnet over the past couple of days. After laying low for the past couple of weeks, it has struck back with authority. As observed previously (http://garwarner.blogspot.com/2016/08/kelihos-botnet-sending-geo-targeted.html), Kelihos continues to geo-target different locations. First and foremost, it started by sending Money Mule spam to users in Italy, Australia, and the United Kingdom, if their email addresses ended with .it, .au, or .uk. Second, it targeted users in the United States with invitations to download a social media management tool, "Kuku.io." Because this targeting was based on the ".us" country-code domain, it is more likely to impact people in education and local government, who are the main users of .us email addresses. While all of this was happening, it quietly fetched a malicious Word document from a website and placed it on the desktop without any indication to the user that a download had occurred. The malicious document eventually delivers the Kronos malware, which is considered to be much the same as the Zeus malware sent by Kelihos in August (http://garwarner.blogspot.com/2016/08/kelihos-botnet-sending-panda-zeus-to.html). This behavior was bizarre and had never been observed before this event.



Money Mule Spam

A brief report of the various geo-targeted spam is provided below.

1. Australia - Spam for email addresses ending with ".au" 

Email text is as follows:
Subject: Available Position
Hi,

The Successful Company is hiring full/part-time employee for an Administrative Assistant position
(Customer Care Team) who can take a part oversee development projects in AU and NZ. This
opportunity is smart for everybody who ready to work as little as a several hours per weekday,
however you will apply for a full time position as well. Competent training programs are accessible
for the applicants. Work experience isn't required at all.
Please send your confirmation to this email cargoinvestmentmiltonlogistics@gmail[dot]com to get more
details concerning a vacancy.
Best Regards

cargoinvestmentmiltonlogistics@gmail[dot]com


An interesting thing to observe in the body of the text is the specific reference to development projects in AU and NZ. From this we can infer that the email body and addresses are not random, but specifically targeted towards Australian users.

Some of the email subjects being used include:

Subject: Available Position
Subject: Employment
Subject: Job Offer
Subject: Open Vacancy

2. Italy - Spam for email addresses ending with ".it"

Italian Money Mule spam (original and Google Translate)

Text of the email being spammed, translated here from the Italian original, is as follows:

Subject: Assunzione al lavoro (Hiring for a job)

Kind regards,
A European company specializing in freight transport vehicles is looking for people for new roles
in your province in order to expand its own staff! The salary is from 3002 Euro per month plus
bonuses. Training is paid for by the company!
If you need extra funds, and if you are an honest and conscientious employee who is at least 22
years old, we invite you to send your CV to our personnel office
hr@acigl[dot]net

Best regards
Sandra Trevor,
Personnel Manager
hr@acigl[dot]net


Some of the email subjects being used include (English translations in parentheses):

Subject: Assunzione - collocamento al lavoro (Hiring - job placement)
Subject: Assunzione al lavoro (Hiring for a job)
Subject: Cerchiamo collaboratori in vostra area (We are looking for collaborators in your area)
Subject: Cerchiamo collaboratori in vostra citta (We are looking for collaborators in your city)
Subject: Cerchiamo collaboratori in vostra provincia (We are looking for collaborators in your province)
Subject: Cerchiamo collaboratori in vostra regione (We are looking for collaborators in your region)
Subject: Lavoro part-time (Part-time job)
Subject: Ricerchiamo collaboratori in gruppo operante a livello globale (We are looking for collaborators in a group operating globally)

3. UK - Spam for email addresses ending with ".uk"

Subject: Wow amazing girl..Read that article

Hey, what's up? Actually, for that long time we haven't been reaching each other, I've discovered a brilliant 
reading stuff. By now, 5 days I am stuck to it have already brought about 2,350 pound for me! I am talking about 
the soft trading market - it doesn't require any specific skills at it, all is automated.
Flick the article through and write me something as you are in. By the way, get a chance to know how the stuff 
works with a demo!
Take the best out of it!
P.s. The article itself: hxxp://newsdep3-telegraph[dot]co/


An interesting observation here is the fake URL imitating The Telegraph newspaper. The spammers are trying to trick the user into visiting the following link, disguised as the Telegraph newspaper's site.

The domain is hosted on 162[.]255[.]119[.]249, an IP address that has predominantly hosted various phishing websites (https://www.virustotal.com/en/ip-address/162.255.119.249/information/). The registrant information found on DomainTools is given below.

Information from DomainTools (registrant details):

Domain Name: NEWSDEP3-TELEGRAPH.CO
Domain ID: D153329223-CO
Sponsoring Registrar: NAMECHEAP, INC.
Sponsoring Registrar IANA ID: 1068
Registrar URL (registration services): http://www.namecheap.com
Domain Status: clientTransferProhibited
Registrant ID: 70G0X0PHDOIUNYLZ
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Address1: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code: 0
Registrant Country: Panama
Registrant Country Code: PA
Registrant Phone Number: +507.8365503
Registrant Facsimile Number: +51.17057182
Registrant Email: 76fb43b32d694e49a7cf070f148b6aae.protect@whoisguard.com

Some of the email subjects being used include

Subject - Look what i found
Subject - Why work for your money when your money can work for you?
Subject - Wow amazing girl.. Read that article

When the URL was visited, it redirected to
hxxp://www[dot]talegraph[dot]co[dot]uk/investor/ideas/from-zero-to-hero-mom-vanessa-makes-8000-per-month
As can be observed, it redirects to talegraph[dot]co[dot]uk, not telegraph, and that domain is hosted in the Netherlands.

Whois & Quick Stats
Dates: Created on 2016-09-27 - Expires on 2017-09-27 - Updated on 2016-09-27
IP Address: 185.110.173.76 is hosted on a dedicated server
IP Location: Netherlands - Zuid-holland - Papendrecht - It-ernity Internet Services Bv
ASN: Netherlands AS21155 ASN-PROSERVE Amsterdam, NL (registered Sep 11, 2001)
Whois History: 4 records have been archived since 2016-10-01
Whois Server: whois.nic.uk


Webpage of talegraph

As can be seen, the following is a fake website portraying the Telegraph newspaper.

Social Media Management Tool


It is well-known that people in the United States are crazy about social media and get super excited whenever a new app or tool is launched. Recently, everyone went crazy after the launch of Pokemon Go. This reaction pushed the threat actors to change their attacks by focusing on the social media market, and different malware was developed to exploit this weakness of users. In a recent blog post, I mentioned how scammers were fooling people into buying cheat codes that never existed (http://garwarner.blogspot.com/2016/07/pokemon-go-invitation-to-spammers.html). In continuation of these attacks, the Kelihos spammers are now inviting users to download Kuku.io, a social media management tool. The following spam explicitly targets email addresses ending with ".us," because of the popularity and use of social media in the United States.

Email being spammed is as follows:
Subject: Need your opinion

Hi,
I'm with Kuku.io, it's a social media management tool the key characteristic of which is to schedule and create
content on various networks at the same time. What's more you also encourage your clients to share, like and
follow your posts.
Since we are connected in LinkedIn I thought it would be a good idea if I asked for your views on our product.
Check us out at: hxxps://kuku[dot]io/a/ms
I appreciate your time. I'm looking forward to receiving any of your comments!

Regards,
Michael
hello@kuku.company

Some of the email subjects being used include:

Subject: Need your opinion
Subject: Need your feeback
Subject: Please let me know if this is of any interest

When the webpage mentioned in the email was visited, it looked as follows.
Webpage of Kuku[.]io

Kronos Banking Trojan

Now let's get to the sneaky part performed by Kelihos, which is dropping a malicious Word document on the desktop. While doing his daily chores of running the Kelihos malware and collecting the spam it sent, Max found that a document named 'oldversion' had been placed on the desktop. It was strange, and we had never seen this behavior previously.
Pictorial view of the document icon on the Desktop

On further scrutiny, we found that during the capture, Kelihos did a GET request to download the document.

hxxp://topswingusa[dot]top/qivi/oldversion[dot]doc - Get request https://www.virustotal.com/en/file/e6071f9205ed8540df9612d3f1a001f497931fc76dee43fee1e77750d00df256/analysis/


IP address of topswingusa[dot]top - 167.88.160.146 https://www.virustotal.com/en/ip-address/167.88.160.146/information/

Virus total result of topswingusa[dot]top https://www.virustotal.com/en/url/56f79838c296ac58ab81cd6571187bc1abcb33f6cb395bcebfd9db966224d4dc/analysis/



An interesting string found in the process hacker was "  UPLD save to: C:\Users\malware\Desktop\oldversion.doc"

Out of curiosity and to do more in-depth research, I decided to click the document. The document did not disappoint and asked for two of my favorite things when viewing a word document.


Enable Editing
The document was opened in Protected View and, after clicking 'Enable Editing,' it asked the user to "Enable Content."

Enable Content
After clicking 'Enable Content,' it spawned a child process with the name '24580.exe', and then another child process was launched with the name "svchost.exe". The process killed itself and did not run properly.
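The chain above, WINWORD.EXE spawning '24580.exe' which in turn launches an 'svchost.exe', is exactly the parent-child relationship that endpoint telemetry such as Sysmon process-creation events records, and it is far easier to catch there than by watching the document. As an added example, not code from the post, the Python below applies two detection rules over a constructed set of process events: any process launched by an Office application, and any svchost.exe whose parent is not services.exe (the normal parent on a stock Windows host). The event field names, process IDs and file paths are assumptions made up for the demo; the post does not say where 24580.exe was written.

```python
# Assumed Sysmon-style process-creation records: pid, ppid and full image path.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# services.exe is the expected parent of svchost.exe; any other parent deserves a look.
EXPECTED_SVCHOST_PARENTS = {"services.exe"}

def image_name(path):
    """Return the lower-cased file name from a Windows (or POSIX) style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_macro_chain(events):
    """Return (rule, parent_image, child_image, child_pid) for each suspicious launch."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # parent outside the capture window; nothing to judge
        child, par = image_name(e["image"]), image_name(parent["image"])
        if par in OFFICE_IMAGES:
            alerts.append(("office_spawned_process", par, child, e["pid"]))
        if child == "svchost.exe" and par not in EXPECTED_SVCHOST_PARENTS:
            alerts.append(("svchost_unexpected_parent", par, child, e["pid"]))
    return alerts

def process_chain(events, pid):
    """Follow ppid links upward and list image names from the oldest known ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # `seen` guards against pid reuse loops
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))

# Constructed events mirroring the behaviour described in the post. Paths and
# pids are made up; the legitimate svchost.exe under services.exe is included
# to show the rule does not fire on the normal case.
SAMPLE_EVENTS = [
    {"pid": 4, "ppid": 0, "image": "C:\\Windows\\System32\\services.exe"},
    {"pid": 900, "ppid": 4, "image": "C:\\Windows\\System32\\svchost.exe"},
    {"pid": 1000, "ppid": 500, "image": "C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE"},
    {"pid": 2000, "ppid": 1000, "image": "C:\\Users\\malware\\AppData\\Local\\Temp\\24580.exe"},
    {"pid": 3000, "ppid": 2000, "image": "C:\\Users\\malware\\AppData\\Local\\Temp\\svchost.exe"},
]

if __name__ == "__main__":
    for rule, par, child, pid in detect_macro_chain(SAMPLE_EVENTS):
        print(f"{rule}: {par} -> {child} (pid {pid}); chain {process_chain(SAMPLE_EVENTS, pid)}")
```

The first rule is noisy in environments where Office legitimately launches helpers, so in production it is normally scoped with an allowlist of known child images; the second rule is low-volume and a strong signal on its own.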

Hence, I had to put it into OllyDbg to get the malware working. On further observation in the debugger, I found that it was checking for a virtual machine. Hence, it was VMware-aware and killed itself instantaneously. But before it killed itself, I found the following string in "svchost.exe" in the debugger, which identified the malware as Kronos.




Hence, it can be inferred that this malware is Kronos. To be doubly sure, I repeated the process by downloading the malicious document and running it again.

This time I was able to gather more information. Once the document is activated by 'Enable Content,' it grabs the downloader from the following URL:
hxxp://topswingusa[dot]top/qivi/mswords2k8[dot]exe,
which is hosted on the same IP, 167[.]88[.]160[.]146. Once the file "mswords2k8[dot]exe" was obtained, it spawned a third process named "MSOSQM", which was the Kronos malware.

On further scrutiny, I found that both the downloaders "24580.exe" and "mswords2k8[dot]exe" have the same MD5 hash, 547890EA5FD8374383E0663223B5A26F.

Downloader and Kronos malware

Another interesting observation found in the debugger is the presence of a string named "BOTID".

BOTID found in OLLYDBG



Researchers are still working on trying to find more about the significance of BOTID. Hopefully, everyone will be updated soon with the findings.


Wednesday, November 02, 2016

NullCrew's Orbit, AKA Timothy French gets 45 months

This week, NullCrew hacker "Orbit" who is known to his jailers as Timothy French, was sentenced to 45 months for his role in several high profile hacking cases, including the University of Hawaii, the University of Virginia, the State Department, and Bell Canada.  The Criminal Complaint released by the Department of Justice has many more details.


For some reason, despite the criminal prosecution, one of the two official Twitter accounts of NullCrew is still live as of this writing.  The founders of NullCrew loved to depict themselves as ASCII Art aliens in their old-school-style ezine, FTS (Fuck The System), which made it to issue #5 before they began being arrested. (FTS Issue #5 is available at exploit-db.com
https://www.exploit-db.com/papers/32984/ )


Time Warner - March 6, 2013





FTS2014 will give you a sense of the way these guys think.  By the way, all of the Twitter accounts they claimed to be using in this magazine are still live today. ( @NullCrew_FTS, @siph0n_NC, and @zer0pwn)

pastebin.com/S0FfCpa2
A few days later they tweeted this post:

15 Jan 2014
Just had a talk with , this is going to be fun.



The 40,000+ userids and passwords, dumped from a database server, are still available online. 


Catching Orbit

Orbit was primarily caught because there was a snitch within NullCrew. The snitch, described as a "CW" in the criminal complaint, or "Collaborating Witness", wanted to be able to tweet "officially" for NullCrew, and was granted permission to the shared Twitter account. Once the CW had access, they checked the login history and found an IP address in Morristown, TN. Charter Communications was able to provide a subscriber street address for the IP 24.151.251.118. This IP came up repeatedly in the course of the investigation, being used to plant a hacked .php page on a University server, to regularly access a shared hacking platform in Chicago, and in more hacked business accesses.

My favorite story, however, was of the auto accident.

(Updated: the admins of siph0n.net contacted me to make clear that their site has no association with siph0n the NullCrew member.  We've removed that portion of this article at their request.)


Getting to the Sentence

Part of the defendant's problem as sentencing approached was that Mr. French, who goes by the name "TJ" for "Timothy Justen", boasted overmuch about his association with many truly evil hackers over the years. TJ, according to his pre-sentencing memo, did claim to be a member of TeamPoison, but denied emphatically that he had been involved with the TeamPoison April 2012 hacks against NATO and the United Nations, and the August 2011 hacks against NASA. TeamPoison was run by Trick, aka Junaid Hussain, who was recently killed by a Hellfire Missile strike after becoming the leader of ISIS's hacking forces and repeatedly hacking the Department of Defense.

Zer0pwn, one of the other arrested members of NullCrew, updated his Twitter profile to give as his description  "victim of sabu's wrath" implying that perhaps Sabu was involved with their arrests.

Facing a possible seven year sentence, one of the things the defendant appealed to was the relatively lenient sentences for people who had performed similar crimes.  TJ's attorney appeals to cases such as Nicholas Knight (from Team Digi7al) who confessed to hacking DHS, the National Geospatial Intelligence Agency, and assorted universities and businesses but was only sentenced to 24 months.  He lists several other cases, but comes back to a 17-year old hacker who also received only 24 months, concluding:

"This 24-month sentence alone compels a sentence for TJ far below the government's asserted guideline range in order to avoid unwarranted disparities."  (We wrote previously about how these "slap on the wrist" sentences were leading to others charging "unwarranted disparities" on behalf of their clients.   See: "Hacking, Carding, SWATting and OCD: The Case of Mir Islam

Several of my professional colleagues have commented that this sentence seems too hefty, but they were unaware of the extent of the damages to Bell Canada. While Null (the Quebec citizen) identified the breach potential, it was Mr. French who took that information and used it to rampage through the files of Bell.ca. "According to prosecutors, millions of files were exfiltrated and 300,000 of them contained client information. At the time of the hack, Bell Canada said 22,421 login and password combinations along with five credit card numbers were exposed, but court documents indicate the number was smaller. Orbit later allegedly posted approximately 12,700 logins and passwords online and Tweeted a link to the data."