The Children of CryptoLocker, Part 1. Critroni, CryptoWall, DirCrypt

The first examples of malware that encrypts files and then demands money for decryption appeared a long time ago. Just remember Trojan.Xorist with its primitive encryption algorithm based on XOR, or Trojan.ArchiveLock written in PureBasic, which used regular WinRAR for encryption and Sysinternals SDelete for deleting encrypted files, and demanded as much as five thousand dollars for decryption. However, it was CryptoLocker that established the bad trend among virus writers to use the latest achievements in cryptography as quite stable encryption algorithms. Today, we will investigate several encryption-based trojans which emerged after the notorious spread of CryptoLocker on the internet (or at the same time).

WARNING


If you want to follow our example and research a sample of an encryption-based locker, please be careful. Even if you use a virtual machine, it is possible to accidentally encrypt the files in the shared folders of the main system.

A demand for at least five thousand dollars for decryption of Trojan.ArchiveLock

A demand for at least five thousand dollars for decryption of Trojan.ArchiveLock

Some statistics

From the point of view of creators, encryption-based trojans are real cash. To organize the mailout of infected spam emails and a service for accepting payments from those who cherish their family photographs which have suddenly became encrypted is much simpler and cheaper than to elaborately construct and develop a botnet (which then has to be placed somewhere) or collect data from infected machines, considering the fact that this data also needs to be somehow monetized.

This is why this type of cyber-ransom continues to flourish and bring lots of money to the organizers of this criminal business. For instance, according to Kaspersky Lab, 2014 saw more than seven million attacks using encryption-based trojans of different families.

The number of attacks using encryption-based trojans in 2014 according to Kaspersky Lab

The number of attacks using encryption-based trojans in 2014 according to Kaspersky Lab

Distribution of attacks using encryption-based trojans in the first quarter of 2015 by country (information by TrendLabs)

Distribution of attacks using encryption-based trojans in the first quarter of 2015 by country (information by TrendLabs)

Most of this stuff gets inside their potential victims' computers disguised as useful and highly necessary attachments in spam letters (if you remember, that's how CryptoLocker spread). However, the followers of CryptoLocker decided not to limit themselves to just this channel for distributing their creations, so they added another one — drive-by downloads (for example, encryption-based trojans Alpha Crypt and CryptoWall are often spread using famous Angler EK or Nuclear EK exploit sets).

Angler EK and Nuclear EK, suspected of distributing CryptoWall encryption-based trojan and TeslaCrypt at malware-traffic-analysis.net

Angler EK and Nuclear EK, suspected of distributing CryptoWall encryption-based trojan and TeslaCrypt at malware-traffic-analysis.net

Critroni (CTB Locker)

This encryption-based locker appeared about a year ago. CTB is an abbreviation which stands for Curve-Tor-Bitcoin. The main difference of this locker from many others is that it uses an algorithm based on elliptic curves for file encryption.

An ad selling Critroni (CTB-Locker) on one of the forums

An ad selling Critroni (CTB-Locker) on one of the forums

In the register's autorun branches it has quite a decent name. For instance, two samples that we investigated impersonated a Microsoft on-screen keyboard. The virus file is packed using Pencrypt 3.1. to hide its contents from prying eyes and to complicate analysis.

Critroni (CTB-Locker) in the register's autorun branches

Critroni (CTB-Locker) in the register's autorun branches

File encryption

Critroni doesn't encrypt many types of files, mostly MS Office documents, text documents and database files:

Files are encrypted in several stages:

  • the file selected for encryption is placed in a temporary file using MoveFileEx API function;
  • this temporary file is read off the disk block-by-block;
  • each read block is compressed using the deflate function of zlib library;
  • the compressed block is encrypted and written on the disk;
  • the information needed for decryption is put at the beginning of the file;
  • the encrypted file gets a "ctbl" extension.

CTB-Locker uses the so called ECDH (Elliptic curve Diffie—Hellman) algorithm.

At first, Critroni generates two main keys — master-public and master-private. To do this, it takes SHA-256 hash from a 34-byte random number consisting of:

The master-private key is sent to a command server and is not saved on the infected machine (it is also encrypted using ECDH and it is impossible to view it when it is sent). Session-public and session-private are generated for each encrypted file. Then, the session-shared = ECDH (master-public, session-private) value is computed, SHA-256 hash from which is used as key for file encryption with AES-256 algorithm. Thirty-two bytes of session-public and 16 bytes of service information are written at the beginning of the encrypted file for searching the required master-private key on the command server.

In summary, it is impossible to decrypt the files without the master-private key, and this key, as we have explained, is stored on a C&C server in the .onion domain extension.

The result of Critroni activities

The result of Critroni activities

Connection with the command server

The samples which we received for investigation in our magazine's (anti)virus laboratory had a C&C center located in the Tor network and the domain name embedded in the trojan's body. The connection is made through a Tor client launched in a separate torrent. The whole code, which performs the exchange with the command server in the ".onion" extension, has been taken almost unchanged from the sources of the widely known "tor.exe."

A part of Tor client inside Critroni (command server address and sent commands are highlighted)

A part of Tor client inside Critroni (command server address and sent commands are highlighted)

CryptoWall

The massive spread of this malware was recorded in the first quarter of 2014, however, according to some sources, the first samples were identified as early as in November 2013. This family is also famous for two versions — CryptoWall 2.0 and CryptoWall 3.0. Version 3.0 (despite losing several capabilities as compared to the previous version) has now almost completely replaced version 2.0. According to some sources, CryptoWall brought its creators more than 1.1 million dollars in the first 6 months of operation.

File encryption

The list of encrypted files is quite big; it's not only owners of MS Office documents and photographs who should be aware of this locker, but also software developers:

First of all, CryptoWall disables file recovery from shadow copies and recovery points, executing the following commands:

Encryption starts after the public RSA key is received from the C&C server. In contrast to other lockers, CryptoWall encrypts files using RSA-2048 algorithm, while most others use RSA to encrypt the AES key, which the files were encrypted with. The RSA algorithm is rather resource-intensive and creates a big load on the system, which may indirectly indicate CryptoWall infection.

Connection with the command server

Depending on the modification, connection with command servers may be established either via Tor (for this, tor.exe is downloaded and installed) or through an anonymous I2P network. All names of command servers are embedded directly in the trojan's body, with the transferred data encrypted by the RC4 algorithm.

Analysis difficulties

The trojan's code has an elaborate multi-level encryption. During the first decryption stage, the trojan reads a large part of the encrypted code, decrypts it and saves it to the buffer. The second stage of code decryption starts with the byte array (0x35, 0x5e, 0x74) inside the code saved at the first stage. As soon as this place is determined, the data is decoded to stack. The third stage commences with execution transfer to the code, which has been placed in the stack. At this stage, the resources encrypted with Base64 are decrypted. The decrypted resource is the final CryptoWall code.

In version 2.0, at the second stage, the trojan checks the availability of a virtual environment or a sandbox: it searches for processes VBoxService.exe, vmtoolsd.exe or downloaded library sbieDLL.dll.

CryptoWall 2.0 looks for VirtualBox

CryptoWall 2.0 looks for VirtualBox

In addition to the above, when launched, the trojan creates a fake process explorer.exe, where it writes its code, it launches it with a separate torrent, and terminates its own process. The fake explorer.exe, in its turn, launches vssadmin.exe and bcedit.exe to destroy shadow copies and system recovery points, as well as fake svchost.ese, which is also infiltrated with a malicious code, and CryptoWall starts its operation disguised as this process.

Sequence of CryptoWall locker's run process

Sequence of CryptoWall locker's run process

Dirty (DirCrypt)

This appeared at about the same time as CryptoLocker (some antivirus companies date Dirty even a little earlier — back to July 2013).

Intimidating Dirty wallpaper

Intimidating Dirty wallpaper

File encryption

DirCrypt doesn't encrypt many types of files, mostly documents and photographs:

Two algorithms are used for encryption: RC4 and RSA. The first algorithm is used to encrypt the whole file and the encryption key is added to the end of the encrypted file. The second algorithm is used to encrypt the first 1024 bytes of the file using the public key embedded in the locker's body; the encryption key can be received from the command center after payment of 200 dollars.

Connection with the command server

Dirty generates the names of command servers based on two 4-byte seeds contained in the resources section. Altogether, the domain name generation algorithm can generate thirty command center names. All command centers are located in the .com zone and have aesthetically questionable names such as: rauggyguyp.com, llullzza.com, mluztamhnngwgh.com, mycojenxktsmozzthdv.com, inbxvqkegoyapgv.com.

Dirty C&C server name generator at work

Dirty C&C server name generator at work

Communication with the command center is performed as open text without any encryption, the public key is delivered and, after confirmation of payment, the RSA key for decryption is sent.

Analysis difficulties

While operating, Dirty looks for processes containing the following names — taskmgr, tcpview, filemon, procexp, procmon, regmon, wireshark, LordPE, regedit and if successful terminates the identified "dangerous" processes.

Additionally, all text lines and other data are stored in the locker's body in encrypted form.

Decrypted lines inside Dirty

Decrypted lines inside Dirty

Continue: The Children of CryptoLocker, Part 2


Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">