CryptXXX Ransomware: Simple, Evasive, Effective

CryptXXX emerged a few weeks ago and it’s been sneaky! It’s most impressive feature is the simplicity of its evasion techniques, which are giving it an advantage over most security systems. This has resulted in a very low detection rate for new samples and a high success rate on the malware’s part.

According to the decryption messages and deployment method, both propagate by Angler Exploit Kit, CryptXXX seems very similar to TeslaCrypt, but it’s different in essence.

Figure 1 – CryptXXX HTML message

Figure 2 – TeslaCrypt Ransom Note

Figure 3: CryptXXX Ransom Note – containing the same text

Whether or not the developers are related, they have learned a great deal from their predecessors – they are avoiding every single point of detection.

Moving away from TeslaCrypt

Figure 4: TeslaCrypt – SandBlast Agent Forensics Signature

Tesla became common last year and adopted many behaviors from his successful competitor at that time – CryptoWall, including the ransom messages “look and feel”, also used by CryptXXX.

These behaviors helped security vendors develop detections against it:
• Storing the sample and encryption code in an executable
• Deleting the shadow copy
• Using command line for self-deletion
• Copying itself with a different name

CryptXXX does none of those:
• Not a single executable file
• No shadow copy deletion from VssAdmin or WMIc
• No self-deletion

Using Microsoft’s own binaries

CryptXXX is a .dll (Dynamic Link Library), which is a type of a shared library; meaning it contains files that can be used by multiple programs simultaneously. There is no self-process executable in the whole operation of CryptXXX.

All the executables used are actually well-known, signed Windows processes. This is the simplest way to evade advanced threat prevention sandboxes, showing again that malware developers adapt to their environment.

Figure 5: CryptXXX – SandBlast Agent Forensics Signature

CryptXXX dll is hostd by “rundll32” – a Windows executable. The command line is simple –
Rundll32.exe , . The dll name is called without the .dll extension, which is suspicious in itself, and the function name seems to be irrelevant. The code actually starts when the dll is loaded.

Furthermore, rundll32.exe windows binary is actually being copied to other locations with the name of “svchost.exe” and then executed in the exact same way as the previous rundll32.exe.

Figure 6: executing Svchost

This is brilliant in its simplicity: tools such as “task manager” or “Process Explorer” will simply show “Svchost.exe”, one of many others with the same name.

Figure 7: Task Manager View of CryptXXX

Looking at the process properties, it will seem as a Microsoft signed executable, which it is – just not the one it looks like. This will fool automatic tools by using the known signatures and users by its similarity to known processes.

There are, however, some slight differences that can raise suspicions:
• The location used to run the software is not the default (“Downloads’ folder in this case, “%programdata% in others).
• The process parameters fit the parameters of Rundll32, which not the usual case for svchost.
• It is not a “service” and is launched with a regular user’s permissions.
 

 Evading sandboxes

Dynamic-linked-libraries (.dlls) are not executed by themselves. They require an executable to launch them. Most sandboxes will fail to do so and thus will not detect new samples of CryptXXX.

If this is not enough – CryptXXX has no rush. It can delay execution for a long time, even more than an hour. This will trick most traditional sandboxes, which are capable of running for just a few minutes without resuming after delays.

The network activity, which is used in many cases for detection and blocking of key exchanges, is also reduced here to the very minimum, just two HTTPS calls – one to a completely unknown IP apparently located in Germany.

Figure 8: HTTPS call to unknown IP

A continuous evolution

CryptXXX may look similar to TeslaCrypt, but it has clearly done some homework. Even though the encryption of some of its versions has been broken, it is far from giving up. Judging by the different samples, it is still evolving and we will see more of it.