In reviewing recent anomalies in our threat traffic, Omri Givoni, who heads up our Threat Prevention Cloud Group, noticed a spike of more than 100,000 events in our detections on leap day, February 29th, 2016. Zeroing in on the event, we isolated one SHA1 7429b5b4c239cb5380b6d7e4ffa070c4f92f3c79, which strangely did not show any incidents either before or after that date.
A quick examination showed this was indeed a unique campaign based on a new TeslaCrypt variant, which on the leap day would have been detected by only four AV vendors according to VirusTotal.
Why do a spike campaign?
Ransomware infections are now the top trend in the eyes of customers and security firms alike, taking the place of banking malware as the major concern. For that reason ransomware Command and Control (C2) servers are quickly exposed, and signatures issued for the specific files and the C2 domains are quickly pushed to blocking lists.
Therefore, to make a ransom operation successful, the attackers must reach their targets as fast as possible and maximize infections before AV vendors update their signatures or reputation databases mark the C2 servers as malicious.
On the campaign day, the campaign payloads had only four detections on VirusTotal, which shows scan results from 56 AV vendors.
Using machine learning, our sandboxing solution SandBlast detected this malware before it reached the endpoint, identifying the TeslaCrypt ransomware on its first run without the need for signatures. Here is a report of our generic detection:
Breaking up the attack
The attack starts with a mass email spam campaign, aiming to reach as many inboxes as possible before spam filters catch it and AV vendors create a signature.
This is a social engineering message designed (somewhat poorly, given the spelling error in the salutation and the rather large sum claimed to be late) to trick the user into opening the attached file out of fear of penalties. The attachment, which appears to be a .doc file based on its extension, is actually a JavaScript file inside a zip archive. Opening it runs the script, which downloads and executes TeslaCrypt.
Once infected
If executed, this ransomware encrypts your files even without internet connectivity, using a custom key recovery algorithm, and renames them to old_name.mp3, probably to avoid behavioral detection of newly written files with high entropy. It then displays the following ransom message:
Screenshot of encrypted files in a directory
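As an added example (not from the original post or from Check Point's tooling), a small Python check of the renaming trick described above: a genuine MP3 is itself high-entropy, so entropy alone cannot separate it from ciphertext, but a file with an .mp3 name, no ID3 tag or MPEG frame sync at the start, and near-8-bit entropy is worth flagging. The sample byte strings are constructed, and the entropy threshold is an assumed value.

```python
import math
import os
from collections import Counter

# Constructed sample inputs (not real TeslaCrypt artifacts): an "encrypted" file
# renamed to .mp3, a genuine-looking MP3 with an ID3 header, and a plain text file.
ENCRYPTED_LIKE = bytes(range(256)) * 4            # uniform bytes: entropy exactly 8.0
REAL_MP3_LIKE = b"ID3\x04\x00\x00" + bytes(range(256)) * 4
PLAIN_TEXT = b"hello world\n" * 100

ENTROPY_THRESHOLD = 7.5   # assumed value; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_mp3(data: bytes) -> bool:
    """Real MP3 files start with an ID3v2 tag or an MPEG audio frame sync (11 set bits)."""
    if data.startswith(b"ID3"):
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def is_suspicious_mp3(filename: str, data: bytes) -> bool:
    """Flag a .mp3 that carries high-entropy content but no audio header."""
    if os.path.splitext(filename)[1].lower() != ".mp3":
        return False
    return not looks_like_mp3(data) and shannon_entropy(data) >= ENTROPY_THRESHOLD


if __name__ == "__main__":
    samples = {
        "report.docx.mp3": ENCRYPTED_LIKE,   # renamed ciphertext: flagged
        "song.mp3": REAL_MP3_LIKE,           # real audio header: not flagged
        "notes.mp3": PLAIN_TEXT,             # low entropy: not flagged
    }
    for name, blob in samples.items():
        print(f"{name}: entropy={shannon_entropy(blob):.2f} "
              f"suspicious={is_suspicious_mp3(name, blob)}")
```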
Conclusion
Improvements by AV products in quickly updating signatures for new variants have led to greater use of spike campaigns, which deliver previously unknown threats to a mass audience and reach the victims before signatures catch up. Detecting previously unseen threats is crucial to preventing infection.
Check Point AV and Network Anti-Malware clients are currently protected from this threat; the signature was updated shortly after discovery. Check Point SandBlast customers were protected from the inception of this attack.
Appendix 1 – SHA1s distributed by the JavaScript
Appendix 2 – Command and Control URLs contacted by the ransomware