Ransomware purports to be from National Security Bureau (Dec 12, 2014)

The Dell SonicWall Threats Research team has received reports of a relatively new Ransomware Trojan that tries to extort money from its victims. Unlike ransomware such as CryptoLocker or Cryptowall, it does not encrypt files, but it does infect various file types found on the system, such as image files.

Infection Cycle:

The Trojan uses the following icon:

The executable is obfuscated in an attempt to deter reverse engineering:

The Trojan contacts google.com to verify internet connectivity:

The Trojan makes the following DNS query:

      google.com

The Trojan adds the following files to the filesystem:

  • %ALLUSERSPROFILE%\zaQUUoEg\nEckMYsg.exe [Detected as GAV: Obfus.3_2 (Trojan)]
  • %ALLUSERSPROFILE%\zaQUUoEg\nEckMYsg.inf
  • %USERPROFILE%\HuEwIQME\hmgAEcws.exe [Detected as GAV: Virut.CM (Trojan)]
  • %USERPROFILE%\HuEwIQME\hmgAEcws.inf
  • %USERPROFILE%\Local Settings\Temp\file.vbs

file.vbs contains the following data:

      WScript.Sleep(50)

The Trojan adds the following keys to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  hmgAEcws.exe  "%USERPROFILE%\HuEwIQME\hmgAEcws.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  nEckMYsg.exe  "%ALLUSERSPROFILE%\zaQUUoEg\nEckMYsg.exe"
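The two Run entries above share one shape: an eight-letter directory directly under a profile root, holding an eight-letter .exe. The following triage script, an added example that is not part of the original write-up, checks exported Run values (assumed here as (key, value name, command) triples; the sample export is constructed) for the exact entries reported and for that general naming pattern.

```python
import re

# Persistence entries reported in the write-up, compared case-insensitively.
KNOWN_PERSISTENCE = {
    r"%userprofile%\huewiqme\hmgaecws.exe",
    r"%allusersprofile%\zaquuoeg\neckmysg.exe",
}

# Profile roots the sample writes into; legitimate Run entries rarely launch from directly beneath them.
PROFILE_ROOTS = ("%userprofile%", "%allusersprofile%")

# Eight letters, as in both dropped directories and both dropped executables.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")


def image_path(command: str) -> str:
    """Return the executable path from a Run value: the quoted path, or the first token if unquoted."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command.strip()


def classify(command: str) -> str:
    """'known' for a reported persistence entry, 'suspicious' for the same naming pattern, else 'benign'."""
    path = image_path(command)
    if path.lower() in KNOWN_PERSISTENCE:
        return "known"
    root, *rest = path.split("\\")
    if root.lower() in PROFILE_ROOTS and len(rest) == 2:
        directory, exe = rest
        stem, _, ext = exe.rpartition(".")
        if ext.lower() == "exe" and RANDOM_NAME.match(directory) and RANDOM_NAME.match(stem):
            return "suspicious"
    return "benign"


def triage(entries):
    """Return (key, value name, verdict) for every non-benign entry in an exported list of Run values."""
    return [(key, name, v) for key, name, cmd in entries if (v := classify(cmd)) != "benign"]


# Constructed sample export: the two entries from the write-up plus two typical legitimate ones.
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "hmgAEcws.exe", r'"%USERPROFILE%\HuEwIQME\hmgAEcws.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "nEckMYsg.exe", r'"%ALLUSERSPROFILE%\zaQUUoEg\nEckMYsg.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RUN_ENTRIES):
        print(hit)
```

Run against a real export, the two reported entries come back as "known" and any fresh variant with the same layout as "suspicious", so the pattern check is the part worth keeping once the file names change.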

The Trojan communicates with a remote C&C server using encrypted traffic:

The Trojan then locks the system by displaying the following fake warning:

The warning states that pirated software has been found on the system. It purports to come from the National Security Bureau and states that 0.652 Bitcoins should be transferred to a specified address (198tX7NmLg6o8qcTT2Uv9cSBVzN3oEozpv), after which the computer will be unlocked "within 4.5 working days". It also threatens that a warrant for arrest will be issued, with a penalty of up to 5 years in prison, if the sum is not paid. The message is of course false and is a campaign designed to extort money from unfortunate victims.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Crypted.A_21 (Trojan)
  • GAV: Obfus.3_2 (Trojan)
  • GAV: Virut.CM (Trojan)