Chimera Ransomware uses Bitmessage over TOR (Oct 23, 2015)
Ransomware infections have shown no signs of slowing down. The most prevalent of these belongs to the malware family called Cryptolocker, which has proven persistent and adaptive, creating new variants and targeting different groups over time.
The Dell SonicWALL threats research team has received reports of a ransomware Trojan calling itself Chimera, which appears to be targeting users in German-speaking countries. Like Cryptolocker, which heavily targeted the US and UK in its earlier iterations, this ransomware arrives as an email attachment purporting to be an important document.
Figure 1: Trojan purporting to be a fake document file
Infection Cycle:
Upon execution the malware injects itself into the legitimate explorer.exe process and makes the following connection to discover the public IP address of the victim machine:
Figure 2: Connecting to whatsmyipaddress.com shows the IP of the infected machine
Figure 3: Explorer.exe making malicious outbound connections
The malware then connects to several hostnames in the Tor network. The following are just some of the hosts this Trojan connected to during our analysis:
This variant of ransomware not only connects to different hosts in the Tor network but also uses PyBitmessage to send encrypted messages, keeping the identities of the sender and receiver hidden from wiretapping systems.
Figure 4: Trojan sending encrypted message using Bitmessage over TOR
The Trojan encrypts files with extensions such as .js, .da, .ini, .html, .xml, .jpg, .txt, .doc, .xls, .wma and .mpg, among others. It appends “.crypt” to the file extension to mark the file as encrypted and drops an HTML file, “YOUR_FILES_ARE_ENCRYPTED.HTML”, into every directory where encrypted files are found.
Figure 5: Sample of encrypted picture files with the “.crypt” extension
The Trojan also copies “YOUR_FILES_ARE_ENCRYPTED.HTML” into the Startup directory to ensure the message appears again on reboot:
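The file-system artefacts described above (the “.crypt” suffix, the ransom note dropped beside encrypted files, and the copy placed in Startup) are enough for a quick post-infection triage. The script below is an added example, not code from the original report or from SonicWALL: it walks a directory tree, counts encrypted files by their original extension, lists directories that hold the note, flags directories with encrypted files but no note, and checks the Startup directory. The sample victim layout it builds in a temporary directory is constructed for the demonstration; the Startup path is passed in by the caller because its real location varies by Windows version and user.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE = "YOUR_FILES_ARE_ENCRYPTED.HTML"  # note file named in the report
CRYPT_SUFFIX = ".crypt"                         # appended to each encrypted file


def scan_tree(root):
    """Summarise Chimera-style artefacts under `root` (counts, note locations, extensions)."""
    summary = {"crypt_files": 0, "note_dirs": [], "crypt_without_note": [],
               "original_ext": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        crypt_here = [n for n in files if n.lower().endswith(CRYPT_SUFFIX)]
        rel = os.path.relpath(dirpath, root)
        if RANSOM_NOTE in files:
            summary["note_dirs"].append(rel)
        elif crypt_here:
            # Report says a note is dropped wherever files were encrypted; its absence is worth a look
            summary["crypt_without_note"].append(rel)
        for n in crypt_here:
            summary["crypt_files"] += 1
            summary["original_ext"][Path(n[:-len(CRYPT_SUFFIX)]).suffix.lower()] += 1
    return summary


def startup_note_present(startup_dir):
    """Persistence check: the report says the note is copied into Startup."""
    return (Path(startup_dir) / RANSOM_NOTE).is_file()


def build_sample_tree(base):
    """Constructed sample of a victim profile (not real malware output)."""
    base = Path(base)
    for d in ("Pictures", "Documents", "Startup"):
        (base / d).mkdir()
    for f in ("holiday.jpg.crypt", "cat.jpg.crypt", RANSOM_NOTE):
        (base / "Pictures" / f).write_text("x")
    for f in ("report.doc.crypt", "budget.xls.crypt", "readme.txt"):  # deliberately no note here
        (base / "Documents" / f).write_text("x")
    (base / "Startup" / RANSOM_NOTE).write_text("x")  # reboot persistence
    return base


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        summary = scan_tree(base)
        summary["startup_persistence"] = startup_note_present(base / "Startup")
    return summary
```

On a real machine, point `scan_tree` at the user profile and `startup_note_present` at that user's Startup folder; the extension breakdown tells you what data was hit before any restore from backup begins.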
Figure 6: Chimera Malware warning and instructions on how to pay
The victim is given no deadline for sending the bitcoin payment to decrypt the files, but is threatened with a warning that private data, photos and videos will be posted online if no payment is made.
Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:
- GAV: Chimera.RW (Trojan)