BleedGreen FireCrypt Ransomware Kit fails at DDoS (Jan 6th 2017)
The Sonicwall Threats Research team has received reports of a new Ransomware named FireCrypt. It is created by a malware kit called BleedGreen. The kit is used to generate FireCrypt executables based on a limited set of options provided including DDoS of the Pakistan Telecommunication Authority website.
The Kit executable file uses the following icon:
The Kit, which requires .NET 4.0 to run, uses the Windows Command Prompt as its configuration interface. It lists its built-in features and provides an option to supply an icon for the generated malware executable:
Infection Cycle:
Once the generated file is run on the target machine it kills Task Manager if running and makes the following DNS Query:
- www.pta.gov.pk
It is believed that the following communication to the Pakistan Telecommunication Authority website is part of an intended DDoS attack although it appears to be ineffective:
The Trojan scans the filesystem for files to encrypt. Javascript code that was found embedded in the executable file shows a list of file extensions that the malware looks for to encrypt using AES-256:
The Trojan adds the following files to the filesystem:
- %USERPROFILE%\Start Menu\Programs\Startup\EkstrwhbiMZYosv.exe (copy of original) [Detected as GAV: FireCrypt.A (Trojan)]
- %USERPROFILE%\Desktop\tFyROkGeXTevLgT-filesencrypted.html
- %USERPROFILE%\Desktop\tFyROkGeXTevLgT-READ_ME.html
- %USERPROFILE%\Local Settings\Temp\dbgRKSvXIYceWvY-(num).html (453 copies, where num is a number between 1 and 453)
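As an added example (not part of the SonicWall advisory), the following Python script checks a user profile directory for the dropped artefacts listed above and filters DNS log lines for the www.pta.gov.pk lookup described in the Infection Cycle section. The filenames are the ones the advisory reports; the directory layout and log lines the script builds are constructed sample data, and the `demo` function name is an assumption of this example.

```python
"""Host and DNS indicator check for the FireCrypt artefacts named in the advisory.
Added example; the profile layout it builds is constructed sample data."""
import re
import tempfile
from pathlib import Path

# Artefact paths from the advisory, relative to %USERPROFILE%.
STARTUP_COPY = Path("Start Menu", "Programs", "Startup", "EkstrwhbiMZYosv.exe")
DESKTOP_NOTES = (
    Path("Desktop", "tFyROkGeXTevLgT-filesencrypted.html"),
    Path("Desktop", "tFyROkGeXTevLgT-READ_ME.html"),
)
TEMP_DIR = Path("Local Settings", "Temp")
# dbgRKSvXIYceWvY-(num).html, num between 1 and 453
TEMP_NOTE_RE = re.compile(r"^dbgRKSvXIYceWvY-(\d+)\.html$")
TEMP_NOTE_EXPECTED = 453
# Domain the sample resolves; the advisory ties it to the intended DDoS.
DDOS_TARGET = "www.pta.gov.pk"


def scan_profile(user_profile):
    """Look for the FireCrypt drop artefacts under one user profile directory."""
    root = Path(user_profile)
    result = {
        "startup_copy": (root / STARTUP_COPY).is_file(),
        "desktop_notes": [p.name for p in DESKTOP_NOTES if (root / p).is_file()],
        "temp_note_count": 0,
        "temp_note_numbers_in_range": True,
    }
    temp = root / TEMP_DIR
    if temp.is_dir():
        numbers = []
        for entry in temp.iterdir():
            match = TEMP_NOTE_RE.match(entry.name)
            if match:
                numbers.append(int(match.group(1)))
        result["temp_note_count"] = len(numbers)
        result["temp_note_numbers_in_range"] = all(
            1 <= n <= TEMP_NOTE_EXPECTED for n in numbers)
    return result


def is_infected(result):
    """Any one artefact is enough: nothing benign creates these names."""
    return (result["startup_copy"]
            or bool(result["desktop_notes"])
            or result["temp_note_count"] > 0)


def suspicious_dns_lines(log_lines):
    """Return DNS log lines that resolve the advisory's domain.
    Matches the hostname as a whole token so a longer lookalike is not counted."""
    hits = []
    for line in log_lines:
        tokens = re.split(r"[\s,;]+", line.lower())
        if DDOS_TARGET in tokens:
            hits.append(line)
    return hits


def build_sample_profile(base):
    """Construct the advisory's artefact layout under `base` as empty placeholder files."""
    base = Path(base)
    for rel in (STARTUP_COPY, *DESKTOP_NOTES):
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(b"")
    temp = base / TEMP_DIR
    temp.mkdir(parents=True, exist_ok=True)
    for n in range(1, TEMP_NOTE_EXPECTED + 1):
        (temp / f"dbgRKSvXIYceWvY-{n}.html").write_bytes(b"")
    return base


def demo():
    """Build the sample profile in a scratch directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as scratch:
        build_sample_profile(scratch)
        infected = scan_profile(scratch)
        clean = scan_profile(Path(scratch) / "no-such-user")  # absent profile
    # Constructed DNS log lines, not taken from a real capture.
    sample_log = [
        "2017-01-06 10:02:11 query[A] www.pta.gov.pk from 10.0.0.7",
        "2017-01-06 10:02:12 query[A] update.example.com from 10.0.0.7",
        "2017-01-06 10:02:13 query[A] www.pta.gov.pk.example.net from 10.0.0.7",
    ]
    return {"infected": infected, "clean": clean,
            "dns_hits": suspicious_dns_lines(sample_log)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On a real host, point `scan_profile` at each profile under C:\Users (or C:\Documents and Settings on older Windows, which is where the "Local Settings\Temp" path in the advisory comes from) and feed `suspicious_dns_lines` your resolver or firewall log export.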
tFyROkGeXTevLgT-filesencrypted.html contains a list of files that were encrypted by the Trojan.
tFyROkGeXTevLgT-READ_ME.html contains the following message:
As with most ransomware, FireCrypt uses Bitcoin as its ransom payment method.
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: FireCrypt.A (Trojan)