VirLocker Generation 8

Overview:

The SonicWall Capture Labs Threat Research Team recently found “VirLocker Generation 8”, also known as “VirLock” and “VirRansom”. This variant has been updated with many new techniques and anti-debugging routines that make it even harder for a security researcher to reach the core code behind its many layers of XOR decryption routines, metamorphic code and polymorphic code.

Ransomware variants such as this one are making security vendors stop and think about which techniques to develop next to stop, detect and track this type of malware. Many are offering solutions such as artificial intelligence, but no matter how much time we invest in new techniques and tools, the attackers stay ahead, creating new ways to slow down anti-virus detection and removal.

The protection methods added to VirLocker make any clean-up attempt challenging. As with past VirLocker infections, disinfection involves locating the keys inside the malware and then unwrapping the core ransomware like an onion, layer by layer, until you reach the infected file. Once that file is located, the original file can be stripped out.

Payment and lock screens (screenshots not reproduced): “How to pay a fine”, “Find nearest ATM”, “Online Exchanges”, “Internet Browser”, “Notepad”, “Control-Alt-Delete No Longer Works”.

Sample Static Information:

Hash information and entropy of the sample (screenshots not reproduced).

Folder & File Locations:

  • C:\Users\NAME\gKsQkYEI\SuEcwMMM
  • C:\ProgramData\akQwwoYc\RAQAAwwl
  • C:\Users\NAME\gKsQkYEI\SuEcwMMM.exe
  • C:\Users\NAME\AppData\Local\Temp\cUEkQMks.bat

Shim Database (screenshot not reproduced):

Unpacking The Sample:

Unpacking this sample is harder than any of the other VirLocker generations because of the multiple layers of encryption added to the initial cryptor stub. The cryptor stub in this sample is very small, so almost the whole file is encrypted data, which gives it the high entropy rating noted above. The stub starts with a small initial decryption routine that leads into an intense anti-debugging loop that will trip up a security researcher for a few hours.
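The entropy reading mentioned above is a quick triage signal: a tiny plaintext stub in front of an encrypted body pushes the whole file towards 8 bits per byte, and a per-window view shows exactly where the stub ends. The script below is an added example, not SonicWall's or the malware author's code; the 256-byte "stub" and the seeded pseudo-random "body" are constructed here and are not bytes from VirLocker.

```python
"""Byte-entropy triage for a suspected packed sample (added example, constructed data)."""
import math
import random
from collections import Counter
from typing import List, Optional


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 256) -> List[float]:
    """Entropy of each consecutive window (the last one may be shorter)."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def high_entropy_fraction(data: bytes, window: int = 256, threshold: float = 7.0) -> float:
    """Share of windows at or above `threshold`. Compressed or encrypted content sits
    near the top of the 0-8 scale, so a high share means there is little plaintext."""
    scores = windowed_entropy(data, window)
    return sum(1 for s in scores if s >= threshold) / len(scores) if scores else 0.0


def find_encrypted_body_offset(data: bytes, window: int = 256,
                               threshold: float = 7.0) -> Optional[int]:
    """Offset of the first high-entropy window, i.e. where a small stub hands over
    to the encrypted body. None if no window crosses the threshold."""
    for i, s in enumerate(windowed_entropy(data, window)):
        if s >= threshold:
            return i * window
    return None


# Constructed sample: 256 bytes of a low-entropy "stub" (header bytes and NOP-like
# padding) followed by 2 KiB of seeded pseudo-random bytes standing in for the
# encrypted body. Neither part is taken from a real sample.
STUB = b"MZ" + b"\x00" * 62 + (b"PE\x00\x00" + b"\x90" * 60) * 3
_rng = random.Random(20190405)
BODY = bytes(_rng.getrandbits(8) for _ in range(2048))
SAMPLE = STUB + BODY


def triage(data: bytes, window: int = 256, threshold: float = 7.0) -> dict:
    """Summary a triage script would log for one file."""
    return {
        "total_entropy": round(shannon_entropy(data), 2),
        "high_entropy_fraction": round(high_entropy_fraction(data, window, threshold), 2),
        "body_offset": find_encrypted_body_offset(data, window, threshold),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the constructed sample the first 256-byte window scores well under 2 bits per byte while every following window scores above 7, so `find_encrypted_body_offset` reports offset 256: the boundary where a small decryption stub gives way to the encrypted payload, which is the region an unpacking effort has to peel first.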

After the initial decryption, the anti-debugging loop shown below is reached (debugger screenshot not reproduced). The highlighted “BLUE” line is the anti-debugging loop, which executes only one line of the core malware code per iteration.

This one line of code changes and executes over a million times, producing the next set of decryption stubs and the metamorphic code that follows. Once you fight your way through the decryption and metamorphic stubs, you have the sample unpacked. If you have trouble, check our last Sonic Alert, “JPMORGAN CHASE NYSE: JPM, PAYMENTECH, BITCOIN RANSOMWARE”, which covered an earlier version of VirLocker.

The unpacked binary yields some interesting strings such as “Islam materials”, “extremist materials” and “Operation Global 3”. The Unicode strings appear in German, English and Spanish when viewed in IDA Pro.

Strings 1 to 4 (IDA Pro string listings, screenshots not reproduced).

Supported Systems:

The sample was tested and debugged on (x86) – 32 Bit, Windows 7 Professional.

Summary:

  • Attaches the core malware code into the infected file.
  • Has the ability to append, prepend, or save the core injection inside a random cavity.
  • Maintains persistence with: Run Registry Keys, Scheduled Tasks, Startup Folder, and Shim Database.
  • An infected file is hard to restore: this involves peeling away the metamorphic code to gain access to the deeply embedded key.
  • Holds your computer for ransom.
  • Uses cryptocurrency, such as bitcoin, for its payment model.
  • VirLocker is a File Infector and Screen Locker.
  • Uses a metamorphic engine with polymorphic routines and various XOR encryption and decryption routines.

SonicWall Signature Hit Graph (not reproduced):

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Virlock.J (Trojan)

Cyber Security News & Trends – 04-05-19

This week, Golroted malware is up to new tricks, SonicWall Hosted Email Security gets its stars, nefarious PDFs and Office files are running wild, and the classic board game ‘Risk’ foreshadows today’s cyber arms race.


SonicWall Spotlight

That Word Document You Just Downloaded Might Contain Malware – Verdict UK

  • SonicWall identifies malware in Microsoft Word, Microsoft Excel and Rich Text Format (.RTF) files, including the first known case of Golroted being spread through trusted file types.

Document-based Malware on the Rise, Businesses Warned – ComputerWeekly

  • More malware is hiding in PDF and Office files. ComputerWeekly investigates the growing threat while poring through data from the new 2019 SonicWall Cyber Threat Report.

SonicWall Hosted Email Security Garners 5-Star Rating – SC Magazine

  • “If safeguarding your network with the latest protection is something that you aspire to have, then SonicWall’s Hosted Email Security or Email Security Appliance should be on your shortlist of products to consider.”

What Does SonicWall’s New UK Boss Have in Store for the Channel? – CRN

  • SonicWall regional director Helen Jackson outlines the company’s enterprise expansion in the U.K.

Don’t Have a Risk(y) Defense Against Malware, Ransomware – SonicWall Blog

  • SonicWall’s Scott Grebe recalls his love for the classic board game ‘Risk’ and how its mechanics sometimes mirror today’s cyber threat landscape.

A Review of SD-Branch and its Progression from SD-WAN – TechTarget

  • In an exploration of SD-WAN technology, SonicWall is mentioned as one of the growing number of vendors to integrate the software-defined capabilities into its firewall offerings.

Cyber Security News

Cyberattacks ‘Damage’ National Infrastructure – BBC

  • New Ponemon Institute study reveals that cyberattacks against network infrastructure have successfully taken systems offline during the last two years.

Georgia Tech Cyberattack Exposes Data of 1.3 Million People – Dark Reading

  • An attacker infiltrated a central Georgia Tech database and made off with personal information on up to 1.3 million current and former faculty, students, staff and applicants.

Hospital Viruses: Fake Cancerous Nodes in CT Scans, Created by Malware, Trick Radiologists – The Washington Times

  • Israeli researchers authored malware to put the spotlight on security weaknesses in medical imaging equipment and networks.

New York Capital Hit by Ransomware Attack, Taking Services Offline – CNET

  • The city of Albany, New York, announced it was the victim of a ransomware attack, taking down several city services.

Why Phishing Emails Are Still Your Biggest Security Nightmare – ZDNet

  • According to the 2019 Cyber Security Breaches Survey published by the UK government, the most common type of cyberattack is phishing, whether through fraudulent emails or by directing users to fake websites.

Apple Card, ASUS Live Update Backdoor, Statistics on Malware Attacks – Security Boulevard


In Case You Missed It

On-Demand Webinar: The State of the Cyber Arms Race

There are two kinds of cybersecurity enthusiasts in this world.

Person 1: I anxiously set my alarm to be the first one to download the new 2019 SonicWall Cyber Threat Report. I await its glorious arrival every spring and have already read it cover-to-cover 34 times. What else can I learn?

Person 2: I, too, value the actionable cyberattack intelligence and research from SonicWall Capture Labs threat researchers. I downloaded it (hopefully), but just haven’t had a chance to absorb all it has to offer. I need more.

SonicWall obviously supports both approaches, but we know different types of people digest content in different ways.

For this reason, we hosted an exclusive webinar that explored the key findings, discussed intricacies of the data, provided updates and answered many questions.

Watch the on-demand replay to learn about the findings, intelligence, analysis and research from the 2019 SonicWall Cyber Threat Report.

The exclusive session, “The State of Cyber Arms Race: Unmasking the Threats Coming in 2019,” will help you improve your security preparations and posture through 2019 and beyond. Pro tip: Download the full report now so you’re primed for the webinar.

Hosted by SonicWall’s John Gordineer, the convenient 60-minute webinar explored the complete report, which covers key trends and findings from 2018, such as:

  • Global Malware Volume
  • UK, India Harden Against Ransomware
  • Dangerous Memory Threats & Side-Channel Attacks
  • Malicious PDF & Office Files Beating Legacy Security Controls
  • Attacks Against Non-Standard Ports
  • IoT Attacks Escalating
  • Encrypted Attacks Growing Steady
  • Rise & Fall of Cryptojacking
  • Global Phishing Volume Down, Attacks More Targeted

About the Presenter

John Gordineer
Director, Product Marketing

John is responsible for technical messaging, positioning and evangelization of SonicWall network security, email security, and secure remote access solutions to customers, partners, the press and industry analysts. John has more than 20 years of experience in product marketing, product management, product development and manufacturing engineering. He earned a bachelor’s degree in Industrial Engineering from Montana State University.

Malicious MS Office files are spreading Golroted malware

The SonicWall Capture Labs Threat Research Team identified a new wave of malicious Office files, distributed via phishing emails, that download malware belonging to the Golroted family. We are observing MS-Excel, MS-Word and RTF files being used to spread the malware. VBA macro code downloads and executes the Golroted sample.

The URL from which the malware is downloaded is stored in the file in encrypted form and is decrypted by the macro. In the MS-Word file, the encrypted data is stored as an ActiveDocument variable, whereas in the MS-Excel file it is stored in one of the cells above 100, as shown below:


Fig-1: Encrypted data in a MS-Excel file

The malicious document file has an embedded image and appears as shown below:


Fig-2: malicious MS-Word file

To evade detection and deceive the user, an RTF file carrying one or more malicious MS-Excel files is also used to spread this malware. The RTF file looks as shown below:


Fig-3: RTF File

Some clean macro code has also been added alongside the malicious macro, as shown below, which could confuse a researcher.


Fig-4: Macro code


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: MalOffice.G1 (Trojan)
  • GAV: MalOffice.G2 (Trojan)
  • GAV: MalOffice.G3 (Trojan)
  • GAV: MalOffice.G4 (Trojan)
  • GAV: MalOffice.G5 (Trojan)
  • GAV: MalOffice.G6 (Trojan)

This threat is detected proactively by Capture ATP w/RTDMI.

Indicators Of Compromise:

Presence of the following hashes:

  • 13b5c846b4ce31b735ce0372c7330013c8aa452bb0adf997c37717f45c349dd9
  • 1156c1ac3a8539c79f9dcdb0d19ae39d8fac1a6b542b0c416b25fbf996e234fc
  • 6978b5cdd6ff1ac103cda630e59a24adf667c9b1a7951928d56b7ed491e79bb4
  • 31133e3b2e9c7f39f50caf2d819ab13d534b6ab2f273b599753656b16c14ae28
  • 66362b4325aafbc039b0439a787571f876f48b5ca7a3b9034a4c8179674f5d55
  • ec0fc300ba7803b7f0da28d8b9a7d022848e3fe9f236550b17d2d1f34cd8a2cf
  • f22224c620b76d17c5c784945082c37a5669d8c6d2bd7fb7a6cd6e796ffc7051

Network traffic to the following URLs:

  • http://stores.kay[removed]cal.com/desket.exe
  • http://pasta[removed]om.au/test2/stati/book.exe
  • https://treassur[removed]rg/quadrant/flames.exe
  • http://inves[removed]olutions.us/file/FILE.exe
  • http://joec[removed]ra.biz/memo.exe
  • https://oga[removed]u.in/okay.exe
  • https://dre[removed]co/bin/shit.exe
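The hashes and URLs above are only useful once something checks local evidence against them. The script below is an added example, not SonicWall's code: it hashes files and looks the digests up in the published list, and it scans proxy log lines for requests to the published download paths. Because the hosts in the indicators are redacted on the page (“[removed]”), URL matching is done on the surviving URL path; the log lines are constructed for the example (hosts use the reserved .invalid TLD) and their five-field format (timestamp, client, method, URL, status) is an assumption.

```python
"""Matching the Golroted indicators against file hashes and proxy logs (added example)."""
import hashlib
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# SHA-256 indicators as published above.
IOC_HASHES = {
    "13b5c846b4ce31b735ce0372c7330013c8aa452bb0adf997c37717f45c349dd9",
    "1156c1ac3a8539c79f9dcdb0d19ae39d8fac1a6b542b0c416b25fbf996e234fc",
    "6978b5cdd6ff1ac103cda630e59a24adf667c9b1a7951928d56b7ed491e79bb4",
    "31133e3b2e9c7f39f50caf2d819ab13d534b6ab2f273b599753656b16c14ae28",
    "66362b4325aafbc039b0439a787571f876f48b5ca7a3b9034a4c8179674f5d55",
    "ec0fc300ba7803b7f0da28d8b9a7d022848e3fe9f236550b17d2d1f34cd8a2cf",
    "f22224c620b76d17c5c784945082c37a5669d8c6d2bd7fb7a6cd6e796ffc7051",
}

# Download URLs as published above, hosts redacted.
IOC_URLS = [
    "http://stores.kay[removed]cal.com/desket.exe",
    "http://pasta[removed]om.au/test2/stati/book.exe",
    "https://treassur[removed]rg/quadrant/flames.exe",
    "http://inves[removed]olutions.us/file/FILE.exe",
    "http://joec[removed]ra.biz/memo.exe",
    "https://oga[removed]u.in/okay.exe",
    "https://dre[removed]co/bin/shit.exe",
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Chunked file hash so large attachments do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_known_bad_hash(hexdigest: str) -> bool:
    return hexdigest.lower() in IOC_HASHES


def ioc_paths(urls: Iterable[str]) -> Dict[str, str]:
    """Map each indicator's URL path (lower-cased) back to the published indicator.
    The "[removed]" token is swapped for a plain character before parsing so the
    redaction brackets are not mistaken for an IPv6 host."""
    table: Dict[str, str] = {}
    for u in urls:
        path = urlsplit(u.replace("[removed]", "x")).path.lower()
        table[path] = u
    return table


def scan_proxy_log(lines: Iterable[str], paths: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (client, url, indicator) for every request whose path matches an IoC.
    Assumed line format: <timestamp> <client> <method> <url> <status>."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line; skip rather than guess
        client, url = fields[1], fields[3]
        path = urlsplit(url).path.lower()
        if path in paths:
            hits.append((client, url, paths[path]))
    return hits


# Constructed proxy log: two requests for IoC paths, two unrelated requests.
SAMPLE_LOG = [
    "2019-04-03T10:15:01Z 10.0.0.12 GET http://redacted.invalid/desket.exe 200",
    "2019-04-03T10:15:03Z 10.0.0.12 GET http://redacted.invalid/index.html 200",
    "2019-04-03T10:16:44Z 10.0.0.57 GET https://redacted.invalid/quadrant/flames.exe 200",
    "2019-04-03T10:17:02Z 10.0.0.57 GET https://updates.example.invalid/file/readme.txt 304",
]


if __name__ == "__main__":
    for client, url, indicator in scan_proxy_log(SAMPLE_LOG, ioc_paths(IOC_URLS)):
        print(f"{client} fetched {url} (matches {indicator})")
```

Path-only matching is deliberately loose, so a hit should be treated as a lead to pull the client's mail and endpoint telemetry, not as a verdict; the hash lookup is exact and identifies the dropped executables regardless of where they were downloaded from.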

Don’t Have a Risk(y) Defense Against Malware, Ransomware

Playing board games, no matter your age, can be a lot of fun. ‘Risk’ was always a favorite growing up. My friends and I would argue with each other over which country to attack … or not attack.

The modern-day cyber threat landscape is similar in some ways. As outlined in the new 2019 SonicWall Cyber Threat Report, certain countries are subjected to more malware and ransomware attacks than others. And, like Risk, there are definitely ramifications for not investing in proper defenses or leaving valuable assets unguarded.

For example, for the third consecutive year, global malware attacks increased in 2018. While the number of attacks briefly decreased in 2016, volume has grown 33 percent since. Last year, SonicWall recorded the largest number of malware attacks the company has ever seen: more than 10.52 billion.

Interestingly, the number of unique malware samples decreased in 2018 compared to 2017. This likely indicates a rise in malware variants, an increase in the number of cybercriminals launching attacks or both.

U.S., China Top Malware Targets in 2018

Back to the original question I posed: which countries face the most malware attacks? In 2018, the U.S. saw nearly 5.1 billion malware attacks, almost half of the overall 10.5 billion mentioned earlier. In comparison, the next four were China (601.6 million), the U.K. (584 million), Canada (432 million) and India (412 million).

Ransomware Attacks Up in U.S.; Volume Down in India, U.K.

Like malware, ransomware volume also spiked in 2018 with an 11 percent increase in the number of attacks globally over 2017. The total number of attacks topped 206 million with familiar names such as WannaCry, Cerber and Nemucod at the top of the list.

So, who were the top targets for ransomware attacks in 2018? Following the malware trend, the U.S. was the most targeted country with 90 million ransomware attacks, followed by Canada (24 million). Germany and Brazil were next with 9.9 and 8.6 million ransomware attacks, respectively. Interestingly, the U.K. and India both saw decreases in ransomware last year.

Among victims who chose to pay the ransom, the price tag to get the decryption key was just over $6,700 (USD) per incident in the fourth quarter of 2018, according to a report by BankInfoSecurity. Linking ransomware to financial impact is difficult, however. Many organizations, particularly larger enterprises, fear damage to their business relationships, reputation or brand.

Bitcoins, which were highly valued in 2017 but dropped in price in 2018, were still the cryptocurrency preferred by cybercriminals last year. With bitcoin prices dropping substantially over the past 15 months, however, cybercriminals started demanding a specific dollar amount in bitcoin instead of a fixed number of the cryptocurrency. In other words, “I want $6,000 in bitcoin, not five bitcoins.”

Other popular ransomware attacks included ransomware-as-a-service, which is a form of software-as-a-service for cybercriminals, as well as ransomware construction kits and fake ransomware.

Effective Malware & Ransomware Protection

With the number of malware and ransomware attacks continuing to rise, it’s imperative you have a comprehensive cybersecurity strategy in place, including sound ransomware protection.

SonicWall recommends a layered approach to network defense, which should include next-generation firewalls, the multi-engine Capture Advanced Threat Protection (ATP) sandbox service, secure email and cloud application security for SaaS applications like Office 365 and G Suite.

Norsk Hydro suffers $40M+ in damages from LockerGoga ransomware attack

Norsk Hydro, one of the largest aluminum producers in Norway, has been hit by ransomware known as LockerGoga. The financial damage to the company is severe and is reported to exceed $40M. After temporarily shutting down operations, some areas of the company have switched to manual mode and are reportedly slowly recovering. Norsk Hydro is not the only company reported to have been hit by this ransomware: back in late January 2019 it was reported to have been used in an attack against the French engineering consulting firm Altran Technologies. Although the internals of the malware are unsophisticated, the damage can be catastrophic if it is planted strategically and targeted at high-profile businesses.

Infection Cycle:

Upon execution, the User Account Control dialog displays the following information, showing ALISA LTD as the “Verified publisher”. It has a properly signed and valid certificate (screenshot not reproduced).

Embedded in the executable file is the following script (screenshot not reproduced).

The executable file also contains a list of file types to encrypt (screenshot not reproduced). It is evidently aimed at businesses, as it focuses primarily on documents, spreadsheets and database files.

It encrypts files on the system and gives each encrypted file a .locked extension. In addition to the above file types, other file types such as .exe, .dll and .inf are also encrypted (screenshot not reproduced).

During the infection process there is reasonably high CPU usage from multiple copies of tgytutrc776.exe (a copy of the original file). Multiple copies are used in an effort to speed up the encryption process (screenshot not reproduced).

The trojan drops the following readme file onto the system:

%PUBLIC%\Desktop\README_LOCKED.txt

We reached out to the operators via the provided email addresses but are yet to receive a reply.
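The two filesystem traces described above, files renamed with a .locked extension and the README_LOCKED.txt note on the Public desktop, are what a responder can check for across a suspect machine or a mounted disk image. The script below is an added example, not SonicWall's code: it walks a directory tree, counts .locked files broken down by their original extension, and records where ransom notes were found. The tree it scans is constructed in a temporary directory so the script runs anywhere; the layout and file names in it are made up for the example and the note's contents are a placeholder.

```python
"""Scanning a file tree for the LockerGoga artifacts named in the write-up (added example)."""
import os
import tempfile
from collections import Counter
from typing import Dict

LOCKED_EXT = ".locked"           # extension appended to each encrypted file
NOTE_NAME = "README_LOCKED.txt"  # ransom note dropped in %PUBLIC%\Desktop


def assess_tree(root: str) -> Dict[str, object]:
    """Count encrypted files (by original extension) and locate ransom notes under `root`."""
    locked_by_orig: Counter = Counter()
    locked = total = 0
    note_paths = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            if name == NOTE_NAME:
                note_paths.append(os.path.join(dirpath, name))
            if name.lower().endswith(LOCKED_EXT):
                locked += 1
                # "budget.xlsx.locked" -> original extension ".xlsx"
                stem = name[: -len(LOCKED_EXT)]
                orig_ext = os.path.splitext(stem)[1].lower() or "(none)"
                locked_by_orig[orig_ext] += 1
    return {
        "total_files": total,
        "locked_files": locked,
        "locked_ratio": round(locked / total, 2) if total else 0.0,
        "locked_by_original_ext": dict(locked_by_orig),
        "ransom_note_paths": note_paths,
        "verdict": "ransomware artifacts present" if (locked or note_paths) else "no artifacts found",
    }


def build_constructed_tree(root: str) -> None:
    """Constructed victim layout: three encrypted files, two untouched files, one note."""
    layout = {
        "Users/alice/Documents/budget.xlsx.locked": b"ciphertext placeholder",
        "Users/alice/Documents/report.docx.locked": b"ciphertext placeholder",
        "Users/alice/Documents/notes.txt": b"plain text",
        "ProgramData/app/customers.mdb.locked": b"ciphertext placeholder",
        "Windows/System32/drivers/etc/hosts": b"plain text",
        "Users/Public/Desktop/README_LOCKED.txt": b"(ransom note text not reproduced)",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo() -> Dict[str, object]:
    """Build the constructed tree in a temp dir, assess it, and return the summary."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root)
        return assess_tree(root)


if __name__ == "__main__":
    print(demo())
```

On a real host, point `assess_tree` at the drive root (or a mounted image) and compare the per-extension breakdown with the file-type list embedded in the sample; a note on the Public desktop with few or no .locked files suggests the run was interrupted early, which is the best case for recovery from backups.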

SonicWALL Capture Labs provides protection against this threat via the following signatures:

  • GAV: LockerGoga.RSM (Trojan)
  • GAV: LockerGoga.RSM_3 (Trojan)

Also, this threat is detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.