During the last couple of weeks, McAfee Labs has observed a huge increase in spam related to Nemucod, a malicious JavaScript that usually arrives as a .zip attachment and tries to download other malware. Nemucod is known to download threats such as Fareit, CryptoWall, and others. However, we have now observed that Nemucod is downloading new variants of TeslaCrypt, a file-encrypting ransomware discovered in early 2015.
Initially, TeslaCrypt infected systems from a compromised website, using AES encryption and demanding a ransom to decrypt the files. It redirects victims to a site running the Angler exploit kit. (For more on Angler, read the McAfee Labs Threats Report, February 2015). McAfee Labs blogged about that variant in March 2015.
As expected, the attackers have now come up with a new twist to step up TeslaCrypt infections through a very strong spam campaign. The attackers are consistently offering more sophisticated malware and social engineering techniques to distribute it. As a consequence, TeslaCrypt has become one of the most prevalent and hazardous threats in circulation.
Nemucod’s spam campaign
The new spam campaign contains a .zip file as an attachment. The .zip contains a malicious JavaScript file to evade detection from some email scanners and maximize its outreach. The contents of the email are carefully crafted to lure victims using social engineering techniques.
The contents of the JavaScript file are highly obfuscated and contain a lot of junk code.
After deobfuscating the contents, the code tries to download an executable from whatdidyaysay.com or iamthewinnerhere.com and stores it in the %TEMP% location.
After Nemucod comes W97M downloader
Just one week after Nemucod, we saw new variants of W97M/Downloader also downloading Teslacrypt. The spam email contains a document file attachment or a .zip attachment containing a document file. Using a fake invoice, attackers try to convince users into opening an attached .doc file.
To an unsuspecting user this email looks like a legitimate urgent notice about an unpaid invoice, but after taking a closer look we realize it could be a phishing email. The macro code inside attached .doc looks like this:
Looking into the new TeslaCrypt
The new variant is TeslaCrypt Version 2.2.0. This version encrypts users’ files and appends the filenames with a .vvv extension. The file extension changes regularly. (The previous version of TeslaCrypt used the file extension .ccc.) TeslaCrypt encrypts files using RSA-4096. The malware also drops two files on the victim’s machine—one plain-text file and an HTML file—containing instructions on how to pay the ransom and receive a decryption key. The ransom message instructs the victim to install the anonymous Tor web browser and visit a Tor website for further instructions.
Let’s dig into the code to understand more about this new version. Upon execution, TeslaCrypt drops and executes a copy in %AppData% directory and deletes itself.
To ensure only one instance is running, the malware creates a mutex as “2134-1234-1324-2134-1324-2134.”
It then sets the EnableLinkedConnections registry to force Windows to automatically make the network drives available to both the standard and administrator accounts. This way, this ransom will be able to search and encrypt files on network drives and shares without any issues.
The malware also creates an autostart registry entry to make sure its copy will be executed upon rebooting.
As with old TeslaCrypt variants, the new one removes the volume shadow copies from the target’s system, thereby preventing the user from restoring the encrypted files. (Shadow copy is a technology in Windows that helps users make backup copies (snapshots) of computer files or volumes.) To delete the shadow volume copies, TeslaCrypt uses the command “vssadmin.exe Delete Shadows /All /Quiet.” This ransomware uses the vssadmin.exe utility to quietly delete all the shadow volume copies on the computer.
TeslaCrypt next changes boot configuration data (BCD) by using its command-line tool (bcdedit.exe) to disable some features, so victims will have a hard time restoring or recovering encrypted files. BCD is a firmware-independent database for boot-time configuration data. It performs the following:
- Disables Emergency Management Services (EMS).
- Disables the edit and advanced boot options at startup.
- Disables Windows startup repair and error recovery.
The remote server and configuration details are all encrypted in its body. The ransomware decrypts them first before attempting to connect to them. The following are the decrypted remote URLs found on the sample we analyzed:
- http://atendercrumb.com/wp-content/plugins/theme-check/misc.php
- http://aumentopenis.org/wp-content/plugins/theme-check/misc.php
- http://apiercephoto.com/wp-content/plugins/theme-check/misc.php
- http://austinberean.com/wp-content/plugins/theme-check/misc.php
- http://attlecostumiers.com/wp-content/plugins/theme-check/misc.php
- http://athomegirl.com/wp-content/plugins/theme-check/misc.php
This ransomware created three malicious threads to perform the following:
- Connect to a remote server. It also uses “http://myexternalip.com/raw” to get the user’s external IP.
- Terminate processes containing the following strings:
- “askmg”: task manager process, taskmgr.ex.
- “rocex”: process explorer, processxp.exe.
- “egedit”: registry editor, regedit.exe.
- “sconfi”: system configuration, msconfig.exe.
- “cmd”: command-line tool, cmd.exe.
- Enumerate logical/network drives and shares, and encrypt files.
The malware starts by calling the GetLogicalDriveStringsW API and lists all available drives in the system. It searches for the target files to encrypt in all fixed, network, and removable drives.
It also enumerates all network shares.
Once a resource (drive or share) is available, TeslaCrypt searches for files to encrypt but avoids the following:
- Files from %Windows%, %ProgramFiles%, and %AllUsers% directories.
- Files containing strings such as “recove” and “.vvv” to avoid encrypting the “HowTo_Restore” instruction files and those already encrypted.
TeslaCrypt tries to encrypt files with the following extensions:
Finally, it creates three “Howto_Restore” encrypted files in the %Desktop% directory and pop them on the victim’s screen:
- Howto_Restore_FILES.TXT
- Howto_Restore_FILES.HTM
- Howto_Restore_FILES.BMP
McAfee advises users to keep their antimalware signatures up to date at all times. McAfee products detect the malicious macro, malicious JavaScript, and the TeslaCrypt payload as W97M/Downloader.aht and JS/Nemucod.ao, JS/Nemucod.ap, and Ransom-Tescrypt![Partial hash], respectively, with DAT Versions 8025 and later.
This post was prepared with the invaluable assistance of Rakesh Sharma and Diwakar Dinkar.