This post was written by Sriram P. and Varadharajan Krishnasamy.
TeslaCrypt is a ransomware family that encrypts files and extorts money from its victims to decrypt the files. Similar to other ransomware variants, TeslaCrypt propagates through a wide range of spam campaigns and is also downloaded with the help of other malware:
- W97M/Downloader
- JS/Nemucod
- Angler exploit kit
- Neutrino exploit kit
- Generic downloaders
Last week, McAfee observed a novel approach in downloading TeslaCrypt using the Neutrino exploit kit.
Like other exploit kits, Neutrino redirects users to a malicious landing page that hosts exploit files targeting various vulnerabilities. The redirector link may arrive via email as part of spam campaign.
Once successful, the exploit kit delivers a Trojan downloader and executes it on the victim’s machine. The payload then starts generating random domain names and contacts a remote server with the following parameters.
The variable “_wv=” is assigned to the Base64 text string “ZW50ZXI=” which decodes to the command “enter.”
The server responds with a 404 error page. The response for the command “enter” is present in the comments section of the HTML page, which is again a Base64-encoded (<!—c3VjY2Vzcw==—>) text that decodes to the response “success.”
Upon receiving the success message, the malware responds with the same cookie-auth browser agent, along with a reply containing an encoded data.
The encoded data has the following format:
cmd&<GUID of Machine >&<Logged-in Username: System Name: Domain Name>&<Windows Version and Platform> &<AV product Info>&<Date and Time of Execution>
The compromised machine receives another 404 error page along with a download link that delivers a TeslaCrypt variant from the remote server.
The decoded comments section has the following format:
<random ldap timestamp>#<>#<>#LOADER hxxp://103.*****.148/*****.exe#
After successful execution, TeslaCrypt encrypts files in the victim’s machine and demands money to decrypt them.
We have seen the following domain names associated with this malware:
- nutqauytva100azxd.com
- nutqauytva11azxd.com
- nutqauytva513xyzf11zzzzz0.com
- nutr3inomiranda1.com
- nutqauytva9azxd.com
These domains are already flagged by McAfee SiteAdvisor as malicious.
How to prevent this infection:
- In spite of the availability of patches for known vulnerabilities such as CVE-2015-2419, CVE-2015-7645, and others, this exploit kit still targets these weaknesses. McAfee recommends users install the latest patches for Internet Explorer, Adobe Flash, etc.
- We advise all users to be extra careful when opening unsolicited emails and clicking unknown links.
- We strongly advise all users to block the preceding domain names.
McAfee products detect these TeslaCrypt variants as “Ransom-Tescrypt!<Partial hash>.”