Ransomware Variant XTBL Another Example of Popular Malware

We have seen a huge increase in ransomware during the past couple of years. At McAfee Labs we have recently received a sample of the low-profile XTBL, a ransomware family that encrypts files and demands ransom from its victims to decrypt the files. Like other ransomware variants, XTBL propagates through a wide range of spam campaigns. Attackers have used various social engineering tricks to distribute these samples disguised as a document (.pdf, .doc, .xls, etc.) file via double-extension trick to lure users into opening the file.

A sample spam email may look like this:

spam_xtbl

We analyzed XTBL and found it does the following:

  • Encrypts and deletes all user files including executables.
  • Deletes all backup copies.
  • Adds self-copies for rerunning.
  • Demands ransom.

After its activity, XTBL sets wallpaper as below:


screen_xtbl

Analysis

In our static analysis of the malware sample, we found that it holds some encrypted data in its overlay. Upon execution, it decrypts this data, an executable, and injects it into its own subprocess.

injected_xtbl

This injected component is used for further infection. It decrypts all configuration information required for its infection. The information it contains:

  • RSA key size (first 4-byte group).
  • RSA key followed by key size.

rsa_xtbl

  • RSA exponent:

rsaexponent_xtbl

  • Mail ID, where all information is sent:

mailaddr_xtbl

  • “Magic” number used:
    • 006VGL (6 bytes). We have observed that each variant uses a different magic number though the pattern remains same, for example, 00{number}[A-Z]{3}.
  • Name of mutex created:
    • Global\snc_{filename}
  • Path to exclude from encryption:
    • %windir%
  • Files to exclude from encryption:
    • Svchost.exe
    • Explorer.exe
    • Boot.ini
  • Name of dropped components:
    • How to decrypt your files.txt.
    • DECRYPT.jpg
    • %desktop%\Log.txt
  • For persistence the malware drops its copy in %windir% and %appdata% and creates a run entry:
    • Software\Microsoft\Windows\CurrentVersion\Run

It also sends 159 bytes of data to the host:

postdata_xtbl

This data contains the victim’s computer name, globally unique identifier, user ID, and magic number:

datasent_xtbl

This injected file creates a separate thread for each drive. Each of these threads creates a further four threads responsible for:

  • Traversing directory
  • Renaming file
  • File encryption
  • Deleting original file

This ransomware family uses the CreateFileW API in nonshare mode as an antidebugging technique.

createfile_xtbl

We found several steps for encrypting files.

Key generation

20 bytes of space is allocated for creating the key, which is generated using two sources, _ftime64()and Rand(), as shown:

key_gen_xtbl

The key is generated:

  • Dword_42C0A4 = Dword_42C0A4 ^ (1000*ms)
  • Dword_42C0A8 = Dword_42C0A4 ^ ((1000*ms) | data)
  • Dword_42C0AC = Dword_42C0A8 ^ rand ()
  • Dword_42C0B0 = Dword_42C0B0 ^ 0 i.e. 0

The key may look like this:

key_xtbl

The ransomware computes the MD5 hash of 20 bytes of the generated key to get 16 bytes of data.

md5_xtbl

These 16 bytes will be used to encrypt the generated key using the RC4 algorithm.

To summarize, key is generated using following pseudocode:

  • Data = ([epochs]) ([ms*1000]) ([rand()]) ([0000])
  • Key = RC4(md5(Data),Data)

The key is encrypted using an RSA key in the configuration information.

 

File encryption

Files are encrypted using the AES256 algorithm.

aes_256_pseudo_xtbl

Original files will be deleted after encryption and encrypted files will be renamed as follows:

  • Filename.ID{Id}.mail_address.XTBL

encrypted_file_xtbl

Each of the encrypted files is appended with data that holds some important fields:

  • Encrypted filename
  • Magic number (6 bytes)
  • Randomly generated initial vector for each file (10 bytes)
  • Padding (10 bytes)
  • RSA block (80 bytes)

encrypted_footer_xtbl

List of Domains

  • bebgimeozel.com
  • dd24.net
  • rrpproxy.net
  • key-systems.net
  • tuginsaat.com

How to prevent this infection

We advise all users to be careful when opening unsolicited emails and clicking unknown links. We strongly advise all users to block the preceding domain names.

McAfee products detect these XTBL variants as Ransom-XTBL-FUL!<partial-md5> and Ransom-XTBL-FUM!<partial-md5>.

This post was prepared with the invaluable assistance of Rakesh Sharma and G N Sivagnanam.

 

Analyzed samples (SHA-1)

  • E3AA4A3882FED182986A642F05B3711156CA5354: injected component
  • A07A1660EBD71BFF4B640665208D2ADE51791E69: attachment

 

Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.

FacebookTwitterInstagramLinkedINYouTubeRSS

More from McAfee Labs

Back to top