We have seen a huge increase in ransomware during the past couple of years. At McAfee Labs we recently received a sample of the low-profile XTBL, a ransomware family that encrypts files and demands a ransom from its victims to decrypt them. Like other ransomware variants, XTBL propagates through a wide range of spam campaigns. Attackers have used various social engineering tricks to distribute these samples disguised as documents (.pdf, .doc, .xls, etc.), using the double-extension trick (a name that appears to end in a document extension while the real, hidden extension is executable) to lure users into opening the file.
A sample spam email may look like this:
We analyzed XTBL and found that it does the following:
- Encrypts user files, including executables, and deletes the originals.
- Deletes backup copies.
- Drops copies of itself and registers them to run again.
- Demands a ransom.
Once it has finished, XTBL replaces the desktop wallpaper with the following ransom note:
Analysis
In our static analysis of the malware sample, we found that it holds an encrypted payload in its overlay (data appended after the last PE section). On execution it decrypts this payload, a second executable, and injects it into a child process of itself.
The injected component carries out the rest of the infection. It first decrypts its embedded configuration, which contains:
- RSA key size (the first 4 bytes).
- RSA public key, immediately following the size.
- RSA exponent:
- Mail ID, where all information is sent:
- “Magic” number used:
- 006VGL (6 bytes). Each variant we have observed uses a different magic number, but all follow the same pattern: "00", one digit, then three uppercase letters (00{digit}[A-Z]{3}).
- Name of mutex created:
- Global\snc_(unknown)
- Path to exclude from encryption:
- %windir%
- Files to exclude from encryption:
- Svchost.exe
- Explorer.exe
- Boot.ini
- Name of dropped components:
- How to decrypt your files.txt.
- DECRYPT.jpg
- %desktop%\Log.txt
- For persistence, the malware drops copies of itself in %windir% and %appdata% and adds a run entry under:
- Software\Microsoft\Windows\CurrentVersion\Run
It also sends 159 bytes of data to its remote host:
This data contains the victim’s computer name, globally unique identifier, user ID, and magic number:
The injected component creates one thread per drive. Each drive thread in turn creates four worker threads responsible for:
- Traversing directories
- Renaming files
- Encrypting files
- Deleting the original files
The family also calls CreateFileW with dwShareMode set to 0 (no sharing), so that no other process can open the same file while its handle is held, an anti-debugging and anti-analysis technique.
File encryption proceeds in several steps.
Key generation
A 20-byte buffer is allocated for the key, which is filled from two sources, _ftime64() (the current time in seconds and milliseconds) and rand(), as shown:
The key is generated as follows:
- Dword_42C0A4 = Dword_42C0A4 ^ (1000*ms)
- Dword_42C0A8 = Dword_42C0A4 ^ ((1000*ms) | data)
- Dword_42C0AC = Dword_42C0A8 ^ rand()
- Dword_42C0B0 = 0 (the last DWORD stays zero)
The key may look like this:
The ransomware then computes the MD5 hash of the 20-byte buffer, giving a 16-byte digest.
That digest is used as the RC4 key to encrypt the same 20-byte buffer.
To summarize, the key is generated as follows:
- Data = ([epoch]) ([ms*1000]) ([rand()]) ([0000])
- Key = RC4(md5(Data), Data)
This key is then encrypted with the RSA public key from the configuration, so that only the holder of the matching private key can recover it.
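To make the key derivation above concrete, here is an added Python model of it; this is our illustration, not code recovered from the sample. It follows the summary form, Key = RC4(md5(Data), Data), rather than the register-level XOR chain. The 20-byte layout (an 8-byte __time64_t seconds value, 4 bytes of ms*1000, 4 bytes of rand(), 4 zero bytes, little-endian) is an assumption chosen to match the 20-byte total and the field order in the summary; the post does not state field widths or byte order.

```python
import hashlib
import random
import struct
import time


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling, then keystream XOR).
    Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_key_material(epoch_seconds: int, millitm: int, rand_value: int) -> bytes:
    """Data = [epoch][ms*1000][rand()][0000], 20 bytes.
    Assumed layout: 8-byte seconds, 4-byte ms*1000, 4-byte rand(), 4 zero bytes,
    little-endian as on x86 Windows. Widths and byte order are assumptions."""
    return struct.pack(
        "<QIII",
        epoch_seconds & 0xFFFFFFFFFFFFFFFF,
        (millitm * 1000) & 0xFFFFFFFF,
        rand_value & 0xFFFFFFFF,
        0,
    )


def derive_key(data: bytes) -> bytes:
    """Key = RC4(md5(Data), Data): the MD5 of the buffer keys RC4 over the buffer itself."""
    if len(data) != 20:
        raise ValueError("expected 20 bytes of key material")
    rc4_key = hashlib.md5(data).digest()  # 16 bytes
    return rc4(rc4_key, data)


def rc4_roundtrip_ok(data: bytes) -> bool:
    """RC4 is symmetric: re-applying the md5-derived key to Key yields Data again."""
    return rc4(hashlib.md5(data).digest(), derive_key(data)) == data


def generate_like_sample() -> bytes:
    """Mirror the sample's two entropy sources: the wall clock (what _ftime64 returns)
    and a single rand() call. MSVC rand() yields 0..32767, hence 15 bits here."""
    now = time.time()
    secs = int(now)
    millitm = int((now - secs) * 1000)
    rand_value = random.getrandbits(15)
    return derive_key(build_key_material(secs, millitm, rand_value))


if __name__ == "__main__":
    # Constructed inputs: a fixed timestamp, 123 ms, and one rand() value.
    data = build_key_material(1461024000, 123, 12345)
    print("Data:", data.hex())
    print("Key: ", derive_key(data).hex())
```

Two points worth noting when reading the sample. RC4 is symmetric, so anyone who holds Data can recompute md5(Data) and undo the RC4 step; the scheme relies entirely on the subsequent RSA encryption to keep the material secret. And the only inputs are the wall clock and one rand() value, a small search space; whether that helps recovery in practice depends on how this 20-byte key relates to the AES-256 file key, which the analysis above does not spell out.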
File encryption
Files are encrypted with AES-256.
After encryption the original file is deleted and the encrypted copy is renamed as follows, where {Id} is the victim ID and mail_address is the contact address from the configuration:
- Filename.ID{Id}.mail_address.XTBL
Each encrypted file has a trailer appended that holds the following fields:
- Encrypted filename
- Magic number (6 bytes)
- Initialization vector, randomly generated per file (10 bytes)
- Padding (10 bytes)
- RSA block (80 bytes)
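As an added triage helper, not part of the original analysis, the Python below parses the fixed-size tail of an encrypted file and checks the renamed filename against the pattern above. It assumes the fields are appended in the order listed (encrypted filename, then 6-byte magic, 10-byte IV, 10-byte padding, 80-byte RSA block) so that the last 106 bytes are fixed-width and can be read from the end; the encrypted filename has no length field described here, so it cannot be separated from the ciphertext and is not parsed. The sample file bytes and the filename are constructed for the demonstration.

```python
import re

MAGIC_LEN, IV_LEN, PAD_LEN, RSA_LEN = 6, 10, 10, 80
TRAILER_FIXED = MAGIC_LEN + IV_LEN + PAD_LEN + RSA_LEN  # 106 bytes

# Magic number pattern from the analysis: "00", one digit, three uppercase letters.
MAGIC_RE = re.compile(rb"00[0-9][A-Z]{3}")

# Filename.ID{Id}.mail_address.XTBL
NAME_RE = re.compile(
    r"^(?P<original>.+?)\.ID(?P<id>[A-Za-z0-9]+)\.(?P<mail>[^\s/\\]+@[^\s/\\]+)\.XTBL$",
    re.IGNORECASE,
)


def parse_trailer(blob: bytes) -> dict:
    """Split the fixed-width tail (assumed field order: magic, IV, padding, RSA block)."""
    if len(blob) < TRAILER_FIXED:
        raise ValueError("file too short to hold an XTBL trailer")
    tail = blob[-TRAILER_FIXED:]
    off = 0
    fields = {}
    for name, size in (("magic", MAGIC_LEN), ("iv", IV_LEN),
                       ("padding", PAD_LEN), ("rsa_block", RSA_LEN)):
        fields[name] = tail[off:off + size]
        off += size
    # Everything before the fixed tail is ciphertext plus the encrypted filename;
    # no length field is described, so it is returned unsplit.
    fields["body"] = blob[:-TRAILER_FIXED]
    return fields


def looks_like_xtbl(blob: bytes) -> bool:
    """Cheap check for triage: does the magic field match the 00{digit}[A-Z]{3} pattern?"""
    try:
        magic = parse_trailer(blob)["magic"]
    except ValueError:
        return False
    return MAGIC_RE.fullmatch(magic) is not None


def parse_name(name: str):
    """Return (original_name, victim_id, mail_address) for a renamed file, else None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("id"), m.group("mail")


def build_sample() -> bytes:
    """Constructed test file: fake ciphertext, a placeholder for the encrypted
    filename, then the fixed tail using the magic seen in this sample."""
    body = b"\xAA" * 64 + b"<encrypted-filename-placeholder>"
    iv = bytes(range(IV_LEN))
    padding = b"\x00" * PAD_LEN
    rsa_block = b"\x42" * RSA_LEN
    return body + b"006VGL" + iv + padding + rsa_block


if __name__ == "__main__":
    sample = build_sample()
    t = parse_trailer(sample)
    print("magic:", t["magic"], "iv:", t["iv"].hex(), "xtbl?", looks_like_xtbl(sample))
    print(parse_name("report.docx.ID1234ABCD.help@example.invalid.XTBL"))
```

A caveat on the IV field: AES works on 16-byte blocks, so a 10-byte value cannot serve directly as a CBC IV; how the sample expands or uses it is not covered here, and a recovery tool would need to establish that from the binary before relying on this field.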
List of Domains
- bebgimeozel.com
- dd24.net
- rrpproxy.net
- key-systems.net
- tuginsaat.com
How to prevent this infection
We advise all users to be careful when opening unsolicited emails and clicking unknown links, and in particular to check the real extension of any attachment before opening it. We also advise blocking the preceding domain names, with one check first: dd24.net, rrpproxy.net and key-systems.net appear to be domain-registrar and name-server infrastructure (Key-Systems/RRPproxy) that the registration records of a malicious domain would reference, so confirm from your own telemetry that they are actually contacted before blocking them wholesale.
McAfee products detect these XTBL variants as Ransom-XTBL-FUL!<partial-md5> and Ransom-XTBL-FUM!<partial-md5>.
This post was prepared with the invaluable assistance of Rakesh Sharma and G N Sivagnanam.
Analyzed samples (SHA-1)
- E3AA4A3882FED182986A642F05B3711156CA5354: injected component
- A07A1660EBD71BFF4B640665208D2ADE51791E69: attachment