By Raj Samani (@Raj_Samani) and Christiaan Beek (@ChristiaanBeek)
In the McAfee Labs Threats Report published in November 2014, Senior Vice President Vincent Weafer commented that 2014 will be remembered as “the year of shaken trust.” Indeed almost every threat measured saw notable increases in Q3 that pointed to a rather ominous 2015. There was, however, one notable exception: ransomware.
The preceding figure provided a respite against the threat of ransomware, but as foreseen in the McAfee Labs Threats Predictions “Ransomware will evolve its methods of propagation, encryption, and the targets it seeks.”
For many, this prediction appears to be ringing true with the rise in Backdoor-FCKQ (aka known as CTB-Locker) now distributed via multiple channels including IRC, peer-to-peer networks, newsgroup postings, email spam, etc.
Details
“Backdoor-FCKQ” is a new crypto malware delivered through email that encrypts data files on the target system.
It copies itself to the following folder:
- %temp%< 7 random characters>.exe
- %temp%\wkqifwe.exe
It also creates a job task containing seven random characters:
- %windir%\Tasks\cderkbm.job
The following registry keys are added to the system:
- %ALLUSERSPROFILE%\Application Data\Microsoft\<7 random characters>
It injects code into svchost.exe, and svchost.exe will launch files from the following:
- %temp%\<7 random characters>.exe
The code injected into svchost.exe will encrypt files with the following extensions:
- .xls
- .ppt
- .txt
- .py
- .wb2
- .jpg
- .odb
- .dbf
- .md
- .js
- .pl
Once a system is infected, the malware displays the following image:
The newly created process creates a mutex named:
- \BaseNamedObjects\lyhrsugiwwnvnn
An interesting angle in this new round of Backdoor-FCKQ malware is the use of the well-known downloader Dalexis. There are several versions of this downloader. A simple query in our internal database resulted in more than 900 hits of this downloader and variants of it. To circumvent antispam tools, the downloader is hidden in a zip file that contains a zip and eventually unpacks to a .scr (screensaver) file.
The function of the downloader is to download additional malware from certain locations, unpack the Xor-coded malware, and execute it. In this case the additional malware, the CTB, was packed in the file pack.tar.gz:
Figure 1: pack.tar.gz.
As we can see from the preceding screenshot, there’s no file header present that represents a known file type. For example, if this were an executable file, the first two characters (aka the magic number) would have been “MZ.” This is one of the ways in which malware authors try to circumvent gateway detection of malware. Some other tricks we have seen frequently recently is to put the payload of the malware on Pastebin or Github.
In this case, pack.tar.gz used different XOR keys to encrypt parts of the file. Once this puzzle was cracked, the unpacked code of Backdoor-FCKQ is revealed:
Figure 2: Unpacked code of Backdoor-FCKQ.
With multiple samples of Backdoor-FCKQ (CTB-Locker) as comparison material, we immediately recognized code parts.
As a quick Yara detection rule, the following can be used:
Bitcoin trail
While tracing the Bitcoin trail and possible transactions, no value on the account was found and no transactions were made to other accounts.
Removal
All users: Use current engine and DAT files for detection and removal.
Modifications made to the system registry and/or INI files to hook system start-up will be successfully removed if cleaning with the recommended engine and DAT combination (or later versions).
A special thanks to Sanchit Karve for his assistance in the analysis.
Stay Updated
Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.
