Pierluigi Paganini August 04, 2015

The CTB-Locker Ransomware is Back with a Vengeance, the security experts noticed that bad actors Leveraging the Release of Windows 10 as an Attack Vector.

A false sense of hope that the presence, or rather the active spread, of crypto-ransomware in-the-wild has begun to slowly die out has been quickly diminished thanks to the group behind the CTB-Locker ransomware. While ransomware is of course still a huge issue today, the lack of new variants that have been discovered within the past few months may have given analysts and management alike a glimmer of hope.

Unfortunately, cybercrime is growing at an exponential rate; as security professionals, we are constantly playing a game of catch-up with the bad guys.

Let’s face it: wearing a black hat comes with huge risks, but it also is quite profitable. Well-organized cybercrime groups often do very well. This causes a huge headache for security professionals; the malware tied to these more persistent groups is being spread in what seems like a countless number of never-ending campaigns! The CryptoWall ransomware still has the throne; regarding crypto-ransomware, CryptoWall 3.0 has been public enemy number one, with the rapid launching of new campaigns dedicated to spreading this ransomware skyrocketing in number on a daily basis. Recent estimates state that as a collaborative whole, the CryptoWall group has raked in upward of 18 million US dollars.

So with regard to the profitability facet, the distribution of ransomware appears to be quite an attractive field for cyber criminals to get involved in. While CryptoWall certainly remains “the king” right now, another slightly older ransomware variant that wreaked havoc appears to be back, in a big way; yes, CTB-Locker has returned.

Leveraging the Release of Windows 10 as an Attack Vector

The group behind the CTB-Locker ransomware, or at least this particular phishing campaign, leveraged a new tactic that has proven to be extremely effective. Exploiting the human mind by manipulating them to believe that their free “Windows 10 upgrade” that they’ve been waiting so long for has finally arrived. As you may or may not know, Microsoft has released Windows 10 on July 29th, 2015; additionally, they promised a free upgrade to currentWindows 7 and Windows 8 users. The criminals behind this chapter in the ongoing CTB-Locker saga decided to impersonate Microsoft via phishing e-mail, and apparently, their tactics have been quite effective.

As reported by the Cisco Talos Group, the following characteristics describe the phishing e-mails being distributed during this new phishing campaign:

• The e-mail appears to be from (Fromheader) [email protected]
• In one example, looking closer at the headers revealed an IP addressgeolocated in Thailand
• The e-mail body is constructed using similar colors to those that are actually used in some legitimateMicrosofte-mails
• Some characterswithin the e-mails’ body are not being interpreted properly by some browsers (perhaps based on keyboard/language settings)
• In order to gain the trust of the victim, a fake “Disclaimer”type message is appended to the e-mail body to make it appear more legitimate
• A tactic that I have not seen all too much; the inclusion of a fake “message” from an Anti-Virus vendorclaiming that the e-mail attachment has been scanned and is clean of viruses

The malware file itself is delivered via e-mail attachment, compressed within a ZIP archive; the naming convention observed by Cisco, for example, is as follows:

Attachment: Win10Installer.zip
Files within Compressed ZIP Archive: Win10Installer.exe

Additional CTB-Locker Characteristics / Observed Behavior

This should serve as a refresher for the most part, but to recap, here are some of the CTB-Locker characteristics observed and reported by the Cisco Talos Group as a result of their analysis on a sample e-mail / attachment(s) in question (NOTE: Listed below are some of the more “dynamic” or perhaps new(er) components):

• The victim has 96 hoursto pay the ransom
• As commonly observed with ransomware and other prevalent malware today, C2 servers are created/converted via compromised WordPress sites, however, Cisco reported that the sample they analyzed appeared to have hard-coded IP addresseswithin the binary set to connect and communicate on non-standard ports
• Most ports are related to Torcommunication, nevertheless, some ports often used include: 9001, 443, 1443,666
• Additionally, port 21 (FTP)was found utilized as a covert channel for command-and-control communication

Note: The Talos Group also uncovered several pseudo-random domain names when analyzing the binary and its network traffic; however, many if not all of the domains observed were not yet registered, and no DNS queries involving said domains were observed.

Sources

The wealth of information and awesome analysis performed by Cisco’s Talos Group provided the fuel and information required to put this article together.

About the Author Michael Fratello

Edited by Pierluigi Paganini

(Security Affairs – CTB-Locker, ransomware)