Fessleak: The Zero-Day Driven Advanced RansomWare Malvertising Campaign

Feb 4, 2015

Ransomware malvertising can strike at any time, and it typically is dropped from clickbait articles on popular websites or simply by visiting popular sites like DailyMotion.com.  You can be checking out someone’s “Granny opening a new iPhone video” when you are suddenly confronted with a full screen announcing all your files and photos have been one-way encrypted and to get them back you have to pay a bitcoin ransom to a criminal organization.  There may be no worse feeling in the digital age than having all your personal files, family albums, and work encrypted and held for a ransom.

Although ransomware has been in the news since CryptoLocker (CriLock) made its debut, we continue to see new innovations in ransomware.  More advanced versions now use file-less infections and communicate via the Tor network. They can also check to ensure the host is not running on a virtual machine to frustrate security researchers and analysis.

Ironically, it is this virtual machine check that sends the advanced Ransomware Malvertising running when it detects the Invincea Virtual Container on an endpoint.  Cisco has an excellent blog post here that discusses the Virtual Machine detection in CryptoWall 2.0.

We take a look at two examples of ransomware: Kovter, which does not check for virtualization, and a Russian file-less ransomware, likely delivered by the Hanjuan exploit kit, which does check for virtualization and fails to execute when it detects Invincea.

Kovter Example

A recent malvertising infection from Kovter on New Year’s Eve, dropped by fox2now.com (see below), produced the following:

[Screenshot: grandma-iphone]

[Screenshot: analysis-1]

As you can see above, multiple advertising redirects ultimately sent the endpoint to several Polish websites that hosted an exploit kit to drop Kovter under the name ‘fixutil.exe’.  The fixutil.exe shows up here on VirusTotal and many AV vendors agree on the Kovter designation.

[Screenshot: analysis-2]

FessLeak Malvertising

Next is an example of the new file-less Flash malvertising dropped by Russian criminals via a real-time ad bidding network.  This malvertising doesn’t seem to have a specific name, so Invincea has dubbed it “Fessleak” after the registrant of all of the malicious domains used in the malware delivery.  In this instance, a clickbait article on the HuffingtonPost about the terrorist attack on Charlie Hebdo dropped advanced ransomware.  You will see in the logs that there is no dropped file; instead, the malware is extracted from system memory using the local System32 file, extrac32.exe.  Once this extraction is complete, the malware detects the Invincea container and quits.

[Screenshot: fessleak-malvertising]

[Screenshot: chalie-huffington]

We can look at the WHOIS record and owner of estuty.com to determine that this is the Fessleak variant of this malvertising.  First, you will see that this domain was registered and employed on the same date as the malware delivery:

[Screenshot: whois-1]

Next, you will see the owner information, likely forged: Michael Zont, with the email address fessleak@qip.ru. Qip.ru is a free email platform, similar to Hotmail.

[Screenshot: whois-2]

Dozens of other observed domains registered to Fessleak have engaged in the delivery of this advanced ransomware.  A Google search for the email address returns dozens of malicious domains, most of which are only ever used for a few hours before the name resolution is pulled.
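The two attributes described above, a registrant email that keeps reappearing and a domain that is registered on the same day it starts serving ads, are both cheap to check automatically against domains seen in ad-network traffic. The following is an added example, not code from the Invincea post; the WHOIS records are constructed in a simplified key: value layout (real registrar output varies), and the only values taken from the post are the registrant email fessleak@qip.ru, the registrant name, and the Jan 11, 2015 date for estuty.com.

```python
"""Flag ad-network domains that look like freshly minted campaign infrastructure.

Added example, not code from the original Invincea post. Two checks:
  1. registrant email on a watchlist (fessleak@qip.ru is the one the post names);
  2. domain registered on, or within a few days of, the day it was first seen.
WHOIS records are constructed in a simplified key: value format.
"""
from datetime import date, datetime

# Registrant contacts the post ties to the campaign.
WATCHLIST_EMAILS = {"fessleak@qip.ru"}

# A domain first seen fewer than this many days after registration is
# treated as "burner" infrastructure.
MAX_AGE_DAYS = 3

# Constructed sample records (not real WHOIS output).
ESTUTY_WHOIS = """\
Domain Name: ESTUTY.COM
Creation Date: 2015-01-11
Registrant Name: Michael Zont
Registrant Email: fessleak@qip.ru
"""

BENIGN_WHOIS = """\
Domain Name: example-publisher.com
Creation Date: 2009-06-02
Registrant Name: Example Media Inc.
Registrant Email: hostmaster@example-publisher.com
"""


def parse_whois(text):
    """Pull the fields we need out of a key: value WHOIS record."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return {
        "domain": fields["domain name"].lower(),
        "created": datetime.strptime(fields["creation date"], "%Y-%m-%d").date(),
        "email": fields.get("registrant email", "").lower(),
    }


def _as_date(value):
    """Accept either a date object or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def assess(record, first_seen):
    """Return the reasons a domain looks like campaign infrastructure
    (an empty list means nothing stood out)."""
    first_seen = _as_date(first_seen)
    reasons = []
    if record["email"] in WATCHLIST_EMAILS:
        reasons.append("registrant email on watchlist")
    age_days = (first_seen - record["created"]).days
    if 0 <= age_days < MAX_AGE_DAYS:
        reasons.append(f"registered {age_days} day(s) before first sighting")
    return reasons


def triage(whois_texts, first_seen):
    """Map each flagged domain to its reasons; clean domains are omitted."""
    flagged = {}
    for text in whois_texts:
        record = parse_whois(text)
        reasons = assess(record, first_seen)
        if reasons:
            flagged[record["domain"]] = reasons
    return flagged


if __name__ == "__main__":
    # 2015-01-11 is the date the post's table lists for estuty.com.
    for domain, why in triage([ESTUTY_WHOIS, BENIGN_WHOIS], "2015-01-11").items():
        print(domain, "->", "; ".join(why))
```

The age check is the more durable of the two: a watchlisted email can be swapped for a new one in minutes, but a domain that was registered this morning and is already serving ad creatives is unusual for any legitimate advertiser, whoever registered it.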

In summary, Invincea protected endpoints are immune to the Fessleak and other malvertising attacks, not just because they can detect our container running, but because any process that attempts to break from a browser to the local system is automatically blocked.  File-less attacks, buffer overflow exploits, zero-day Flash exploits, weaponized documents and more are all defeated by Invincea FreeSpace.

Use of Adobe Zero Day Exploits

In what appears to be a response to a recent Microsoft patch, the Fessleak threat actor has stopped using file-less Flash to deliver his ransomware.  Now Fessleak drops a temp file via Flash and makes calls to icacls.exe, the Windows utility that sets permissions on folders and files.  At this time, there is no AV detection for the malicious binary, which likely rotates its hash value to avoid detection.  See the screenshot below of Mapquest.com dropping malvertising infections.
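Both delivery variants described in this post lean on built-in Windows binaries (extrac32.exe in the file-less case above, icacls.exe here), so hash-based detection of the payload is unreliable, but the process lineage is not: neither utility has any business being launched by a browser or a Flash plugin host. The following is an added example, not code from the Invincea post, showing that parent/child check run over constructed process-creation events. The events are JSON records using Sysmon process-creation field names (UtcTime, Image, ParentImage, CommandLine); the browser and plugin process names are assumptions to be adapted to your environment, and the command lines are invented.

```python
"""Spot a browser or Flash plugin process launching extrac32.exe or icacls.exe.

Added example, not code from the original Invincea post. The signal is the
parent process, since both children are legitimate Windows utilities.
Log lines are constructed JSON using Sysmon-style field names.
"""
import json

# Processes that host web content or the Flash plugin (assumed names).
BROWSER_PARENTS = {
    "iexplore.exe", "firefox.exe", "chrome.exe",
    "plugin-container.exe", "flashplayerplugin.exe",
}

# Built-in utilities the post names as abused by Fessleak.
SUSPICIOUS_CHILDREN = {"extrac32.exe", "icacls.exe"}

# Constructed sample events, one JSON object per line (not real telemetry).
SAMPLE_LOG = r"""
{"UtcTime": "2015-01-11 14:02:10", "Image": "C:\\Windows\\System32\\extrac32.exe", "ParentImage": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "CommandLine": "extrac32 /Y C:\\Users\\u\\AppData\\Local\\Temp\\a.cab C:\\Users\\u\\AppData\\Local\\Temp"}
{"UtcTime": "2015-01-13 09:15:44", "Image": "C:\\Windows\\System32\\icacls.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "icacls C:\\Share /grant Users:R"}
{"UtcTime": "2015-01-13 09:16:02", "Image": "C:\\Windows\\System32\\icacls.exe", "ParentImage": "C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashPlayerPlugin.exe", "CommandLine": "icacls C:\\Users\\u\\AppData\\Local\\Temp\\x.tmp /grant Everyone:F"}
"""


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(event):
    """True when a browser/plugin parent spawns one of the abused utilities."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in BROWSER_PARENTS and child in SUSPICIOUS_CHILDREN


def scan(log_text):
    """Return (time, parent, child, command line) for each suspicious event."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_suspicious(event):
            hits.append((event["UtcTime"],
                         basename(event["ParentImage"]),
                         basename(event["Image"]),
                         event.get("CommandLine", "")))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT %s: %s spawned %s (%s)" % hit)
```

The explorer.exe record is there deliberately: an administrator running icacls from the desktop must not fire, which is why the rule keys on the parent rather than on the child alone. In production this same logic is usually expressed as an EDR or SIEM rule on process-creation events rather than as a script.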

[Screenshot: mapquest-icacls]

While Invincea has been tracking this threat actor for months, other notable security professionals have noticed that Fessleak is using advanced Adobe zero-day exploits to continue to deliver his malware.  Kafeine from malware.dontneedcoffee.com notes that Fessleak has now been seen using the very latest zero-day Adobe exploit, CVE-2015-0311.  His excellent write-up, which notes that the latest exploit installs a remote desktop and AdFraud bot, is here.

TrendMicro also notes that Fessleak, and specifically one of his “burner” domains, retilio.com, was seen to use the same zero-day, in this blog post here.

Below shows that Invincea has been tracking this threat actor for months.

| Date | Domain | Malvertised on |
| --- | --- | --- |
| Oct 17, 2014 | 216.157.99.23 | webmail.nc.rr.com |
| Oct 22, 2014 | 216.157.99.25 | Lucianne.com |
| Oct 29, 2014 | 216.151.221.212 | Vyped.com |
| Nov 2-11, 2014 | chebroom.com* | Mail.twc.com, lucianne.com, huffingtonpost.com, Photobucket.com, DNSrsearch.com, RT.com, answers.com, CBSsports.com, HowtoGeek.com, fark.com, inquisitr.com, viewmixed.com |
| Nov 12-14, 2014 | Kenthopm.org | Hrtwarming.com, thesaurus.com |
| Nov 19, 2014 | vectallies.org | Mail.twc.com |
| Nov 21-24, 2014 | hevpazana.org | Answers.com, dictionary.reference.com, techeblog.com |
| Dec 10-11, 2014 | labutinra.org | Dictionary.reference.com, POF.com, mail.twc.com, webmail.nc.rr.com, Windstream.net, theweek.com, Cleveland.com, pottsmerc.com, jpost.com, earthlink.net, motherjones.com, styleblazer.com, inquistr.com, pjmedia.com |
| Dec 12, 2014 | | Sailinganarchy.com, mjsbigblog.com |
| Dec 21, 2014 | pinkavuz.org | Worthly.com |
| Dec 25-26, 2014 | beatrinko.org | Thehulltruth.com, answers.com, Windstream.net |
| Dec 27, 2014 | vemisaio.org | Sailinganarchy.com, nydailynews.com, dictionary.reference.com, answers.com |
| Dec 28, 2014 | zhonte.org | News.com.au, match.com, mail.twc.com |
| Dec 29, 2014 | binachio.org | Answers.com, realtor.com, opposingviews.com, dailysanctuary.com, uticaod.com |
| Dec 31, 2014-Jan 1, 2015 | zarafint.org | Answers.com, webmail.nc.rr.com, mail.twc.com |
| Jan 3, 2015 | landors.org | Photobucket.com |
| Jan 4, 2015 | tesuin.org | Pof.com, nj.com |
| Jan 5, 2015 | rliner.org | Search.aol.com, realtor.com, photobucket.com |
| Jan 8, 2015 | litpou.org | Cinemablend.com, popularmechanics.com |
| Jan 9, 2015 | fersob.org | Webmail.windstream.net |
| Jan 11, 2015 | estuty.com | Huffingtonpost.com |
| Jan 12, 2015 | ontiq.com | Thehouseofsmiths.com, webmail.earthlink.net, mail.twc.com |
| Jan 13, 2015 | deinq.com | Mapquest.com |
| Jan 14, 2015 | ermuz.com | Dictionary.reference.com |
| Jan 20-21, 2015 | azurf.org | Webmail.nc.rr.com, pof.com, webmail.windstream.net |
| Jan 27, 2015 | relom.org | Noodlenuke.com |
| Jan 28, 2015 | retilio.com** | Worthly.com, webmail.nc.rr.com, chowhound.chow.com, 100gateswalkthrough.com |
| Jan 29, 2015 | uvreno.com | Sailinganarchy.com |
| Feb 2, 2015 | 64.34.127.86 | Theblaze.com, realtor.com, webmail.nc.rr.com, thesaurus.com |
| Feb 3, 2015 | 64.34.127.134 | answers.com |
| Feb 3, 2015 | tunim.net | Thebrofessional.net |

\* First use of a domain registered to fessleak@qip.ru
\*\* Domain first observed by TrendMicro

It is important to note that the sites from which the malvertising was delivered are by and large unaware that their sites were used for delivering malware, and largely unable to do anything about it.

Whether Fessleak has been using zero-day exploits all along is indeterminate; Invincea doesn’t differentiate between zero-day exploits and known vulnerabilities when it stops attacks.  But if zero-day exploits were indeed used, it simply means that Invincea protected hosts have thwarted Fessleak’s campaign.  Other security wonks and anti-virus vendors are urging users to turn off Flash until it can be patched.  But Invincea FreeSpace users don’t have to scramble to disable plugins, switch browsers and find patches.  We protect them, even in the face of stacks of zero-days.

[Infographic: fessleak-infographic-PSD-2-5-15_v2]
