Ransomware malvertising can strike at any time, and it is typically delivered through clickbait articles on popular websites or simply by visiting popular sites like DailyMotion.com. You can be checking out someone’s “Granny opening a new iPhone video” when you are suddenly confronted with a full screen announcing that all your files and photos have been one-way encrypted and that to get them back you have to pay a bitcoin ransom to a criminal organization. There may be no worse feeling in the digital age than having all your personal files, family albums, and work encrypted and held for ransom.
Although ransomware has been in the news since CryptoLocker (CriLock) made its debut, we continue to see new innovations in ransomware. More advanced versions now use file-less infections and communicate via the Tor network. They can also check to ensure the host is not running on a virtual machine to frustrate security researchers and analysis.
Ironically, it is this virtual machine check that sends the advanced ransomware malvertising running when it detects the Invincea Virtual Container on an endpoint. Cisco has an excellent blog post that discusses the virtual machine detection in CryptoWall 2.0.
We take a look at two examples of ransomware: Kovter, which does not check for virtualization, and a Russian file-less ransomware, likely run from the Hanjuan exploit kit, which does check for virtualization and fails to execute when it detects Invincea.
A recent malvertising infection from Kovter on New Year’s Eve, dropped by fox2now.com (see below), produced the following:
As you can see above, multiple advertising redirects ultimately sent the endpoint to several Polish websites that hosted an exploit kit to drop Kovter under the name ‘fixutil.exe’. The fixutil.exe shows up here on VirusTotal and many AV vendors agree on the Kovter designation.
Next is an example of the new file-less Flash malvertising dropped by Russian criminals via a real-time ad bidding network. This malvertising doesn’t seem to have a specific name, so Invincea has dubbed this “Fessleak” after the registrant of all of the malicious domains used in the malware delivery. In this instance, a clickbait article on the Huffington Post about the terrorist attack on Charlie Hebdo dropped advanced ransomware. You will see in the logs that there is no dropped file; however, you will see that the malware is extracted from system memory using the local System32 file, extrac32.exe. Once this extraction is complete, the malware detects the Invincea container and quits its functions.
We can look at the Whois record and owner of estuty.com to determine that this is the Fessleak variant of this malvertising. First, you will see that this domain was registered and employed on the same date as the malware delivery:
Next, you will see the owner information, likely forged: Michael Zont, with an email address of email@example.com. Qip.ru is a free email platform, similar to Hotmail.
Dozens of other observed domains registered to Fessleak have engaged in the delivery of this advanced ransomware. A Google search for the email address returns dozens of malicious domains, most of which are only ever used for a few hours before the name resolution is pulled.
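The two Whois signals described above (a domain registered the same day it is used, and many domains sharing one registrant) can be checked against proxy logs. The following is an added example, not Invincea's tooling; the domains, registrant address, timestamps and the `triage` function are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed WHOIS data: creation time and registrant e-mail per domain.
WHOIS = {
    "burner-one.example": {"created": datetime(2015, 1, 11, 6, 0),
                           "registrant": "registrant@placeholder.example"},
    "burner-two.example": {"created": datetime(2014, 12, 1, 0, 0),
                           "registrant": "registrant@placeholder.example"},
    "longlived.example": {"created": datetime(2009, 3, 2, 0, 0),
                          "registrant": "hostmaster@longlived.example"},
}

# Constructed proxy log: (request time, requested domain, referring site).
PROXY_LOG = [
    (datetime(2015, 1, 11, 14, 30), "burner-one.example", "news-site.example"),
    (datetime(2015, 1, 11, 14, 31), "longlived.example", "news-site.example"),
    (datetime(2015, 1, 13, 9, 5), "burner-two.example", "maps-site.example"),
]

def triage(proxy_log, whois, max_age=timedelta(days=1)):
    """Return {domain: reason}: young domains first, then registrant pivots."""
    findings = {}
    # Pass 1: domains requested within max_age of their registration.
    for when, domain, _referrer in proxy_log:
        rec = whois.get(domain)
        if rec and timedelta(0) <= when - rec["created"] <= max_age:
            hours = int((when - rec["created"]).total_seconds() // 3600)
            findings[domain] = "registered %dh before first request" % hours
    # Pass 2: older domains that share a registrant with a flagged one.
    bad_registrants = {whois[d]["registrant"] for d in findings}
    for _when, domain, _referrer in proxy_log:
        rec = whois.get(domain)
        if rec and domain not in findings and rec["registrant"] in bad_registrants:
            findings[domain] = "shares registrant with a flagged domain"
    return findings

if __name__ == "__main__":
    for domain, reason in triage(PROXY_LOG, WHOIS).items():
        print(domain, "->", reason)
```

Domains with no WHOIS record are skipped rather than flagged, so a missing lookup should be reviewed separately.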
In summary, Invincea-protected endpoints are immune to the Fessleak and other malvertising attacks, not just because these attacks can detect our container running, but because any process that attempts to break from a browser to the local system is automatically blocked. File-less attacks, buffer overflow exploits, zero-day Flash exploits, weaponized documents and more are all defeated by Invincea FreeSpace.
Use of Adobe Zero Day Exploits
In what appears to be a response to a recent Microsoft patch, the Fessleak threat actor has stopped using file-less Flash to deliver his ransomware. Now Fessleak drops a temp file via Flash and makes calls to icacls.exe, the file that sets permissions on folders and files. At this time, there is no detection for the malicious binary, which likely rotates its hash value to avoid AV detection. See the screenshot below of Mapquest.com dropping malvertising infections.
While Invincea has been tracking this threat actor for months, other notable security professionals have noticed that Fessleak is using advanced Adobe 0-day exploits to continue to deliver his malware. Kafeine from malware.dontneedcoffee.com notes that Fessleak has now been seen using the very latest zero-day Adobe exploit, CVE-2015-0311. His excellent write-up, which notes that the latest exploit installs a remote desktop and AdFraud bot, is here.
TrendMicro also notes in this blog post here that Fessleak, and specifically one of his “burner” domains, retilio.com, was seen to use the same zero-day.
The table below shows that Invincea has been tracking this threat actor for months.
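Both delivery styles described above end with a System32 utility (extrac32.exe in the file-less case, icacls.exe after the change) running underneath a browser, which is something process-creation telemetry can flag. The following is an added example, not code from Invincea or the original post; the event field names, the list of browser host processes and the sample events are assumptions constructed for illustration.

```python
from ntpath import basename  # parses Windows paths on any OS

# Assumption: process names treated as browser / plugin hosts (not from the post).
BROWSER_HOSTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "plugin-container.exe"}
# System32 utilities the post reports being invoked during delivery.
WATCHED = {"extrac32.exe", "icacls.exe"}

def name_of(path):
    return basename(path).lower()

def browser_ancestor(pid, by_pid, max_depth=16):
    """Walk parent links from pid; return the nearest browser-host ancestor or None."""
    seen = set()
    current = by_pid.get(pid)
    while current and current["pid"] not in seen and len(seen) < max_depth:
        seen.add(current["pid"])  # guards against parent-link loops
        parent = by_pid.get(current["ppid"])
        if parent and name_of(parent["image"]) in BROWSER_HOSTS:
            return parent
        current = parent
    return None

def find_browser_breakouts(events):
    """Return (browser, utility, command line) for watched utilities under a browser."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if name_of(e["image"]) in WATCHED:
            anc = browser_ancestor(e["pid"], by_pid)
            if anc:
                alerts.append((name_of(anc["image"]), name_of(e["image"]), e["cmdline"]))
    return alerts

# Constructed events; pid/ppid/image/cmdline are hypothetical field names.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "cmdline": "iexplore.exe"},
    {"pid": 220, "ppid": 200, "image": r"C:\Windows\System32\extrac32.exe", "cmdline": "extrac32.exe <constructed>"},
    {"pid": 210, "ppid": 200, "image": r"C:\Users\user\AppData\Local\Temp\constructed.tmp", "cmdline": "constructed.tmp"},
    {"pid": 230, "ppid": 210, "image": r"C:\Windows\System32\icacls.exe", "cmdline": "icacls.exe <constructed>"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\icacls.exe", "cmdline": "icacls.exe <admin use>"},
]

if __name__ == "__main__":
    for alert in find_browser_breakouts(EVENTS):
        print("ALERT browser=%s child=%s cmd=%r" % alert)
```

The icacls.exe launched from explorer.exe (pid 300) is not reported, because only the browser lineage is treated as suspicious here.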
| Date | Fessleak domain or IP | Site delivering the malvertising |
|---|---|---|
| Oct 17, 2014 | 220.127.116.11 | webmail.nc.rr.com |
| Oct 22, 2014 | 18.104.22.168 | Lucianne.com |
| Oct 29, 2014 | 22.214.171.124 | Vyped.com |
| Nov 2-11, 2014 | chebroom.com* | Mail.twc.com |
| Nov 12-14, 2014 | Kenthopm.org | Hrtwarming.com |
| Nov 19, 2014 | vectallies.org | Mail.twc.com |
| Nov 21-24, 2014 | hevpazana.org | Answers.com |
| Dec 10-11, 2014 | labutinra.org | Dictionary.reference.com |
| Dec 12, 2014 | | Sailinganarchy.com |
| Dec 21, 2014 | pinkavuz.org | Worthly.com |
| Dec 25-26, 2014 | beatrinko.org | Thehulltruth.com |
| Dec 27, 2014 | vemisaio.org | Sailinganarchy.com |
| Dec 28, 2014 | zhonte.org | News.com.au |
| Dec 29, 2014 | binachio.org | Answers.com |
| Dec 31, 2014-Jan 1, 2015 | zarafint.org | Answers.com |
| Jan 3, 2015 | landors.org | Photobucket.com |
| Jan 4, 2015 | tesuin.org | Pof.com |
| Jan 5, 2015 | rliner.org | Search.aol.com |
| Jan 8, 2015 | litpou.org | Cinemablend.com |
| Jan 9, 2015 | fersob.org | Webmail.windstream.net |
| Jan 11, 2015 | estuty.com | Huffingtonpost.com |
| Jan 12, 2015 | ontiq.com | Thehouseofsmiths.com |
| Jan 13, 2015 | deinq.com | Mapquest.com |
| Jan 14, 2015 | ermuz.com | Dictionary.reference.com |
| Jan 20-21, 2015 | azurf.org | Webmail.nc.rr.com |
| Jan 27, 2015 | relom.org | Noodlenuke.com |
| Jan 28, 2015 | retilio.com** | Worthly.com |
| Jan 29, 2015 | uvreno.com | Sailinganarchy.com |
| Feb 2, 2015 | 126.96.36.199 | Theblaze.com |
| Feb 3, 2015 | 188.8.131.52 | answers.com |
| Feb 3, 2015 | tunim.net | Thebrofessional.net |
* First use of a domain registered to firstname.lastname@example.org
** Domain first observed by Trendmicro
It is important to note that the sites from which the malvertising was delivered are by and large unaware that their sites were used for delivering malware, and largely unable to do anything about it.
Whether Fessleak has been using zero-day exploits all along is indeterminate: Invincea doesn’t differentiate between zero-day exploits and known vulnerabilities when it stops attacks. But if zero-day exploits were indeed used, it simply means that Invincea-protected hosts have thwarted Fessleak’s campaign. Other security wonks and anti-virus vendors are urging users to turn off Flash until it can be patched. But Invincea FreeSpace users don’t have to scramble to disable plugins, switch browsers and find patches. We protect them, even in the face of stacks of zero days.