This blog post is here to publish and trace information about the Sifreli ransomware. The word "sifreli" means "encrypted" in Turkish, and that is also the extension the malware was using for the encrypted files. This ransomware, when executed, encrypts all data files with AES encryption. The password used for encryption is random, and the user is presented only with a version of it encrypted with an RSA public key. The attackers claim that if the ransom is paid within 3 days, they will decrypt the unique session key and hand it back to the victim so that he can decrypt his precious data (text, photos, zip, word ...). Whether this can be trusted I do not know. Yes, technically it is possible, but in reality I would not recommend paying any ransom, as you have no guarantee that you won't get reinfected the very next day.
Materials on the topic:
- 2014-02-20 - Crypto key methods malware uses to blackmail
- 2014-02-19 - Turkish forum discussing the same ransomware spreading pretending to be a bill from TurkCell
- 2014-02-18 - Trend Micro analysis of the Turkish mutation
- 2012-12-27 - Same ransomware spreading in Turkey in 2012
Phishing email
At the beginning of the chain there is a phishing email with a link to the download site. The phishing email for the Royal Mail campaign looked like this:
From: customercare@parcel-tracking.net [mailto:customercare@parcel-tracking.net]
Sent: 24 February 2014 12:12
To: John Doe
Subject: Parcel to John Doe
John Doe
A courier did not deliver the parcel to your address 21 February 2014, because nobody was at home.
Please download information about parcel, print it and go to post office to receive a package.
Attention
If the parcel isn't received within 30 working days Royal Mail will have the right to claim compensation from you for it's keeping in the amount of 5.70 £ for each day of keeping. You can find the information about the procedure and conditions of parcel keeping in the nearest office.
This is automatically generated email, please click here to unsubscribe.
Royal Mail Group Ltd 2013. All rights reserved
Malware Download
The download site mimics the site of a well-known brand. For Turkey it was Turkcell, a local mobile telephone operator. For the campaign targeting the UK the download site abused the Royal Mail brand name. The attacker gains the trust of the victims by the following:
- the site looks quite genuine, cloning the look and feel of the site being phished
- it includes a fake captcha for the download of the malware file; to download you need to enter the right code from the screen
- it claims it will download a PDF, gaining trust by the fact that the downloaded zip contains a file with a PDF icon - a pity that it is in fact a malicious EXE
- the download site looks quite clean at first glance, but after entering the "captcha" the reloaded page contains 2 iframes. One is the zip file with the malware, the second is probably a redirect to some drive-by download.
- part of the file name of the zip file changes with a string of randomly generated numbers to look real
List of known download sites:
- http://www.parcel-tracking.net/track-trace/track.php?id=9780165 (IP 194.58.38.112)
- http://csi.efatura-turkcell.net/amserver/UI/Login.php (IP 194.58.43.23)
- http://csi.efatura-turkcell.org/amserver/UI/Login.php (IP 194.58.43.23)
- Probably next in line: csi.efatura-turkcell.com (IP 194.58.43.23)
Download link with the zip file looks like this (numbers are random):
- http://www.parcel-tracking.net/track-trace/track_97d899969188667e28e4b4578bdbfe3a.zip
- http://csi.efatura-turkcell.org/amserver/UI/fatura_938e5e06af8a595faf700a0f1e1e5765.zip
- http://csi.efatura-turkcell.net/amserver/UI/fatura_6a28ff001a41304c559956f39f53a3ec.zip
The iframes redirecting to affiliate sites look like this (landing page => redirect target):
- http://www.parcel-tracking.net/track-trace/div.php => http://eebeixee.aerameis.com:8000/rkfnpmymyqfet?tqrppmv=6614810 (IP 212.83.170.14)
- http://csi.efatura-turkcell.net/amserver/UI/6r3k412v585b.php => http://jaivohpo.aerameis.com:8000/stppe?tcpbm=4984420 (IP 212.83.170.14)
- http://csi.efatura-turkcell.org/amserver/UI/rxgfna7qfunxeo.php => http://eichohng.aerameis.com:8000/rvegnykbh?tkdfntudnsub=4984420 (IP 212.83.170.14)
It is probably recommended to block all of *.aerameis.com.
Execution of the ransomware
When the ransomware is executed, it immediately starts encrypting all files it finds on the local hard drive and/or on available network shares. Encryption is performed with a randomly generated key. The same key is used for all the files. For each encrypted file a new file is created with the original file name and the extension ".encrypted" (or ".sifreli" in the Turkish language mutation). When the encryption has done enough damage and/or after a reboot of the machine, the ransom message is displayed as an annoying pop-up window which is not possible to kill. The same message is also displayed as a wallpaper image on the desktop.
The same message is also written to every folder with encrypted files as a new file PLEASE_READ.inf (in the Turkish version it is LUTFEN_OKUYUN.inf).
Hello,
I am an IT specialist, I research system vulnerabilities and make profit by selling them. I have found one vulnerability in your system and hacked it. I have copied all valuable data from this PC and from your computer network. Then I have encrypted the files and if you are willing to decrypt them you need to buy a decryption key from me. Here is my contact:
e-mail: it-specialist@mail.ua
You have 3 days to purchase the decryption key, otherwise some of your sensitive data may be published on the internet and your system will not get decrypted.
Information for IT specialists:
1. Anti-virus will delete encryption program but will not decrypt the data. Using system restore point will not help you to recover the data.
2. Data was encrypted with AES (Rijndael) algorithm (256 bit). Encryption key was encrypted with RSA (2048 bit) algorithm. This is extremely secure cryptography technique, around 1000 year time period will be required to break it, so do not try to do it.
---- Encrypted Session Key Begin ----
---- Encrypted Session Key End ----
Crypto
The files seem to be encrypted with an algorithm with a 128-bit block size. This can be judged based on the padding (not) used. The entropy of the encrypted files is very high, very close to 8 bits per byte. This could very well be AES (128-bit block size) with a 256-bit key, as claimed by the attackers. A unique key seems to be generated for each run of the malware and is used until the files are encrypted.
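As an added example (not the author's tooling), a small Python triage script that checks the indicators from the "Execution of the ransomware" section (renamed files and the dropped PLEASE_READ.inf / LUTFEN_OKUYUN.inf notes) and applies the reasoning of this paragraph: byte entropy near 8 bits and ciphertext lengths that are multiples of the block size, with padding overhead narrowing the candidates when the original file sizes are known. The sample directory it builds is constructed data, and PKCS#7-style padding is an assumption; the post only says the padding points at a 128-bit block.

```python
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Indicators from the post: the extension appended to encrypted files and the
# ransom note dropped into every affected folder (English and Turkish variants).
ENCRYPTED_EXTS = (".encrypted", ".sifreli")
RANSOM_NOTES = ("PLEASE_READ.inf", "LUTFEN_OKUYUN.inf")

def shannon_entropy(data):
    """Shannon entropy in bits per byte; block-cipher output sits very close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def block_size_candidates(ct_lengths, pt_lengths=None, sizes=(8, 16, 32)):
    """Block sizes that divide every ciphertext length. When the original lengths
    are known too, PKCS#7-style padding (1..block_size bytes, assumed) pins one."""
    pairs = list(zip(pt_lengths or [], ct_lengths))
    return [bs for bs in sizes
            if all(ct % bs == 0 for ct in ct_lengths)
            and all(1 <= ct - pt <= bs for pt, ct in pairs)]

def scan_tree(root):
    """{folder: {"notes": [...], "encrypted": [(name, size, entropy), ...]}} for hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        notes = [f for f in files if f in RANSOM_NOTES]
        enc = []
        for f in files:
            if f.lower().endswith(ENCRYPTED_EXTS):
                data = Path(dirpath, f).read_bytes()
                enc.append((f, len(data), round(shannon_entropy(data), 3)))
        if notes or enc:
            hits[dirpath] = {"notes": notes, "encrypted": enc}
    return hits

def build_sample_tree():
    """Constructed demo files (not real victim data) in a fresh temp directory:
    a ransom note, a 4112-byte pseudo-random '.encrypted' file, a plain text file."""
    root = Path(tempfile.mkdtemp(prefix="sifreli_demo_"))
    rng = random.Random(7)
    (root / "PLEASE_READ.inf").write_bytes(b"ransom note placeholder\n")
    blob = bytes(rng.getrandbits(8) for _ in range(4112))
    (root / "report.docx.encrypted").write_bytes(blob)
    (root / "notes.txt").write_bytes(b"plain text, never touched\n" * 40)
    return str(root)
```

Run scan_tree on a suspect share to list affected folders, then feed the reported sizes (and, if backups give you the original sizes, the plaintext lengths) to block_size_candidates.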
First Seen       | Sample MD5 | File Name                                   | Mutex | pehash | imphash
2014-02-24 23:26 |            | information.exe                             | Y     |        |
2014-02-24 14:55 |            | Tracking_information.exe                    | Y     |        |
2014-02-24 12:47 |            | tracking_information.exe                    | N     |        |
2014-02-20 06:36 |            | 20140220_1032_DEWA_bill.exe                 | Y     |        |
2014-02-17 22:38 |            | fatura_878f1e09a51d2906c8d53fb468937636.zip | N     |        |
2014-02-17 14:27 |            | 20140217_2338_fatura.exe                    | Y     |        |
2014-02-17 09:56 |            | fatura.exe                                  | N     |        |
2014-02-11 12:47 |            | fatura.exe                                  | N     |        |
Another wave:
http://forum.avast.com/index.php?topic=147401.0
There is also a sample on VT and Malwr.com.
Another sample found on Total hash: http://totalhash.com/analysis/e85ee2879a21b3f7057d1be95b372a035c99c6c7
Hi, PLEASE_READ.inf suggests that user data (files) may be copied (stolen). Have you witnessed this happening? Or is there any evidence to suggest that this may happen?
Hello,
I can't confirm or deny that.
The data-stealing behaviour did not show in my test lab setting, but in my setup the networking is quite limited and there is a good chance that with a direct connection to the internet the malware could behave differently.
Mik