Wednesday, February 28, 2018

Is it possible for internet service provider to serve popup ads in the user machine?

The answer is yes it is possible. Many shady ISPs are already serving popup ads to their customers. Initially, the user may receive a non-malicious popup ad, and ask the user to submit the email id to receive bills via email. After that, the users will receive more such ads and end up in the suspicious popup ads.

How to find your ISP perform shady popup ads?

Users can find the popup ads in the web browser when they connect their handheld devices, smartphones, and laptops to a particular network but when they connect to other networks they would not observe any popup ads. So we determine that ISP is the culprit.

How to block these ads?

The best option is to install adblocker products at the browser level. Several adblocking plugins available for the popular browsers.
In ISP level, we recommend filtering options in the router's access management which will stop such popup ads by ISP provider.

Post by
newWorld

Wednesday, February 21, 2018

Analysis of Foreign Ransomware

Analysis

Hash of the File: 232ca9cefd0b1b0d2cc11c11090124720cbf90778210e30c3e9f8841512dfd22
File type: EXE file


Static analysis


This ransomware code starts checking for running OS platform details and the conditions failed then it triggers Dr. Watson error. It then retrieves a handle to the current window station for the calling process using “GetProcessWindowStation”. The code again to query the details of WinMajor details and if the condition fails then it triggers Dr Watson error.
  call    __get_winmajor
.text:3A2F8D8D                 add     esp, 4
.text:3A2F8D90                 push    eax
.text:3A2F8D91                 call    __invoke_watson_if_error
.text:3A2F8D96                 add     esp, 18h


Further it retrieves the GetActiveWindow and uses the “GetLastActivePopup ()” to Determines which pop-up window owned by the specified window was most recently active.



Retrieving volume details:
     call    ds:SetErrorMode
.text:3A2E34FF                 push    0C8h            ; cchBufferLength
.text:3A2E3504                 lea     eax, [ebp+68h+RootPathName]
.text:3A2E3507                 push    eax             ; lpszVolumeName
.text:3A2E3508                 call    ds:FindFirstVolumeW
.text:3A2E350E                 push    offset aVolumes ; "\nVolumes:\n"
.text:3A2E3513                 call    _wprintf
.text:3A2E3518                 lea     eax, [ebp+68h+RootPathName]
.text:3A2E351B                 pop     ecx
.text:3A2E351C                 mov     dword_3A31E898, esi
.text:3A2E3522                 lea     ecx, [eax+2]

Ransomware needs find the volume details and then proceed for encrypting the file. Malware code retrieving FindFirstVolume+FindNextVolume gives all the volumes present including Windows reserved and system recovery partition. The return value is a unique GUID for the volume which can also be found in registry (HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume).




Observed behavior

File created: "%APPDATA%\info.exe

Looking for the following processes to terminate:
"taskkill /f /im oracle.exe"
"taskkill /f /im sqlite.exe"
"taskkill /f /im sql.exe"

Deleting Volume shadow copy to not allowing the backup restoring functionalities in the windows system:

"vssadmin.exe" with commandline "Delete Shadows /All /Quiet"



Auto-start registry entry:

Key: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"

 Value: "ENCRYPTER"

Physical location of the file matches: "%APPDATA%\info.exe"


Key: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"

Value: "USERINFO"

"%APPDATA%\recovery.txt"

  
These registry entries are to maintain the persistence of the malware in the infected system.



Ransom Notes:

"Hello!All your files have been encrypted by usIf you want restore files write on e-mail – fileskey(at)qq(.)com or fileskey(at)cock(.)li"


hxxp://qq(.)com

Sunday, February 18, 2018

Analysis of New variant of Ransomware in Development stage

OVERVIEW

This week we spotted a new variant ransomware in the development stage. Currently, it appeared to be testing phase and very less AV vendors flag this sample. We dubbed this ransomware as ‘Target ransomware’. In this post, our team analyzed this ransomware variant.

Sample Details
File Hash (SHA-256):
5aac7c3cbfdef10e36e779a3b331fee0666898587c6a82ed7b0804c6d9fb16cd
File Size: 181248 bytes
PE type: EXE
Packer: UPX packer

Sample

We searched this sample in VirusTotal and it found to be first uploaded from Japan. And no major AV flagged this sample at the time of writing.

Figure 1 Detection rate in VT

Figure 2 First Submission of this sample - from Japan

First Submission detail says that sample was uploaded from Japan it is not sure that whether the sample developed in Japan or targeted in testing phase against Japan. We checked the strings and most of them are junk and not readable. So we need to unpack the ransomware sample first.



Current status

Appends ".ransomwared" extension. Encrypts only "Documents/target.txt" for now. So currently it didn't encrypt any other files in the system.



Operating system - Part 1:

 In our blog, we published several articles on OS concepts which mostly on the perspective for malware analysis/security research. In few in...