By Raj Samani (@Raj_Samani) and Christiaan Beek (@ChristiaanBeek),
In the McAfee Labs Report published in November 2014, Senior Vice President Vincent Weafer commented that 2014 will be remembered as “the year of shaken trust”. Indeed almost every single threat measured saw notable increases in Q3 which pointed to a rather ominous 2015. There was however one notable exception; ransomware.
The above figure provided a respite against the threat of ransomware, but as predicted in the McAfee Labs threat predictions “Ransomware will evolve its methods of propagation, encryption, and the targets it seeks.”
For many, this prediction appears to be ringing true with the rise in Backdoor-FCKQ (aka known as CTB-Locker) being distributed via multiple channels including IRC, peer-to-peer networks, newsgroup postings, email spam, etc.
“Backdoor-FCKQ” is a new crypto malware delivered through email that encrypts data files present in the target system.
It copies itself to the following folder:
- %temp%< 7 random characters>.exe
It also creates job task containing random 7 random characters:
The following registry keys have been added to the system:
- %ALLUSERSPROFILE%Application DataMicrosoft<7 random characters>
It will inject code into svchost.exe and svchost.exe will launch file from the following:
- %temp%<7 random characters>.exe
The code injected into svchost.exe will encrypt files with following extension:
Once infected, the malware will display the following image on the system:
The newly created process create a mutex named:
An interesting angle in this new round of Backdoor-FCKQ malware is the usage of a well-known ‘Downloader’, known as Dalexis). There are several versions of this downloader around, a simple query in our internal database resulted in more than 900 hits of this downloader and variants of it. To circumvent anti-spam tools, the downloader is hidden in a zip file that contains a zip and eventually unpacks to a .scr (screensaver) file.
The function of the downloader is to download additional malware from certain locations, unpack the Xor coded malware and execute it. In this case the additional malware, the actual CTB’ was packed in a file called ‘pack.tar.gz’:
Figure 1 ‘pack.tar.gz’
As can be retrieved from the above screenshot, there’s no file-header present that represents a known file-type. For example if this was an executable file, the first two characters (aka the Magic Number’ would have been ‘MZ’. This is one of the ways in which malware authors try to circumvent gateway-detection of malware. Some other tricks we have seen a lot recently is to put the payload of the malware up on Pastebin or Github.
In this case, the ‘pack.tar.gz’ file was using different XOR keys for encrypting parts of the file, once this puzzle was cracked, the ‘unpacked’ code of ‘Backdoor-FCKQ’ is revealed:
Figure 2 Unpacked code of Backdoor-FCKQ
With multiple samples of Backdoor-FCKQ (CTB-Locker) as comparison material, immediately code parts were recognized.
As a quick Yara detection-rule, the following could be used:
While tracing the bitcoin trail and possible transactions, no value on the account was found and no transactions were made to other accounts.
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
A special thanks to Sanchit Karve for his assistance in the analysis.