Friday 22 December 2017

VB2017 videos on attacks against Ukraine

Thanks to Virus Bulletin for giving me a chance to talk about the most destructive attacks of this year.
"(In)security is a global problem that affects every country in the world, but in recent years, none has been as badly hit as Ukraine. The most well known malware that affected the country is (Not)Petya, a ransomware/wiper threat that had global impact (it cost shipping firm Maersk alone $300m in lost revenues), but which hit Ukrainian businesses particularly hard. The malware spread through a compromised update pushed out by M.E.Doc's tax accounting software, which is popular in the country.
In a VB2017 presentation, NioGuard's Alexander Adamov, himself based in Ukraine, discussed how (Not)Petya and related attacks worked and what impact they had. We have now uploaded the video of his presentation to our YouTube channel."

Read more:

Friday 27 October 2017

Bad Rabbit Ransomware or Evolution of NotPetya

BadRabbit, launched on the morning of Tuesday, October 24, 2017, was delivered through drive-by downloads of a fake Adobe Flash Player installer from hacked websites. The installer carried a Symantec digital certificate and went almost undetected, with a detection rate of 1 out of 65 on VirusTotal. Since Bad Rabbit shares a similar set of features and code snippets with the NotPetya wiper, it can be considered a new version of it, supposedly created by the same author. In the new version, the legitimate DiskCryptor driver is used to install the bootloader and encrypt the hard disk volumes covertly.

Main outcomes:
  • BadRabbit is a new version of NotPetya, supposedly written by the same author;
  • It is a cryptolocker: the computer can be unlocked and the data decrypted only by paying 0.05 BTC;
  • Unlike NotPetya, this is not a targeted attack;
  • BadRabbit spreads over the local network using the EternalRomance exploit for SMBv1, WMI, WebDAV, and brute force with simple passwords over NTLMSSP;
  • BadRabbit uses the legitimate DiskCryptor driver.
Read the full report for more details.

Monday 2 October 2017

VB2017: Battlefield Ukraine

This summer, Ukraine unwillingly became the battlefield between hacker group(s) with supposedly Russian roots and the antivirus industry. This is not the first time Ukraine has attracted the attention of cyber security experts: suffice it to recall the several waves of cyber attacks against Ukrainian critical infrastructure using the BlackEnergy [1] and Industroyer [2,3] industrial malware, supposedly created by a Russian hacker group.

Thursday 14 September 2017

Facebook video scam continues spreading undetected

Facebook and Google Docs continue to be used by scammers as delivery channels for malware and adware.

In October 2016, Facebook users were sent links to supposedly adult videos [1] that could be played from a fake YouTube portal only after the target downloaded and installed a malicious Video Plugin.

In August 2017, the same attack vector was used to spread adware [2].

And today, I saw the following message on my Facebook, which arrived from the hacked mobile Facebook app of one of my former students. In addition to the message, I and other friends of the victim were tagged in a comment on the post with a fake video.

Thursday 10 August 2017

Serpent Ransomware Analysis

The new Octopus cryptolocker, an offspring of the Serpent/Zyklon/WildFire/HadesLocker families, shows that .NET ransomware is not necessarily easy meat for a reverse engineer. It leverages several types of obfuscation, code encryption, and anti-debugging to protect its C# code from decompilation and analysis.

Monday 7 August 2017

Spora Ransomware Analysis

Similar to Cerber (Ferber) ransomware, Spora has its own intricate encrypted-file format and does not encrypt the whole file. The encryption block size varies depending on the file size.

Friday 28 July 2017

New variant of Cerber ransomware (Ferber) analyzed

This summer Cerber is on duty. It arrives via spear-phishing emails and bypasses antiviruses by leveraging polymorphic encryption and API call obfuscation. The cryptolocker can easily be customized for every target by embedding JSON-formatted configuration data encrypted with RC4-128 (the decrypted config for cfd2d6f189b04d42618007fc9c540352 is on GitHub). The file encryption scheme used by Cerber, 'master RSA-2048 key' -> 'session RSA-880 key' -> 'per-file RC4-128 key', is not breakable. Cerber scans the IP ranges specified as CIDRs in the config for the C&C server.
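As an added illustration for this post (not Cerber's own code, and not its real configuration), the Python below does the two analyst-side steps the paragraph implies: it decrypts an RC4-128-encrypted JSON config blob with a key recovered from the sample, and expands the CIDR ranges listed in the config into the individual addresses that a scan for the C&C server would cover. The 16-byte key, the config keys ("c2_cidrs") and the blob are constructed here; the real Cerber config layout is not shown on this page. The RC4 routine is checked against the public "Key"/"Plaintext" test vector, so a wrong key shows up as a JSON parse failure rather than as silently wrong output.

```python
import ipaddress
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed sample: a 16-byte (RC4-128) key and a small JSON config.
# Both are made up for this example; they are not Cerber's.
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_CONFIG = {
    "campaign": "example",
    "c2_cidrs": ["192.0.2.0/29", "198.51.100.16/30"],
}
SAMPLE_BLOB = rc4(SAMPLE_KEY, json.dumps(SAMPLE_CONFIG).encode())


def decrypt_config(blob: bytes, key: bytes) -> dict:
    """Decrypt an RC4-encrypted config blob and parse it as JSON.

    A wrong key yields bytes that json.loads rejects, so a failed parse is
    the sanity check that the key pulled out of the sample is the right one.
    """
    plain = rc4(key, blob)
    try:
        return json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("RC4 key is wrong or blob is not a config") from exc


def c2_scan_targets(config: dict) -> list:
    """Expand the CIDRs from the config into the host addresses a scan would hit."""
    targets = []
    for cidr in config["c2_cidrs"]:
        net = ipaddress.ip_network(cidr, strict=False)
        targets.extend(str(ip) for ip in net.hosts())
    return targets


if __name__ == "__main__":
    cfg = decrypt_config(SAMPLE_BLOB, SAMPLE_KEY)
    print(cfg)
    print(len(c2_scan_targets(cfg)), "addresses to scan")
```

When applying this to a real sample, the blob and key come from the unpacked binary; the JSON parse error is what tells you the key or the blob offset is off.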

Wednesday 12 July 2017

Targeted attack with PowerShell ransomware comes undetected

An undetected PowerShell ransomware was used to attack a popular German car dealer. The attack was launched through a spear-phishing email that looked like a mail delivery notification.

Saturday 8 July 2017

New Cyber Security Course for Master Students

I'm happy to announce that the new Advanced Malware Analysis course I've been working on for eight years is coming out soon as part of the EU academic project ENGENSEC, financed by the European Commission. In light of the recent nation-state cyber attacks, I'm glad to be involved in educating the next generation of cybersecurity experts able to counteract cyber attacks at any level.

Wednesday 5 July 2017

Comparing MEDoc backdoors in 176, 186, and 189 updates

To complement Anton Cherepanov's analysis of the Telebot backdoor, I decided to compare the backdoor functionality of different MEDoc versions to figure out which of my personal data might already have been leaked from the MEDoc installation I currently use.

Friday 30 June 2017

The WannaCry-like ransomware attack against Ukraine via MEDoc preceding EternalPetya/NotPetya

This week, MalwareHunterTeam discovered the next ransomware clone after XData that targeted Ukrainian users, presumably through MEDoc software updates, on Monday (June 26, 2017), the day before EternalPetya/NotPetya was launched (June 27, 2017). The new ransomware is a .NET version of WannaCry. It has a 'kill process to unlock file' feature, seen for the first time in ransomware, and a bug that reduces its destructive power, allowing the cryptolocker to harm only network drives. Let us take a look under the hood.

Wednesday 28 June 2017

EternalPetya / NotPetya Ransomware Analysis

The new modification of Petya, which we named EternalPetya (because it uses the EternalBlue and EternalRomance exploits), caused a surprisingly big infection outbreak in Ukraine and Russia.

Tuesday 6 June 2017

Chthonic Trojan is back in nation-state cyberattack against Ukraine

Recently, we discovered a nation-state cyber attack against a government institution in Ukraine.
The attackers sent a spear-phishing email containing an archived JavaScript file used to download and execute the Chthonic backdoor, which belongs to the Zeus family.

Saturday 3 June 2017

XData ransomware attacked users in Ukraine

On May 18, the author(s) of XData ransomware ran a massive attack against Ukrainian users, supposedly leveraging the EternalBlue exploit as well as ordinary spear-phishing email delivery. A week later, an anonymous user, supposedly the author of the AES-NI ransomware that XData is based on, released the master private key. XData decryption tools are now available. We analysed the XData code and found two host-based 'kill switches', one of which checks for an antivirus running on the infected machine.

Wednesday 17 May 2017

Ransomware Protection Test - April 2017

During the last decade, ransomware (cryptolockers) has shown sustained growth that can be explained by an effective business model incorporating an anonymous payment system (Bitcoin) and an anonymity network (Tor). This allows attackers to remain untraceable and unpunished in their criminal activities.

In this regard, antiviruses and backup solutions exist to protect you against ransomware and to eliminate the consequences of an infection. However, based on our incident investigation experience, most ransomware infections in organizations happened with an antivirus installed and turned on. This can be explained by the fact that new ransomware variants employ polymorphic encryption with code obfuscation [1], broken PE headers [2], and scripting languages [3, 4]. All of these help attackers bypass signature-based antivirus protection, leaving behavior blockers and anti-ransomware solutions as the last line of defense. Therefore, it is essential to test security solutions by simulating real-world ransomware attacks.

First, we tried the RanSim ransomware simulation software made by KnowBe4 [5] to verify whether an antivirus can block a ransomware attack. However, RanSim has several limitations. The principal one is that antiviruses block the RanSim executables up front, using simple blacklists, before the actual test scenarios are run. The question then arises as to how to bypass antivirus signature protection so that the ransomware test scenarios exercise only the antivirus behavior blocker or anti-ransomware protection.

To solve the problem of testing anti-ransomware solutions, we looked into successful real-world ransomware attacks to find the techniques that help malware go unnoticed. As a result, we created a ransomware testing framework called NioCryptoSim [6], written mostly in Python. The test suite includes three false positive tests and 15 tests simulating the basic cryptolocker functions, as well as complete models imitating the behavior of some real-world ransomware.
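To make the idea of an outcome-based ransomware test concrete, here is an added example written for this page (it is not NioCryptoSim's code). It plants decoy documents in a scratch directory, runs one scenario against them, and derives the verdict from what survived on disk rather than from whether the scenario's executable was recognized: a 'cryptolocker' scenario that overwrites the decoys in place, renames them and drops a note, and a 'false positive' scenario that only reads them to build an archive. The encryption is a one-time XOR with os.urandom, a stand-in chosen so the scenario depends on no third-party library; the verdict labels are this example's own.

```python
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path


def plant_decoys(root: Path, count: int = 5) -> dict:
    """Create decoy documents and remember their SHA-256 digests."""
    digests = {}
    for i in range(count):
        p = root / f"report_{i}.docx"
        p.write_bytes(f"constructed decoy document {i}\n".encode() * 64)
        digests[p.name] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def cryptolocker_scenario(root: Path) -> None:
    """Base cryptolocker behaviour: read, overwrite in place, rename, drop a note."""
    for p in list(root.glob("*.docx")):
        data = p.read_bytes()
        pad = os.urandom(len(data))            # one-time XOR stand-in for AES
        p.write_bytes(bytes(a ^ b for a, b in zip(data, pad)))
        p.rename(p.parent / (p.name + ".locked"))
    (root / "HOW_TO_DECRYPT.txt").write_text("constructed ransom note\n")


def false_positive_scenario(root: Path) -> None:
    """Legitimate bulk activity: many files read, a new one written, none destroyed."""
    with zipfile.ZipFile(root / "backup.zip", "w") as zf:
        for p in root.glob("*.docx"):
            zf.write(p, arcname=p.name)


def run_scenario(scenario, malicious: bool) -> dict:
    """Run one scenario on fresh decoys and judge it by what is left on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        before = plant_decoys(root)
        interrupted = None
        try:
            scenario(root)
        except OSError as exc:                 # e.g. access denied when a blocker intervenes
            interrupted = type(exc).__name__
        harmed = [
            name for name, digest in before.items()
            if not (root / name).exists()
            or hashlib.sha256((root / name).read_bytes()).hexdigest() != digest
        ]
        if malicious:
            if not harmed:
                verdict = "blocked"
            elif interrupted:
                verdict = "partially blocked"
            else:
                verdict = "not blocked"
        else:
            verdict = "false positive" if interrupted else "no false positive"
        return {
            "scenario": scenario.__name__,
            "decoys": len(before),
            "harmed": len(harmed),
            "interrupted": interrupted,
            "verdict": verdict,
        }


if __name__ == "__main__":
    print(run_scenario(cryptolocker_scenario, malicious=True))
    print(run_scenario(false_positive_scenario, malicious=False))
```

On a machine with no protection the first scenario reports every decoy harmed and "not blocked"; a behavior blocker that reacts to the overwrite-and-rename pattern should leave the decoy digests intact. In a real harness each scenario runs in its own process, since a blocker usually terminates the offending process rather than returning an error to it; the in-process try/except here only catches the access-denied errors raised when a product locks or quarantines the decoys.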

Using the NioCryptoSim testing framework, we tested 22 top antiviruses and one backup solution with anti-ransomware protection from Acronis.

See the full report by the link.

Monday 15 May 2017

WannaCry 2.0: Indicators of Compromise

WannaCry (WannaCryptor) is probably becoming the most notorious cryptolocker in the history of ransomware. It has nothing new in terms of file encryption (RSA + AES using MS CryptoAPI), but it uses the MS17-010 vulnerability (a.k.a. ETERNALBLUE, as named by the NSA) to propagate through local networks over the Server Message Block (SMB) protocol as a network worm, resulting in thousands of infections of Windows machines that have not yet been updated.

Tuesday 2 May 2017

Targeted attack against the Ukrainian military

One more targeted attack against Ukraine used spear phishing to deliver the DarkTrack backdoor through a fake directive of the Minister of Defense of Ukraine. The target is the CERT in the military domain.

Monday 3 April 2017

Thursday 30 March 2017

New Shade cryptolocker confuses analysis tools with 'MS-DOS EXE' file type

A new build of Shade (Troldesh) ransomware comes with a broken PE header that makes PE analysis tools recognize it as a non-executable 'MS-DOS EXE' file. As a result, the detection rate on VirusTotal is 1/59.
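An added example, not from the original post, of the decision a file-type identifier makes and of how to get past it: a file is labelled 'PE' only when the MZ stub's e_lfanew field (offset 0x3C) points at the 'PE\0\0' signature, and 'MS-DOS EXE' when MZ is present but that pointer leads nowhere useful. The page does not say which header field the Shade build broke, so the broken sample below (an e_lfanew pointing past the end of the file) is only one assumed way such a label can go wrong; the fallback scans for a signature followed by a plausible COFF machine field and repairs the pointer so ordinary PE tools can parse the file again. The sample images are constructed in the block.

```python
import struct

PE_SIG = b"PE\x00\x00"


def classify(data: bytes) -> str:
    """Mimic the basic check a file-type tool makes on the DOS/PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not an executable"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_SIG:
        return "PE"
    return "MS-DOS EXE"


def find_pe_signature(data: bytes) -> int:
    """Locate a PE signature regardless of e_lfanew; -1 if there is none.

    Scan past the 0x40-byte DOS header and accept a hit only when the COFF
    machine field right after it is x86 (0x014c) or x64 (0x8664).
    """
    pos = data.find(PE_SIG, 0x40)
    while pos != -1:
        if pos + 6 <= len(data):
            machine = struct.unpack_from("<H", data, pos + 4)[0]
            if machine in (0x014C, 0x8664):
                return pos
        pos = data.find(PE_SIG, pos + 1)
    return -1


def repair_e_lfanew(data: bytes) -> bytes:
    """Return a copy with e_lfanew pointed at the recovered PE signature."""
    pos = find_pe_signature(data)
    if pos == -1:
        raise ValueError("no PE signature found")
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, 0x3C, pos)
    return bytes(fixed)


def build_sample(e_lfanew: int) -> bytes:
    """Constructed minimal image: 0x40-byte MZ stub, padding, then 'PE\\0\\0' + x86 COFF header at 0x80."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = b"\x00" * 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + stub + PE_SIG + coff


GOOD_SAMPLE = build_sample(0x80)       # e_lfanew correctly points at 'PE\0\0'
BROKEN_SAMPLE = build_sample(0xFFFF)   # e_lfanew points past the end of the file


if __name__ == "__main__":
    print(classify(GOOD_SAMPLE), classify(BROKEN_SAMPLE))
    print(hex(find_pe_signature(BROKEN_SAMPLE)), classify(repair_e_lfanew(BROKEN_SAMPLE)))
```

The practical point for triage: a 'MS-DOS EXE' verdict from a static tool says nothing about whether Windows will run the file, so a sample with an MZ magic and a recoverable signature deserves the same scrutiny as a clean PE.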

Wednesday 22 March 2017

Fake bills deliver Crypt0L0cker in Sweden

After revealing the fake emails with finance-related information from banks and the Tax Office in Ukraine delivering ransomware, we found a similar attack running in Sweden. The archive, allegedly containing a bill, was placed on Dropbox and contains the latest version of Crypt0L0cker (a.k.a. TorrentLocker).

Friday 17 March 2017

Shade ransomware comes through billing notifications

During the last week we have been seeing numerous infections by the new version of the Shade cryptolocker in Ukraine. Shade leverages a cheap and effective email delivery channel. The attack is run with the help of fake emails sent on behalf of Ukrainian financial institutions (e.g. PrivatBank, the Ukrainian Tax Office) from hacked email accounts, most of which belong to organizations in the TLD. The subject of these emails is bills or debts that the victim needs to pay.

Wednesday 15 February 2017

Targeted Attack on the National Police of Ukraine

According to an .eml file uploaded to VirusTotal today, unknown attackers tried to run a targeted attack on the National Police of Ukraine.

The email (MD5: bec01fe3b14b3da507a6a4c5c698e8ed) was sent to with the fake login page attached as an html file (MD5: 5dca48afe347db9e9f9cab9c824c122d) a week ago.

Thursday 2 February 2017

Decrypting DeriaLock

Recently, our laboratory analyzed a new version of DeriaLock (MD5: 0a7b70efba0aa93d4bc0857b87ac2fcb).

This version of DeriaLock is unique for two reasons. First, it demands a ransom of 30 USD/EUR paid to a Skype account. Second, DeriaLock combines three types of functionality within a single attack: SystemLocker, CryptoLocker, and FileKiller.

If you managed to remove the DeriaLock infection and keep your encrypted files, you can now start decrypting your documents using the encryption key and initialization vector calculated by our script from the password string extracted from the analyzed version of DeriaLock:

AES-256 key: 9c9e1ba2ee5b86494b7e1ebba6420ee6ab64ce6d678604eb5b5049b210693743
IV: 9fa4ed4d89b04ee7f3b74c9b46588e18

To decrypt '.deria' files, you can use the OpenSSL tool, specifying the discovered key and initialization vector. For example:
openssl aes-256-cbc -d -in photo.png.deria -K 9c9e1ba2ee5b86494b7e1ebba6420ee6ab64ce6d678604eb5b5049b210693743 -iv 9fa4ed4d89b04ee7f3b74c9b46588e18 -out photo.png
Or use our Python script or executable to decrypt all '.deria' files found on your computer.
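The batch form of the command above, as an added example written for this page rather than the lab's own script: it walks a directory tree for '.deria' files, runs the same openssl command on each with the key and IV given above, and keeps the '.deria' copy unless openssl reports success, so a file that was not actually produced with this key/IV (openssl then fails its padding check) is left untouched rather than replaced by garbage. It assumes the openssl binary is on PATH; the demo data is constructed here by encrypting a sample file with the same key and IV.

```python
import subprocess
import tempfile
from pathlib import Path

# Key and IV recovered from the analyzed DeriaLock sample (from the post above)
KEY = "9c9e1ba2ee5b86494b7e1ebba6420ee6ab64ce6d678604eb5b5049b210693743"
IV = "9fa4ed4d89b04ee7f3b74c9b46588e18"


def openssl_cbc(mode: str, src: Path, dst: Path) -> bool:
    """Run openssl enc -aes-256-cbc (mode '-d' or '-e') with the DeriaLock key/IV."""
    cmd = ["openssl", "enc", "-aes-256-cbc", mode, "-K", KEY, "-iv", IV,
           "-in", str(src), "-out", str(dst)]
    proc = subprocess.run(cmd, capture_output=True)
    return proc.returncode == 0          # non-zero on bad padding / wrong key


def decrypt_deria_tree(root: Path, delete_encrypted: bool = False) -> dict:
    """Decrypt every *.deria file under root. Returns {encrypted path: 'ok' | 'failed'}."""
    results = {}
    for enc in sorted(root.rglob("*.deria")):
        plain = enc.with_name(enc.name[:-len(".deria")])   # photo.png.deria -> photo.png
        if openssl_cbc("-d", enc, plain):
            results[str(enc)] = "ok"
            if delete_encrypted:                             # opt-in: keep originals by default
                enc.unlink()
        else:
            plain.unlink(missing_ok=True)    # never leave a truncated half-decrypt behind
            results[str(enc)] = "failed"
    return results


def demo() -> tuple:
    """Constructed round trip: encrypt a sample with the same key/IV, then recover it.

    Also plants a '.deria' file that DeriaLock did not produce to show it is
    reported as failed and left in place.
    """
    sample = b"constructed sample file contents\n" * 4
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "photo.png").write_bytes(sample)
        if not openssl_cbc("-e", root / "photo.png", root / "photo.png.deria"):
            raise RuntimeError("openssl encryption of the sample failed")
        (root / "photo.png").unlink()
        (root / "other.txt.deria").write_bytes(b"not produced by DeriaLock")
        results = decrypt_deria_tree(root)
        recovered = (root / "photo.png").read_bytes()
        return (
            recovered == sample,
            results[str(root / "photo.png.deria")],
            results[str(root / "other.txt.deria")],
            (root / "other.txt.deria").exists(),
        )


if __name__ == "__main__":
    print(demo())
```

Run it against a copy of the affected directory first; only once the recovered files open correctly is it worth passing delete_encrypted=True.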