Tuesday, 22 September 2015

TeslaCrypt 2.1 Analysis: Cracking "Ping" Message

At the beginning of September 2015, we discovered a new version of TeslaCrypt, 2.1, in a customer's network. The sample (MD5: b10d45335b8de97e6bc1d5cc9449c323) was poorly detected by the majority of AV signature engines on VirusTotal. The detection rate was 4/57, which can be explained by the code obfuscation used, which proved its efficiency. The previous version, TeslaCrypt 2.0, was already well described by Kaspersky Lab, so in this post we will use the same naming convention for the encryption keys as on Securelist.

TeslaCrypt 2.1 now sends extra information in the C&C request in encrypted form. The list of domains used as “gates”, together with a corresponding Yara rule, will be presented below, as well as the mechanism used to encrypt the data sent to the remote server, which has not yet been explained anywhere.

Thursday, 12 January 2012

List of Services

We are a security research team of skilled malware analysts, located in Ukraine, with 10+ years' experience in the antivirus industry.

We deliver:
  • Threat intelligence data (Yara rules, Network IoCs, IDS/IPS rules, C&C links, others)
  • Malware analysis reports
  • Machine learning algorithms to detect 0-day threats
We provide security services and solutions:
  • Malware analysis 24/7 including APT and ransomware
  • Security testing of security products
We teach:
  • Advanced Malware Analysis course (a 7.5 ECTS university course within the EU master's program in cybersecurity)
  • Reverse engineering (x86, ARM)
  • Threat hunting
  • Threat modeling
  • Cloud security
  • Incident response
  • Machine learning in cybersecurity
We collaborate with:
We were acknowledged by:
  • Microsoft for the analysis of:
    • MS10-061 Print Spooler Service (Stuxnet 0-day) Vulnerability  (CVE-2010-2729)
    • MS10-073 Win32k Keyboard Layout Vulnerability (CVE-2010-2743)
    • MS10-092 Task Scheduler Vulnerability (CVE-2010-3338)
Publications:
  1. A security model of individual cyberspace / A. Adamov, V. Hahanov // Proc. of IEEE EWDTS, September 19–20, 2011. – Sevastopol, 2011. – P. 169–172.
  2. Analysis and Detection of Polymorphic Spyware / Adamov A, Saprykin A // Hakin9 Magazine, Vol. 8 № 01, Issue 01/2013 (61), ISSN: 1733-7186. – P. 6–11.
  3. Discovering New Indicators for Botnet Traffic Detection / A. Adamov, V. Hahanov, A. Carlsson // Proc. of IEEE EWDTS, September 26–29, 2014, Kiev, Ukraine. – Kiev, 2014. – P. 281–285.
  4. Method of attribute-based URL recognition using frequency patterns / A.S. Adamov, V.I. Hahanov // Bulletin of the State Engineering University of Armenia, Yerevan, 2014, Issue 17, No. 2. – P. 59–66 (UDC 681.326: 519.713).
  5. Structures for information retrieval in big data / Hahanov V, Chumachenko S, Litvinova E, Adamov A et al // Proc. of the 13th International Conference Experience of Designing and Application of CADSM (CADSM'2015), Lviv, Ukraine, 2015. – P. 70–75.
  6. A Sandboxing Method to Protect Cloud Cyberspace / Adamov A, Carlsson A // Proc. of IEEE EWDTS, September 27–30, 2015, Batumi, Georgia. – P. 180–183.
  7. Android Ransomware: Turning CryptoLocker into CryptoUnlocker / Adamov A // Proc. of the 25th Virus Bulletin International Conference, Prague, Czech Republic, 30 Sep – 2 Oct 2015. – P. 220–223.
  8. Detecting targeted attacks in the cloud / Adamov A // OpenStack Summit, Vancouver, Canada, 18–22 May 2015.
  9. Using Open Source Security Architecture to Defend against Targeted Attacks / Alexander Adamov, Dan Lambright // OpenStack Summit, Austin, TX, US, April 25–29, 2016.
  10. Cloud incident response model / Alexander Adamov, Anders Carlsson // IEEE EWDTS, October 14–17, 2016, Yerevan, Armenia. – P. 250–253.
  11. The State of Ransomware. Trends and Mitigation Techniques / Alexander Adamov, Anders Carlsson // Proc. of IEEE East-West Design & Test Symposium (EWDTS’2017), Sep 29 – Oct 2, 2017, Belgrade, Serbia. – P. 121–128.
  12. Battlefield Ukraine: finding patterns behind summer cyber attacks / Adamov A, Carlsson A // Proc. of the 27th Virus Bulletin International Conference, Madrid, Spain, 4–6 Oct 2017. – Appendix: Last-minute presentations, P. 4–5.
etc.

Find more in Google Scholar, Scopus, and IEEE Xplore.

Contact us: ada@nioguard.com