2016-05-26 - ANGLER EK SENDS UPDATED VERSION OF CRYPTXXX RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-05-26-Angler-EK-sends-CryptXXX-both-pcaps.zip   2.0 MB (2,027,242 bytes)

• 2016-05-26-Afraidgate-Angler-EK-sends-CryptXXX.pcap   (1,101,070 bytes)
• 2016-05-26-pseudoDarkleech-Angler-EK-sends-CryptXXX.pcap   (1,115,419 bytes)

• ZIP archive of the malware and artifacts:  2016-05-26-Angler-EK-sends-CryptXXX-malware-and-artifacts.zip   464.6 kB (464,622 bytes)

• 2016-05-26-Afraidgate-Angler-EK-CryptXXX-decrypt-instructions.bmp   (3,686,454 bytes)
• 2016-05-26-Afraidgate-Angler-EK-CryptXXX-decrypt-instructions.html   (5,715 bytes)
• 2016-05-26-Afraidgate-Angler-EK-CryptXXX-decrypt-instructions.txt   (987 bytes)
• 2016-05-26-Afraidgate-Angler-EK-landing-page.txt   (102,905 bytes)
• 2016-05-26-Afraidgate-Angler-EK-payload-CryptXXX.dll   (176,128 bytes)
• 2016-05-26-Angler-EK-flash-exploit-vs-flash-21.0.0.213.swf   (67,386 bytes)
• 2016-05-26-page-from-brookslake.com-with-injected-pseudoDarkleech-script.txt   (52,364 bytes)
• 2016-05-26-pseudoDarkleech-Angler-EK-CryptXXX-decrypt-instructions.bmp   (3,686,454 bytes)
• 2016-05-26-pseudoDarkleech-Angler-EK-CryptXXX-decrypt-instructions.html   (5,715 bytes)
• 2016-05-26-pseudoDarkleech-Angler-EK-CryptXXX-decrypt-instructions.txt   (990 bytes)
• 2016-05-26-pseudoDarkleech-Angler-EK-landing-page.txt   (102,831 bytes)
• 2016-05-26-pseudoDarkleech-Angler-EK-payload-CryptXXX.dll   (176,128 bytes)

NOTES:

• Proofpoint's blog posts so far about CryptXXX ransomware can be found here and here.
• Background on the pseudoDarkleech campaign is available here.
• Background on the Afraidgate campaign is here.

• Looks like CryptXXX has been updated.  There are new artifacts and decrypt instructions.
• This time, rundll32.exe is copied to the AppData\Local\Temp without being renamed as svchost.exe like it was before.
• I saw snort-based rules from Talos and EmergingThreats still triggering on callback traffic from this new version of CryptXXX.
• I'm sure someone will provide a more in-depth analysis of the malware.  Meanwhile, you can view the screenshots in the images section of this blog entry.

Shown above:  Example of a user's AppData\Local\Temp folder when Angler EK sends CryptXXX.

 

TRAFFIC

Shown above:  Traffic from the Afraidgate Angler EK filtered in Wireshark using the filter: http.request or (tcp.port eq 443 and tcp.flags eq 0x0002).

Shown above:  Traffic from the pseudoDarkleech Angler EK filtered in Wireshark using the filter: http.request or (tcp.port eq 443 and tcp.flags eq 0x0002).

ASSOCIATED DOMAINS:

• 178.62.235.45 port 80 - word.bhandaridinesh.com.np - GET /view.js - Afraidgate campaign redirect
• 50.21.187.40 port 80 - luszniewicz.virtual-linux.net - Angler EK (Afraidgate campaign)
• 50.21.187.40 port 80 - leptoprosopyjabrewer.virtual-linux.net - Angler EK (pseudoDarkleech campaign)
• 85.25.194.116 port 443 - CryptXXX callback traffic (custom encoded, not SSL)

 

IMAGES

Shown above:  Lock screen when the CryptXXX infect kicks in.

 

Shown above:  HTML file to get to the decrypt instructions.

 

Shown above:  Windows desktop when it was rebooted.

 

Shown above:  Going to the site to pay the ransom, you'll have to enter your code.

 

Shown above:  Decrypt instructions (part 1 of 3).

 

Shown above:  Decrypt instructions (part 2 of 3).

 

Shown above:  Decrypt instructions (part 3 of 3).

 

Shown above:  Talos subscriber set singatures still cover callback traffic from the new CryptXXX.

 

Shown above:  ET PRO signatures also still cover callback traffic.

NOTE: I remove the indentification code from the post-infection traffic in my pcaps.  Because of that, I haven't been able to get any of the pcaps to trigger the above ETPRO alerts when using tcpreplay on Security Onion (with Suricata and the ETPRO ruleset).  The above image shows CryptXXX alerts from post-infection traffic before I sanitized the pcap.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-05-26-Angler-EK-sends-CryptXXX-both-pcaps.zip   2.0 MB (2,027,242 bytes)
• ZIP archive of the malware and artifacts:  2016-05-26-Angler-EK-sends-CryptXXX-malware-and-artifacts.zip   464.6 kB (464,622 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.