Viruses and Worms

WastedLocker: technical analysis

Kaspersky Securelist - 31 July 2020 - 13:00

The use of crypto-ransomware in targeted attacks has become an ordinary occurrence lately: new incidents are being reported every month, sometimes even more often.

On July 23, Garmin, a major manufacturer of navigation equipment and smart devices, including smartwatches and bracelets, experienced a massive service outage. As confirmed in an official statement later, the cause of the downtime was a cybersecurity incident involving data encryption. The situation was so dire that at the time of writing (July 29) the affected online services had not been fully restored.

According to currently available information, the attackers used a targeted build of the WastedLocker trojan. An increase in the activity of this malware was noticed in the first half of this year.

We have performed a technical analysis of a WastedLocker sample.

Command line arguments

It is worth noting that WastedLocker has a command line interface that accepts several arguments controlling the way it operates.

 -p <directory-path>

Priority processing: the trojan will encrypt the specified directory first, and then add it to an internal exclusion list (to avoid processing it twice) and encrypt all the remaining directories on available drives.

 -f <directory-path>

Encrypt only the specified directory.

 -u username:password \\hostname

Encrypt files on the specified network resource using the provided credentials for authentication.

 -r

Launch the following sequence of actions:

  1. Delete ;
  2. Copy to %WINDIR%\system32\<rand>.exe using a random substring from the list of subkeys of the registry key SYSTEM\CurrentControlSet\Control\;
  3. Create a service with a name chosen similarly to the method described above. If a service with this name already exists, append the prefix “Ms” (e.g. if the service “Power” already exists, the malware will create a new one with the name “MsPower”). The command line for the new service will be set to “%WINDIR%\system32\<rand>.exe -s”;
  4. Start this service and wait until it finishes working;
  5. Delete the service.

 -s

Start the created service, which will lead to the encryption of any files the malware can find.

UAC bypass

Another interesting feature of WastedLocker is its method of UAC bypass. When the trojan starts, it checks the integrity level it is running at. If this level is not high enough, the malware tries to silently elevate its privileges using a known bypass technique:

  1. Create a new directory in %appdata%; the directory name is chosen at random from the substrings found in the list of subkeys of the registry key SYSTEM\CurrentControlSet\Control\;
  2. Copy a random EXE or DLL file from the system directory to this new directory;
  3. Write the trojan’s own body into the alternate NTFS stream “:bin” of this system file;
  4. Create a new temporary directory and set its mount point to “C:\Windows ” (with a trailing whitespace) using the API function NtFsControlFile with the flag IO_REPARSE_TAG_MOUNT_POINT;
  5. Create a new subdirectory named “system32” inside the temporary directory. As a result of the previous step, this new subdirectory can equally be addressed as “%temp%\<directory_name>\system32” or “C:\Windows \system32” (note the whitespace);
  6. Copy the legitimate winsat.exe and winmm.dll into this subdirectory;
  7. Patch winmm.dll: replace the entry point code with a short fragment of malicious code whose only purpose is to launch the content of the alternate NTFS stream created on step 2;
  8. Launch winsat.exe, which will trigger the loading of the patched winmm.dll as a result of DLL hijacking.

The above sequence of actions results in WastedLocker being relaunched from the alternate NTFS stream with elevated administrative privileges without displaying the UAC prompt.

Procmon log fragment during the launch of WastedLocker
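
To make the two behaviours above concrete from the defender's side (the “-r” service installation sequence and the “C:\Windows ” mount-point UAC bypass), here is an added Python triage example that is not part of the Securelist write-up. The event records, their field names and the list of Control subkey names are constructed assumptions, not telemetry from the analyzed sample.

```python
import re

# Constructed subset of HKLM\SYSTEM\CurrentControlSet\Control subkey names (assumption);
# WastedLocker draws its random file and service names from that list.
CONTROL_SUBKEYS = {"Power", "Lsa", "Print", "Nls", "Session Manager", "Class"}

# "-r" persistence: service binary %WINDIR%\system32\<rand>.exe launched with "-s".
SVC_CMD = re.compile(r"^(?:%WINDIR%|[A-Za-z]:\\Windows)\\system32\\[^\\ ]+\.exe -s$", re.I)
# UAC bypass artefacts: a "Windows " directory with a trailing space, and the ":bin" stream.
SPACED_WINDOWS = re.compile(r"^[A-Za-z]:\\Windows \\", re.I)
ADS_BIN = re.compile(r":bin$", re.I)
REAL_WINMM = r"c:\windows\system32\winmm.dll"

def service_name_suspicious(name):
    """Service name is a Control subkey, optionally with the 'Ms' collision prefix."""
    base = name[2:] if name.startswith("Ms") else name
    return base in CONTROL_SUBKEYS

def triage(events):
    """Return (rule, detail) pairs for events matching the behaviours described above."""
    hits = []
    for ev in events:
        if ev["type"] == "ServiceInstall":
            if SVC_CMD.match(ev["image"]) and service_name_suspicious(ev["service"]):
                hits.append(("wasted_service_install", ev["service"]))
        elif ev["type"] == "File":
            path = ev["path"]
            if SPACED_WINDOWS.match(path):
                hits.append(("windows_trailing_space_path", path))
            if ADS_BIN.search(path):
                hits.append(("ads_bin_write", path))
            # winsat.exe loading winmm.dll from anywhere but the real System32 is a sideload.
            if (ev["process"].lower() == "winsat.exe" and path.lower().endswith("winmm.dll")
                    and path.lower() != REAL_WINMM):
                hits.append(("winmm_sideload", path))
    return hits

# Constructed sample events (not real telemetry): one benign service, one benign DLL load.
SAMPLE_EVENTS = [
    {"type": "ServiceInstall", "service": "MsPower", "image": r"%WINDIR%\system32\Power.exe -s"},
    {"type": "ServiceInstall", "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
    {"type": "File", "process": "svchost.exe", "path": r"C:\Windows\System32\winmm.dll"},
    {"type": "File", "process": "wasted.exe", "path": r"C:\Users\u\AppData\Roaming\Lsa\ntprint.exe:bin"},
    {"type": "File", "process": "winsat.exe", "path": r"C:\Windows \system32\winmm.dll"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```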

Cryptographic scheme

To encrypt victims’ files, the developers of the trojan employed a combination of the AES and RSA algorithms that has already become a ‘classic’ among different crypto-ransomware families.

The search mask that selects the files to be encrypted, as well as the list of ignored paths, is set in the malware's configuration.

Part of the trojan config showing the ignored path substrings

For each processed file, WastedLocker generates a unique 256-bit key and a 128-bit IV, which are used to encrypt the file content with AES-256 in CBC mode. The implementation of the file operations is worthy of note, as it employs file mapping for data access. This must have been an attempt by the criminals to maximize the trojan's performance and/or avoid detection by security solutions. Each encrypted file gets a new additional extension: “.garminwasted”.

The trojan also implements a form of integrity control as part of its file encryption routine. The malware calculates an MD5 hash of the original content of each processed file, and this hash may be used during decryption to verify that the procedure was carried out correctly.

WastedLocker uses a publicly available reference implementation of an RSA algorithm named “rsaref”.

The AES key, IV and the MD5 hash of the original content, as well as some auxiliary information, are encrypted with a public RSA key embedded in the trojan’s body. The sample under consideration contains a 4096-bit public RSA key.

The public RSA key format used by WastedLocker

It should be noted that this kind of cryptographic scheme, using one public RSA key for all victims of a given malware sample, could be considered a weakness if WastedLocker were to be mass-distributed. In that case a decryptor for one victim would have to contain the single private RSA key, which would allow all the victims to decrypt their files.

However, as we can see, WastedLocker is used in attacks targeted at a specific organization, which makes this decryption approach worthless in real-world scenarios.

The result of RSA encryption is Base64 encoded and saved in a new file with the extension .garminwasted_info. Notably, a separate info file is created for each of the victim’s encrypted files. This is a rare approach, previously used by the BitPaymer and DoppelPaymer trojans.
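
The per-file info-file layout described above lends itself to a simple incident-response inventory check. The following is an added Python example, not code from the Securelist write-up: it pairs each .garminwasted file with its .garminwasted_info companion and verifies that the companion is valid Base64 wrapping one RSA-4096 ciphertext block. The pairing rule (<original>.garminwasted alongside <original>.garminwasted_info) and the assumption of exactly one 512-byte RSA block per info file are ours, and the sample file tree is constructed.

```python
import base64
import binascii
import os
import tempfile
from pathlib import Path

ENC_EXT = ".garminwasted"        # appended to every encrypted file
INFO_EXT = ".garminwasted_info"  # Base64 RSA blob, one per encrypted file
RSA_BLOCK = 4096 // 8            # 512 bytes: one ciphertext block for the 4096-bit key

def check_info(info_path):
    """(ok, detail): the info file must be valid Base64 wrapping exactly one RSA block."""
    try:
        blob = base64.b64decode(info_path.read_bytes(), validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not Base64: {exc}"
    if len(blob) != RSA_BLOCK:
        return False, f"decoded length {len(blob)}, expected {RSA_BLOCK}"
    return True, "ok"

def inventory(root):
    """Map each *.garminwasted file under root to the status of its info companion."""
    root, result = Path(root), {}
    for enc in root.rglob("*" + ENC_EXT):
        # Assumed naming: <original>.garminwasted pairs with <original>.garminwasted_info.
        info = enc.with_name(enc.name[: -len(ENC_EXT)] + INFO_EXT)
        status = check_info(info) if info.exists() else (False, "info file missing")
        result[str(enc.relative_to(root))] = status
    return result

def build_sample(root):
    """Constructed test tree (no real victim data): one good pair, one corrupt, one orphan."""
    root = Path(root)
    (root / ("a.docx" + ENC_EXT)).write_bytes(b"\x00" * 64)
    (root / ("a.docx" + INFO_EXT)).write_bytes(base64.b64encode(os.urandom(RSA_BLOCK)))
    (root / ("b.xlsx" + ENC_EXT)).write_bytes(b"\x00" * 64)
    (root / ("b.xlsx" + INFO_EXT)).write_bytes(b"not base64!!")
    (root / ("c.pdf" + ENC_EXT)).write_bytes(b"\x00" * 64)
    return root

def demo():
    """Run the inventory over the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample(tmp))

if __name__ == "__main__":
    for name, (ok, detail) in sorted(demo().items()):
        print(f"{'OK ' if ok else 'BAD'} {name}: {detail}")
```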

An example list of encrypted files from our test machine

Ransom note left by the trojan

Recommendations

The WastedLocker sample we analyzed is targeted and crafted specifically for this particular attack. It uses a “classic” AES+RSA cryptographic scheme which is strong and properly implemented, and therefore the files encrypted by this sample cannot be decrypted without the threat actors’ private RSA key.

The Garmin incident is the latest in a series of targeted attacks on large organizations involving crypto-ransomware. Unfortunately, there is no reason to believe that this trend will decline in the near future.

That is why it is crucial to follow a number of recommendations that may help prevent this type of attack:

  1. Use up-to-date OS and application versions;
  2. Refrain from opening RDP access on the Internet unless necessary. Preferably, use VPN to secure remote access;
  3. Use modern endpoint security solutions, such as Kaspersky Endpoint Security for Business, that support behavior detection, automatic file rollback and a number of other technologies to protect from ransomware;
  4. Improve user education in the field of cybersecurity. Kaspersky Security Awareness offers computer-based training products that combine expertise in cybersecurity with best-practice educational techniques and technologies;
  5. Use a reliable data backup scheme.

Kaspersky products protect from this threat, detecting it as Trojan-Ransom.Win32.Wasted.d and PDM:Trojan.Win32.Generic. The relevant behavioral detection logic was added in 2017.

IoC

2cc4534b0dd0e1c8d5b89644274a10c1

VB2020 localhost call for last-minute papers now open!

Virus Bulletin News - 31 July 2020 - 12:32
The call for last-minute papers for VB2020 localhost is now open. Submit before 17 August to have your paper considered for one of the nine slots reserved for 'hot' research!

Category: Viruses and Worms

Black Hat USA 2020 Preview: Election Security, COVID Disinformation and More

VirusList.com - 31 July 2020 - 12:30
Threatpost editors break down the top themes, speakers and sessions to look out for this year at Black Hat 2020 - from election security to remote work and the pandemic.
Category: Viruses and Worms

Burn baby burn, plastic inferno! Infosec researchers turn 3D printers into self-immolating suicide machines

The Register - Anti-Virus - 31 July 2020 - 12:15
Inflammatory findings from deadly serious investigation

Some 3D printers can be flashed with firmware updates downloaded directly from the internet – and an infosec research firm says it has discovered a way to spoof those updates and potentially make the printer catch fire.…

Category: Viruses and Worms

In the market for a second-hand phone? Check it's still supported by the vendor – almost a third sold are not

The Register - Anti-Virus - 31 July 2020 - 10:30
That means no security updates, which puts users at risk of compromise

An investigation by consumer watchdog Which? has found that nearly a third of all phones sold on second-hand sites are no longer supported by the vendor, leaving punters at risk of being hacked.…

Category: Viruses and Worms

EU tries to get serious on cybercrime with first sanctions against Wannacry, NotPetya, CloudHopper crews

The Register - Anti-Virus - 31 July 2020 - 09:55
Russian, Chinese, Nork groups named in bank asset freeze

The European Union has, for the first time ever, slapped sanctions on hacking crews.…

Category: Viruses and Worms

Fun fact: If you noticed a while ago Zoom's web client going AWOL for a week, it's because someone found a passcode-cracking hole

The Register - Anti-Virus - 31 July 2020 - 08:25
Story behind a hasty teardown, fixing of a brute-force vulnerability

Zoom has confirmed it fixed a vulnerability that could have been exploited by miscreants to crack the passcodes needed to access strangers' private chin-wagging.…

Category: Viruses and Worms

Twitter says spear-phishing attack hooked its staff and led to celebrity account hijack

The Register - Anti-Virus - 31 July 2020 - 07:27
Attack came in waves that probed for staff with access to the creds crims craved

Twitter has offered further explanation of the celebrity account hijack hack that saw 130 users’ timelines polluted with a Bitcoin scam.…

Category: Viruses and Worms

Infosec bod: I've found zero-day flaws in Tor's bridge relay defenses. Tor Project: Only the zero part is right

The Register - Anti-Virus - 31 July 2020 - 00:08
Warnings either not new or need more study, reckons open-source dev team

Neal Krawetz, a computer forensics expert, has published details on how to detect Tor bridge network traffic that he characterizes as "zero-day exploits"... which the Tor Project insists are nothing of the sort.…

Category: Viruses and Worms

Zoom Flaw Could Have Allowed Hackers To Crack Meeting Passcodes

VirusList.com - 30 July 2020 - 23:40
Zoom has fixed the issue, which stemmed from a lack of checks against incorrect passcode attempts.
Category: Viruses and Worms

Doki Backdoor Infiltrates Docker Servers in the Cloud

VirusList.com - 30 July 2020 - 19:00
The malware is a new payload that uses Dogecoin wallets for its C2, and spreads via the Ngrok botnet.
Category: Viruses and Worms

Servers at risk from “BootHole” bug – what you need to know

Sophos Naked Security - 30 July 2020 - 17:35
We explain the "BootHole" vulnerability - as usual, in plain English and without hype. Find if you're affected and what to do.

Critical, High-Severity Cisco Flaws Fixed in Data Center Network Manager

VirusList.com - 30 July 2020 - 16:36
The flaw could allow a remote, unauthenticated attacker to bypass authentication on vulnerable devices.
Category: Viruses and Worms

Vermont Taxpayers Warned of Data Leak Over the Past Three Years

VirusList.com - 30 July 2020 - 15:32
A vulnerability in the state’s system may have exposed personal data that can be used for credential theft for those who filed Property Transfer Tax returns online.
Category: Viruses and Worms

If you own one of these 45 Netgear devices, replace it: Kit maker won't patch vulnerable gear despite live proof-of-concept code

The Register - Anti-Virus - 30 July 2020 - 13:28
That's one way of speeding up the tech refresh cycle

Netgear has quietly decided not to patch more than 40 home routers to plug a remote code execution vulnerability – despite security researchers having published proof-of-concept exploit code.…

Category: Viruses and Worms

DXC says ransomware attack disrupted customer operations at insurance services arm but barely left a scratch

The Register - Anti-Virus - 30 July 2020 - 09:29
No data loss or evidence of extended intrusions, but standalone limb Xchanging did suffer

DXC has recovered from a ransomware attack that hit its independent services-for-insurers operation Xchanging.…

Category: Viruses and Worms

Critical Magento Flaws Allow Code Execution

VirusList.com - 29 July 2020 - 23:22
Adobe has released patches for critical and important-severity flaws in its popular Magento e-commerce platform.
Category: Viruses and Worms

YOU... SHA-1 NOT PASS! Microsoft magics away demonic hash algorithm from Windows updates, apps

The Register - Anti-Virus - 29 July 2020 - 22:37
Because no one likes to install spoof system files

Microsoft is preparing to once and for all drop support for the SHA-1 hash algorithm.…

Category: Viruses and Worms

Billions of Devices Impacted by Secure Boot Bypass

VirusList.com - 29 July 2020 - 21:53
The "BootHole" bug could allow cyberattackers to load malware, steal information and move laterally into corporate, OT, IoT and home networks.
Category: Viruses and Worms