Viry a Červi

The use of crypto-ransomware in targeted attacks has become an ordinary occurrence lately: new incidents are being reported every month, sometimes even more often.

On July 23, Garmin, a major manufacturer of navigation equipment and smart devices, including smart watches and bracelets, experienced a massive service outage. As confirmed by an official statement later, the cause of the downtime was a cybersecurity incident involving data encryption. The situation was so dire that at the time of writing of this post (7/29) the operation of the affected online services had not been fully restored.

According to currently available information, the attack saw the threat actors use a targeted build of the trojan WastedLocker. An increase in the activity of this malware was noticed in the first half of this year.

We have performed technical analysis of a WastedLocker sample.

Command line arguments

It is worth noting that WastedLocker has a command line interface that allows it to process several arguments that control the way it operates.

 -p <directory-path>

Priority processing: the trojan will encrypt the specified directory first, and then add it to an internal exclusion list (to avoid processing it twice) and encrypt all the remaining directories on available drives.

 -f <directory-path>

Encrypt only the specified directory.

 -u username:password \\hostname

Encrypt files on the specified network resource using the provided credentials for authentication.

 -r

Launch the sequence of actions:

1. Delete ;
2. Copy to %WINDIR%\system32\<rand>.exe using a random substring from the list of subkeys of the registry key SYSTEM\CurrentControlSet\Control\;
3. Create a service with a name chosen similarly to the method described above. If a service with this name already exists, append the prefix “Ms” (e.g. if the service “Power” already exists, the malware will create a new one with the name “MsPower”). The command line for the new service will be set to “%WINDIR%\system32\<rand>.exe -s”;
4. Start this service and wait until it finishes working;
5. Delete the service.

 -s:

Start the created service. It will lead to the encryption of any files the malware can find.

UAC bypass

Another interesting feature of WastedLocker is the chosen method of UAC bypass. When the trojan starts, it will check the integrity level it was run on. If this level is not high enough, the malware will try to silently elevate its privileges using a known bypass technique.

1. Create a new directory in %appdata%; the directory name is chosen at random from the substrings found in the list of subkeys of the registry key SYSTEM\CurrentControlSet\Control\;
2. Copy a random EXE or DLL file from the system directory to this new directory;
3. Write the trojan’s own body into the alternate NTFS stream “:bin” of this system file;
4. Create a new temporary directory and set its mount point to “C:\Windows ” (with a trailing whitespace) using the API function NtFsControlFile with the flag IO_REPARSE_TAG_MOUNT_POINT;
5. Create a new subdirectory named “system32” inside the temporary directory. As a result of the previous step, this new subdirectory can be equally successfully addressed as “%temp%\<directory_name>\system32” or “C:\Windows \system32” (note the whitespace);
6. Copy the legitimate winsat.exe and winmm.dll into this subdirectory;
7. Patch winmm.dll: replace the entry point code with a short fragment of malicious code whose only purpose is to launch the content of the alternate NTFS stream created on step 2;
8. Launch winsat.exe, which will trigger the loading of the patched winmm.dll as a result of DLL hijacking.

The above sequence of actions results in WastedLocker being relaunched from the alternate NTFS stream with elevated administrative privileges without displaying the UAC prompt.

Procmon log fragment during the launch of WastedLocker

Cryptographic scheme

To encrypt victims’ files, the developers of the trojan employed a combination of the AES and RSA algorithms that has already become a ‘classic’ among different crypto-ransomware families.

The search mask to choose which files will be encrypted, as well as the list of the ignored paths are set in the configuration of the malware.

Part of the trojan config showing the ignored path substrings

For each processed file, WastedLocker generates a unique 256 bit key and a 128 bit IV which will be used to encrypt the file content using the AES-256 algorithm in CBC mode. The implementation of the file operations is worthy of note, as it employs file mapping for data access. It must have been an attempt by the criminals to maximize the trojan’s performance and/or avoid detection by security solutions. Each encrypted file will get a new additional extension: “.garminwasted“.

The trojan also implements a way of integrity control as part of its file encryption routine. The malware calculates an MD5 hash of the original content of each processed file, and this hash may be utilized during decryption to ensure the correctness of the procedure.

WastedLocker uses a publicly available reference implementation of an RSA algorithm named “rsaref”.

The AES key, IV and the MD5 hash of the original content, as well as some auxiliary information, are encrypted with a public RSA key embedded in the trojan’s body. The sample under consideration contains a 4096 bit public RSA key.

The public RSA key format used by WastedLocker

It should be noted that this kind of cryptographic scheme, using one public RSA key for all victims of a given malware sample, could be considered a weakness if WastedLocker were to be mass-distributed. In this case a decryptor from one victim would have to contain the only private RSA key that would allow all the victims to decrypt their files.

However, as we can see, WastedLocker is used in attacks targeted at a specific organization which makes this decryption approach worthless in real-world scenarios.

The result of RSA encryption is Base64 encoded and saved in a new file with the extension .garminwasted_info, and what is notable, a new info file is created for each of the victim’s encrypted files. This is a rare approach that was previously used by the BitPaymer and DoppelPaymer trojans.

An example list of encrypted files from our test machine

Ransom note left by the trojan

Recommendations

This WastedLocker sample we analyzed is targeted and crafted specifically to be used in this particular attack. It uses a “classic” AES+RSA cryptographic scheme which is strong and properly implemented, and therefore the files encrypted by this sample cannot be decrypted without the threat actors’ private RSA key.

The Garmin incident is the next in a series of targeted attacks on large organizations involving crypto-ransomware. Unfortunately, there is no reason to believe that this trend will decline in the near future.

That is why it is crucial to follow a number of recommendations that may help prevent this type of attacks:

1. Use up-to-date OS and application versions;
2. Refrain from opening RDP access on the Internet unless necessary. Preferably, use VPN to secure remote access;
3. Use modern endpoint security solutions, such as Kaspersky Endpoint Security for Business, that support behavior detection, automatic file rollback and a number of other technologies to protect from ransomware.
4. Improve user education in the field of cybersecurity. Kaspersky Security Awareness offers computer-based training products that combine expertise in cybersecurity with best-practice educational techniques and technologies.
5. Use a reliable data backup scheme.

Kaspersky products protect from this threat, detecting it as Trojan-Ransom.Win32.Wasted.d and PDM:Trojan.Win32.Generic. The relevant behavioral detection logic was added in 2017.

IoC

2cc4534b0dd0e1c8d5b89644274a10c1

The call for last-minute papers for VB2020 localhost is now open. Submit before 17 August to have your paper considered for one of the nine slots reserved for 'hot' research!

Read more

The call for last-minute papers for VB2020 localhost is now open. Submit before 17 August to have your paper considered for one of the nine slots reserved for 'hot' research!

Read more

Threatpost editors break down the top themes, speakers and sessions to look out for this year at Black Hat 2020 - from election security to remote work and the pandemic.

Inflammatory findings from deadly serious investigation

Some 3D printers can be flashed with firmware updates downloaded directly from the internet – and an infosec research firm says it has discovered a way to spoof those updates and potentially make the printer catch fire.…

That means no security updates, which puts users at risk of compromise

An investigation by consumer watchdog Which? has found that nearly a third of all phones sold on second-hand sites are no longer supported by the vendor, leaving punters at risk of being hacked.…

Russian, Chinese, Nork groups named in bank asset freeze

The European Union has, for the first time ever, slapped sanctions on hacking crews.…

Story behind a hasty teardown, fixing of a brute-force vulnerability

Zoom has confirmed it fixed a vulnerability that could have been exploited by miscreants to crack the passcodes needed to access strangers' private chin-wagging.…

Attack came in waves that probed for staff with access to the creds crims craved

Twitter has offered further explanation of the celebrity account hijack hack that saw 130 users’ timelines polluted with a Bitcoin scam.…

Warnings either not new or need more study, reckons open-source dev team

Neal Krawetz, a computer forensics expert, has published details on how to detect Tor bridge network traffic that he characterizes as "zero-day exploits"... which the Tor Project insists are nothing of the sort.…

Zoom has fixed the issue, which stemmed from a lack of checks against incorrect passcode attempts.

The malware is a new payload that uses Dogecoin wallets for its C2, and spreads via the Ngrok botnet.

We explain the "BootHole" vulnerability - as usual, in plain English and without hype. Find if you're affected and what to do.

The flaw could allow a remote, unauthenticated attacker to bypass authentication on vulnerable devices.

A vulnerability in the state’s system may have exposed personal data that can be used for credential theft for those who filed Property Transfer Tax returns online.

That's one way of speeding up the tech refresh cycle

Netgear has quietly decided not to patch more than 40 home routers to plug a remote code execution vulnerability – despite security researchers having published proof-of-concept exploit code.…

No data loss or evidence of extended intrusions, but standalone limb Xchanging did suffer

DXC has recovered from a ransomware attack that hit its independent services-for-insurers operation Xchanging.…

Adobe has released patches for critical and important-severity flaws in its popular Magento e-commerce platform.

Because no one likes to install spoof system files

Microsoft is preparing to once and for all drop support for the SHA-1 hash algorithm.…

The "BootHole" bug could allow cyberattackers to load malware, steal information and move laterally into corporate, OT, IoT and home networks.