On March 9 2016, Cyphort Labs discovered an infection on a porn site keng94(dot)com redirecting visitors to an exploit kit and installing a Ransom Locker. The site is redirecting users to rg(dot)foldersasap(dot)com which is a RIG EK landing page that serves a malicious flash file and a malicious binary.
![chain]()
- Chain and RIG EK landing
The binary arrives encrypted over the network and after decryption, it is saved in the %temp% folder. The binary is a new trojan-downloader type of malware but we found multiple references of the string “FA” in its code which gives us an idea on the specific name/family of the malware.
- ItsMeFA
- “version_fa”
- fa 155
It adds an autostart key in the registry and copies itself in the StartMenu folder to execute itself at every start-up. It creates the file “C:\Users\Public\Music\Microsoft\Windows\Manifest\torrc“. This a tor configuration file which indicates how tor is being used. The config file is set to start a “Tor Hidden Service” which can be accessed using port 1060. Tor is a free tool that is used for network anonymity.
![torrc]()
- torrc file contents
After creating the torrc file, it downloads a file from “http://myfiles(dot)pro/uploads/1275859359.Gaga.mp3” and saves it as C:\Users\Public\Music\Microsoft\Windows\Manifest\tor.exe
This file is actually an executable file masquerading as an mp3. When started, it spawns the following process:
- C:\Users\Public\Music\Microsoft\Windows\Manifest\tor.exe -f torrc
And as the usual tor execution process, the following files are created.
As a hidden service, tor automatically generates an onion address (e.g., 43zri2d6x2rruezl.onion) for your machine and it is written to a file named ‘hostname’. It uses this tor hidden service to download its final payload. The use of the tor hidden service allows the attacker to hide its malicious network activity in the tor network. A few moments later, the following window covers the entire screen making it unusable.
Since it locked our system, we thought of booting it in safe mode for further investigation but we were not able to do so. We decided to analyze it offline and we used volatility to analyze the memory image.
Using Volatility to Find the Malware
We obtained the memory dump and process tree list using volatility command “pstree” and found the sd_app.exe to be the last process spawned which is also spawning another instance of tor.exe. This is likely the downloaded app and responsible for locking our screen.
To confirm this, we list visible windows using the “wintree” command to identify which process is responsible for the lock screen and we identified the same sd_app.exe.
Next, we identified the full path of the file using the process id and ‘cmdline‘ command
We dumped the disk and found the following list of files added.
The .bat disables advanced boot options using bcedit which explains why we are not able to boot in safe mode.
![batfile]()
- contents of 1.bat
In-the-Wild Samples
Using VirusTotal service, we searched for similar samples and found 4 related samples. The first appearance of the sample is last February 01, 2016 with very low detection when first submitted. The files are also signed but the certificates are invalid. The resources section of the binary points to Russia or Ukraine.
The variants of sd_app are also signed but 2 of the files still have no detection.
We also found the files uploaded have debug prints in the code and files are uploaded from Ukraine which indicates that the actors are using VirusTotal to test if their malware is detected by heuristics. The first variant uploaded in VT has version 0.01a-154d as indicated by the ff string:
- WIN32-VS-x32-RELEASE-Feb 1 2016-15:33:48 v.0.01a-154d
The sample we got is version 0.02a-155. This clearly means it is in the early stage of development.
Conclusion
It’s been a while since we have seen a new family of Ransom Locker in-the-wild, probably due to the success of file-encrypting ransomware such as Cryptolocker, Cryptowall, Locky, etc. Also, Ransom Lockers can be easily cleaned by using “rescue discs” so it was not effective for monetization. However, this new discovery is an advancement of ransom locker malware as it is using Tor to communicate to its CnC servers. By using tor, the attacker adds a layer of anonymity while doing its malicious activity. Also, while the attacker got your machine kidnapped, they created a Tor hidden service that allows the attacker to utilize your system for bitcoin payments or other malicious activity. As discovered by a researcher, there has been an spike of tor hidden services due to the ongoing spam campaign of Ransomware Locky. We also believe that the malware is in its early stages of development and the actors are testing the waters.
Cyphort’s Advanced Threat Detection is able to detect the exploit infection and also detects all the payload files through behavioral detection.
Special thanks to Alex Burt and Cyphort Labs for their help in analysis and discovery of this malware.
IOCs
Trojan Downloader hashes (FA)
5ed449fc2385896f8616e5cd7bee3f31
3a00058ccaee78805f539f2f6a259e92
d183ed4609e6ad7b00250c50a963db5d
6af38533fc8621128e943488a6f189ed
fb016a14ef1384ec78a284636631ab17
Screen Locker (SD)
29e71b864ac46bd3e2c216cce0403114
639c62bcae61054a229ed3c79a109cc4
092b9e87bd75384df188feb2c4e402a2
e8231d2b7a04a5826a78b2908a1dd393
Mutex Names
ItsMeFA
ItsMeSD