Monday, November 23, 2015

INFO: Google Drive Issues Resolved

Everybody,

I have found a workaround for the Google Drive issues reported earlier. To absolutely ensure that artifacts I upload to Google Drive are not detected and flagged, I have encrypted all artifact .ZIP files with AxCrypt.

What this means for you, dear reader, is that you will need to download AxDecrypt here and enter the password prescomm to decrypt the files. This may or may not be a hindrance for *Nix users, and I apologize for that, but it is the quickest and best workaround I have for the issue at the moment.

Again, apologies if this caused any inconvenience for anybody.

Cheers!

INFO: Google Drive "Violation" Errors

Everybody,

Just wanted to let everyone know that I have become aware of an error that almost all of my artifact .ZIP files are producing. Google Drive appears to have picked up on the malware samples, even in encrypted archives. It is also doing this on non-malware uploads, though, so I am not sure what the issue is at this point.

I am working on a fix for this, so be patient with me. In the meantime, if you want/need a file I have uploaded, send me an e-mail and I will get it over to you.

Apologies for the inconvenience. Will update everyone when this is fixed.

Sunday, November 22, 2015

Post #16 (Or... "ASPXSpy With My Little Eye")

Referring back to post #15, let's take a gander at those two .ASPX files that were spotted on one of our compromised servers.

As stated in the previous post, the only difference between "dusuki.aspx" and "website.aspx" was a few lines of comments, so we can just arbitrarily pick a sample file to work with.

Cursory Internet research reveals that ASPXSpy is a web server back door that offers a ton of functionality to the attacker deploying it. This can be seen by examining some interesting strings in the file, as well as the long list of imports that the file calls.

First, the imports:

<%@ import Namespace="System.IO"%>

<%@ import Namespace="System.Diagnostics"%>

<%@ import Namespace="System.Data"%>

<%@ import Namespace="System.Management"%>

<%@ import Namespace="System.Data.OleDb"%>

<%@ import Namespace="Microsoft.Win32"%>

<%@ import Namespace="System.Net.Sockets" %>

<%@ import Namespace="System.Net" %>

<%@ import Namespace="System.Runtime.InteropServices"%>

<%@ import Namespace="System.DirectoryServices"%>

<%@ import Namespace="System.ServiceProcess"%>

<%@ import Namespace="System.Text.RegularExpressions"%>

<%@ Import Namespace="System.Threading"%>

<%@ Import Namespace="System.Data.SqlClient"%>

<%@ import Namespace="Microsoft.VisualBasic"%>

Then, the strings:

000000000D37 000000000D37 0 Bin_Button_CreateFile.Attributes["onClick"]="var filename=prompt('Please input the file name:','');if(filename){Bin_PostBack('Bin_Createfile',filename);}";

000000000DD4 000000000DD4 0 Bin_Button_CreateDir.Attributes["onClick"]="var filename=prompt('Please input the directory name:','');if(filename){Bin_PostBack('Bin_Createdir',filename);}";

000000000E74 000000000E74 0 Bin_Button_KillMe.Attributes["onClick"]="if(confirm('Are you sure delete ASPXSPY?')){Bin_PostBack('hae','');};";

000000001BA9 000000001BA9 0 ZGKh.Text="<a href=\"javascript:if(confirm('Are you sure will delete it ?\\n\\nIf non-empty directory,will be delete all the files.')){Bin_PostBack('kRXgt','"+MVVJ(AXSbb.Value+Bin_folder.Name)+"')};\">Del</a> | <a href='#' onclick=\"var filename=prompt('Please input the new folder name:','"+AXSbb.Value.Replace(@"\",@"\\")+Bin_folder.Name.Replace("'","\\'")+"');if(filename){Bin_PostBack('dAJTD"+MVVJ(AXSbb.Value+Bin_folder.Name)+"',filename);} \">Rename</a>";

0000000022B5 0000000022B5 0 GLpi.Text="<a href=\"#\" onclick=\"Bin_PostBack('ksGR','"+MVVJ(AXSbb.Value+Bin_Files.Name)+"')\">Down</a> | <a href='#' onclick=\"var filename=prompt('Please input the new path(full path):','"+AXSbb.Value.Replace(@"\",@"\\")+Bin_Files.Name.Replace("'","\\'")+"');if(filename){Bin_PostBack('Bin_CFile"+MVVJ(AXSbb.Value+Bin_Files.Name)+"',filename);} \">Copy</a> | <a href=\"#\" onclick=\"Bin_PostBack('Bin_Editfile','"+Bin_Files.Name+"')\">Edit</a> | <a href='#' onclick=\"var filename=prompt('Please input the new file name(full path):','"+AXSbb.Value.Replace(@"\",@"\\")+Bin_Files.Name.Replace("'","\\'")+"');if(filename){Bin_PostBack('Tlvz"+MVVJ(AXSbb.Value+Bin_Files.Name)+"',filename);} \">Rename</a> | <a href=\"#\" onclick=\"Bin_PostBack('cYAl','"+Bin_Files.Name+"')\">Time</a> ";

00000000601D 00000000601D 0 Bin_H2_Title.InnerText="System Information >>";

00000000604E 00000000604E 0 Bin_H2_Mac.InnerText="MAC Information >>";

00000000607A 00000000607A 0 Bin_H2_Driver.InnerText="Driver Information >>";

000000006129 000000006129 0 yEwc.Append("<li><u>Server Domain : </u>"+Request.ServerVariables["SERVER_NAME"]+"</li>");

000000006185 000000006185 0 yEwc.Append("<li><u>Server Ip : </u>"+Request.ServerVariables["LOCAL_ADDR"]+":"+Request.ServerVariables["SERVER_PORT"]+"</li>");

000000006207 000000006207 0 yEwc.Append("<li><u>Terminal Port : </u>"+IKjwH+"</li>");

000000006242 000000006242 0 yEwc.Append("<li><u>Server OS : </u>"+Environment.OSVersion+"</li>");

000000006289 000000006289 0 yEwc.Append("<<u>Server Software : </u>"+Request.ServerVariables["SERVER_SOFTWARE"]+"</li>");

0000000062EB 0000000062EB 0 yEwc.Append("<li><u>Server UserName : </u>"+Environment.UserName+"</li>");

000000006337 000000006337 0 yEwc.Append("<li><u>Server Time : </u>"+System.DateTime.Now.ToString()+"</li>");

000000006389 000000006389 0 yEwc.Append("<li><u>Server TimeZone : </u>"+cCf("Win32_TimeZone").Rows[0]["Caption"]+"</li>");

00000000640C 00000000640C 0 yEwc.Append("<li><u>Server BIOS : </u>"+BIOS.Rows[0]["Manufacturer"]+" : "+BIOS.Rows[0]["Name"]+"</li>");

000000006477 000000006477 0 yEwc.Append("<li><u>CPU Count : </u>"+cpu.ToString()+"</li>");

0000000064B7 0000000064B7 0 yEwc.Append("<li><u>CPU Version : </u>"+NPPZ+"</li>");

000000006551 000000006551 0 oZnZV+=Int64.Parse(upM.Rows[0]["Capacity"].ToString());

00000000658D 00000000658D 0 yEwc.Append("<li><u>Server upM : </u>"+mTG(oZnZV)+"</li>");

00000000662B 00000000662B 0 hwJeS.Append("<li><u>Server MAC"+i+" : </u>"+dOza.Rows[i]["Caption"]+"</li>");

0000000066AC 0000000066AC 0 hwJeS.Append("<li style=\"list-style:none;\"><u>Address : </u>"+dOza.Rows[i]["MACAddress"]+"</li>");

000000006771 000000006771 0 jXkaE.Append("<li><u class='u1'>Server Driver"+i+" : </u><u class='u2'>"+Driver.Rows[i]["Caption"]+"</u> ");

000000006811 000000006811 0 jXkaE.Append("Path : "+Driver.Rows[i]["PathName"]);

000000006852 000000006852 0 jXkaE.Append("No path information");

00000000687B 00000000687B 0 jXkaE.Append("</li>");

00000001102A 00000001102A 0 <%--PortMap--%>

0000000110E5 0000000110E5 0 <td style="width:20%" align="left">Local Ip : <input class="input" runat="server" id="eEpm" type="text" size="20" value="127.0.0.1"/></td>

000000011171 000000011171 0 <td style="width:20%" align="left">Local Port : <input class="input" runat="server" id="iXdh" type="text" size="20" value="3389"/></td>

0000000111FA 0000000111FA 0 <td style="width:20%" align="left">Remote Ip : <input class="input" runat="server" id="llH" type="text" size="20" value="www.rootkit.net.cn"/></td>

00000001128F 00000001128F 0 <td style="width:20%" align="left">Remote Port : <input class="input" runat="server" id="ZHS" type="text" size="20" value="80"/></td></tr>

Wow. File system manipulation, service/process interaction, a self-kill mechanism, and the ability to launch port scans. Oh, and there is more. I just got tired of pulling strings from the file at that point.

Well, we now have an idea what ASPXSpy does... so why don't we have some fun with dynamic analysis?

First, we will need some sort of a webserver that can power ASP applications. I located a simple, portable solution called CassiniDev. I fired up CassiniDev, pointed it to the directory containing "dusuki.aspx", set the port to 80, and let CassiniDev set a local HOSTS file entry called "aspxspy". Here is our landing page:

Oh no! We need a password to access the application! Let's look at our code again:

public string Password="21232f297a57a5a743894a0e4a801fc3";//admin

Well, sweet, they left the password for us. Except, not really. I tried entering that string, and I was denied access. If we search through the code for other instances of "password", we find the following snippet:

string Jfm=FormsAuthentication.HashPasswordForStoringInConfigFile(HRJ.Text,"MD5").ToLower();

if(Jfm==Password)

Basically, whatever text we enter into the password form is hashed with MD5, then stored as the string variable "Jfm". If "Jfm" is equal to "21232f297a57a5a743894a0e4a801fc3", it means we entered the correct password, and thus are granted access to the application.

At this point I could take the time to try to crack the password (which would have been quick with a dictionary attack, seeing as how Google shows us that the password is just "admin" [http://md5cracker.org/decrypted-md5-hash/21232f297a57a5a743894a0e4a801fc3]), but why would I waste my time during dynamic analysis when I could just change the password input code to this instead:

string Jfm="21232f297a57a5a743894a0e4a801fc3";

Now, we just need to enter "21232f297a57a5a743894a0e4a801fc3" into the password form, and we are granted access!
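Two things in the walk-through above are worth turning into something a defender can run: the traits that give ASPXSpy away in source (the pile of management-type namespace imports, the "ASPXSpy"/"Bin_PostBack"/"rootkit.net.cn" strings, and the hard-coded Password constant), and the login check itself, which is nothing more than MD5 of the submitted text compared to that constant. The script below is an added example, not code from this post or from ASPXSpy; the indicator strings are the ones quoted above, while the weights, the score threshold and the two sample pages are my own assumptions.

```python
"""Triage suspected ASPXSpy pages under a web root.

Added example for this post, not code from the blog or from ASPXSpy itself.
Indicator values come from the strings quoted in the post; weights, threshold
and the two sample pages below are assumptions."""
import hashlib
import re
from pathlib import Path

# Namespaces a content page rarely needs but the sample imports (from the post).
SUSPICIOUS_NAMESPACES = {
    "System.Management", "System.ServiceProcess", "System.DirectoryServices",
    "Microsoft.Win32", "System.Runtime.InteropServices", "System.Net.Sockets",
    "System.Diagnostics",
}
# Literal strings seen in the sample quoted in the post.
MARKER_STRINGS = ("ASPXSpy", "Bin_PostBack", "rootkit.net.cn", "Code by Bin")
# MD5("admin"), the hard-coded Password constant in the sample.
DEFAULT_PASSWORD_MD5 = "21232f297a57a5a743894a0e4a801fc3"

IMPORT_RE = re.compile(r'<%@\s*import\s+Namespace\s*=\s*"([^"]+)"', re.IGNORECASE)
PASSWORD_RE = re.compile(r'Password\s*=\s*"([0-9a-fA-F]{32})"')


def md5_hex(password: str) -> str:
    """The shell's login check: HashPasswordForStoringInConfigFile(text, "MD5")
    is an MD5 of the submitted text rendered as hex, which the sample lower-cases
    before comparing with Password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def score_source(source: str) -> dict:
    """Return the indicators found in one page plus a heuristic score and verdict."""
    imports = set(IMPORT_RE.findall(source))
    hashes = PASSWORD_RE.findall(source)
    result = {
        "suspicious_imports": sorted(imports & SUSPICIOUS_NAMESPACES),
        "markers": [m for m in MARKER_STRINGS if m in source],
        "password_hashes": hashes,
        "default_password": any(h.lower() == DEFAULT_PASSWORD_MD5 for h in hashes),
    }
    # Weights are assumptions: the markers and the known hash are far more
    # specific than any single import.
    score = (len(result["suspicious_imports"])
             + 2 * len(result["markers"])
             + (3 if result["default_password"] else 0))
    result["score"] = score
    result["verdict"] = ("likely webshell" if score >= 5
                         else "review" if score >= 2 else "clean")
    return result


def scan_webroot(root) -> dict:
    """Score every .aspx/.ashx/.asmx file under a web root such as C:\\inetpub\\wwwroot."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".aspx", ".ashx", ".asmx"):
            text = path.read_text(encoding="utf-8", errors="replace")
            findings[str(path)] = score_source(text)
    return findings


# Constructed fragment reproducing the quoted imports, markers and constant.
SAMPLE_SHELL = '''<%@ Page Language="C#" %>
<%@ import Namespace="System.IO"%>
<%@ import Namespace="System.Diagnostics"%>
<%@ import Namespace="System.Management"%>
<%@ import Namespace="Microsoft.Win32"%>
<%@ import Namespace="System.Net.Sockets" %>
<%@ import Namespace="System.Runtime.InteropServices"%>
<%@ import Namespace="System.DirectoryServices"%>
<%@ import Namespace="System.ServiceProcess"%>
<script runat="server">
/* Code by Bin  Blog: http://www.rootkit.net.cn */
public string Password="21232f297a57a5a743894a0e4a801fc3";//admin
public string vbhLn="ASPXSpy";
</script>
<input type="button" onclick="Bin_PostBack('hae', '')" />'''

# Constructed benign page for comparison.
SAMPLE_BENIGN = '''<%@ Page Language="C#" %>
<%@ Import Namespace="System.IO"%>
<html><body>Hello</body></html>'''

if __name__ == "__main__":
    for name, src in (("sample shell", SAMPLE_SHELL), ("benign page", SAMPLE_BENIGN)):
        print(name, score_source(src))
    print("admin hashes to", md5_hex("admin"))
```

Point `scan_webroot()` at a copy of the web root taken during triage rather than the live server, and treat the score as a sorting aid, not a verdict: a page that imports System.ServiceProcess alone deserves a look, but it is the markers and the MD5 constant that make the sample above unmistakable.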

Okay, so let's play around a bit:

So, as you can see, there is a lot of power behind this simple application. It is definitely not something you want sitting on your server, that much is certain.

Not much else to say about this one. See below for samples. Expect the final part of this post series shortly after next week's holiday goings-on.

p16_artifacts.zip

Friday, November 20, 2015

Post #15 (Or... "You're As ColdFusion As Ice!")

WARNING! This blog post contains file names and strings that are offensive and hate-filled. The names of these files and strings were chosen by the attackers, and I in no way find humor in or appreciate them.

Had to wait a little while to finish gathering some information on this, because it was a large endeavor and may end up splitting into 2 or 3 posts.

This particular incident started with our client's hosted mail relay threatening to shut down their access to the relay due to a high volume of spam that was coming from the client's network. The client had a fairly extensive network, so we had to get our hands dirty digging into their environment to track down where the spam was coming from, but we eventually tracked it down to 2 possible servers. I'll offer to you my reasoning for suspecting each server first, and then I will tell you what the actual outcome was.

On the first server we examined, we started in the most obvious place possible: the anti-virus logs. We noted immediately that 2 files had been uploaded to this server at some point in the past, and now they had been sitting in the quarantine for months. Those files were 2 .ASPX files named "dusuki.aspx" and "website.aspx", and they were uploaded to the "C:\inetpub\wwwroot" directory. These 2 files had exactly the same contents, with the exception of "dusuki.aspx" having a small block of comments added at lines 23-29. Here are the comments I just mentioned, plus a few lines of code just beneath:

/*

Thanks Snailsor,FuYu,BloodSword,Cnqing,

Code by Bin

Make in China

Blog: http://www.rootkit.net.cn

E-mail : master@rootkit.net.cn

*/

public string Password="21232f297a57a5a743894a0e4a801fc3";//admin

public string vbhLn="ASPXSpy";

ASPXSpy (https://github.com/tennc/webshell/blob/master/net-friend/aspx/aspxspy.aspx) is a web server backdoor with multiple capabilities such as file upload/download, service/process manipulation, etc. It is unclear exactly how long the ASPXSpy files had been on this server or if they had ever been used, but timestamps on the files indicate that it could have been an unpleasant span of time. This, however, was not the source of our spam problem. Read on for further details!

So, with no evidence that the origin of the spam was the first server, we moved on to our second suspected server. Once again, we started with the anti-virus logs. What we found was both surprising and disturbing. The malware, despite its age, wasn't all detected by anti-virus, as was later discovered by a manual perusal of the file structure. Below is a list of all the files that we turned up on this server:

2T28M.jar

ajewpot.exe

alternate.exe

botsed.exe

build5.exe

data.exe

fud.exe

hopefullythisworks.exe

hosman.exe

jews.exe

jewsaremonsters.exe

jews_did_boston.exe

jusched.exe

lol.vbs

niggersone.exe

py.exe

t.jar

undetected.exe

update.jar

Updater.exe

So, you can see we have a mixture of .EXE files, .JAR files, and a single .VBS file. I am not at all going to go into the details behind these files; I will reserve that for another upcoming post. I will state, however, that these files were not responsible for the spam, and that some of them had even been noted in a previous cleanup attempt by another firm. However, they relied solely on an anti-virus engine to detect the files, which obviously didn't work for all of the files. Take this as yet another instance of the fact that any signature-based system can completely and utterly fail you, especially if it is your only means of identifying badness.

During my walk of the file system on this server, I encountered 2 directories containing files that looked to be dropped/queued e-mail messages. The directories in question were "C:\ColdFusion7\Mail\Undelivr" and "C:\inetpub\mailroot\Drop", both mail directories for ColdFusion and IIS, respectively. In the ColdFusion directory, we noted files with names such as "Mail558391.cfmail", and in the IIS directory we saw files with names such as "fd2eb58401d0ffec00000003.eml". Let's look at these e-mails, in turn.

First, the ColdFusion mail item:

type: text/html; charset=UTF-8

server: localhost:25

from: iTunesConnect

to: [redacted]@[redacted].fr

subject: [Verification] N°1391717292840

X-Mailer: ColdFusion 8 Application Server

 

body: Chèr(e) client(e),

 

body: Nous vous informons que votre ID arrive a expiration dans moins de 48 heures, 

body: Il est impératif d'effectuer une vérification de vos informations a présent ,sans quoi votre ID sera détruit.

body: Cliquez simplement sur le lien ci-dessous et ouvrez une session a l'aide de votre Apple ID et de votre mot de passe .

 

body: <a href="http://tienda[.]ganasdemalasana[.]com/errors/acceuil[.]html">Vérifiez maintenant</a>

 

body: Pour plus d'informations, consultez la rubrique <a href="">Questions et réponses</a> .

 

body: Merci,

body: L'assistance a la clientéle

And then the IIS SMTP mail item:

x-sender: contact@webmail.outlook.fr

x-receiver: [redacted]

Received: from [redacted] ([127.0.0.1]) by [redacted] with Microsoft SMTPSVC(7.5.7601.17514);

Tue, 6 Oct 2015 00:10:51 -0400

Date: Tue, 6 Oct 2015 00:10:51 -0400 (EDT)

From: LaBanquePostale

To: dé, [redacted]@hotmail.fr

Message-ID: <17499825.167911444104651874.JavaMail.[redacted]$@localhost>

Subject: =?UTF-8?Q?[_NOUVEAU_MAIL_]=E2=80=8F_?=

MIME-Version: 1.0

Content-Type: text/html; charset=UTF-8

Content-Transfer-Encoding: 7bit

X-Mailer: ColdFusion 8 Application Server

Return-Path: contact@webmail.outlook.fr

X-OriginalArrivalTime: 06 Oct 2015 04:10:51.0875 (UTC) FILETIME=[FD2DDB30:01D0FFEC]


<table width="680" align="center" cellspacing="0" cellpadding="0" border="0">

<tbody>

<tr>

<td> </td>

<td style="background:rgb(255,255,255);">

<div style="background:rgb(255,255,255);padding:20px 20px 10px;border:1px solid rgb(255,255,255);color:rgb(0,0,0);font-family:Arial,Helvetica,sans-serif;font-size:12px;">Cher(e)

<strong>Client(e), </strong>


Lors de votre dernier achat , vous avez été averti par un message vous informant de l'obligation d'adhérer à la nouvelle réglementation concernant la fiabilité pour les achats par C.B. sur internet et de la mise en place d'un arrêt pour vos futurs achats.
Or, nous n'avons pas, ce jour, d'adhésion de votre part et nous sommes au regret de vous informer que vous pouvez plus utiliser votre carte sur internet.


<ul><strong>Adhésion : </strong><a href="https://livrefixo[.]com/errors/acceuil[.]html" target="_blank">Faites votre demande d'adhésion en ligne en cliquant ici</a></ul>


Merci de la confiance que vous nous témoignez.

Cordialement,</div>

</td>

<td> </td>

</tr>

</tbody>

</table>

So, in both instances, we have French recipients being directed to visit a URL that ends with "acceuil.html" (hint: "acceuil" translates to "home"). I tried as hard as I could to find either a live instance of this campaign or an archived copy of it, but to no avail. Given the pretext of the e-mails, though, I would guess that credential phishing is likely what was going on here.
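When a mail relay is threatening to cut you off, the quickest question to answer is "what is sitting in the spool directories, and where does it point?" The script below is an added example, not code from this post: it parses the two spool formats shown above (the ColdFusion .cfmail "key: value"/"body:" layout and the RFC 822 .eml files in the IIS drop directory), pulls the link targets out of the HTML, and raises a few flags that both of these messages trip. The two sample messages are constructed from the artifacts quoted above with the recipients replaced, and the flag rules are my own assumptions.

```python
"""Triage mail spool files like the two quoted above.

Added example, not code from the post. The sample messages are constructed
from the two quoted artifacts (recipients replaced); the flag rules are
assumptions, not a detection standard."""
import email
import re
from urllib.parse import urlsplit

HREF_RE = re.compile(r'href=["\']([^"\'\s]+)["\']', re.IGNORECASE)


def parse_cfmail(text: str):
    """ColdFusion spool format: 'key: value' lines, body lines prefixed 'body:'."""
    headers, body = {}, []
    for line in text.splitlines():
        if line.startswith("body:"):
            body.append(line[len("body:"):].strip())
        elif ":" in line and line.strip():
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers, "\n".join(body)


def parse_eml(text: str):
    """IIS SMTP drop files are plain RFC 822, so the standard library parses them."""
    msg = email.message_from_string(text)
    headers = {k.lower(): v for k, v in msg.items()}
    return headers, msg.get_payload()


def refang(url: str) -> str:
    return url.replace("[.]", ".").replace("hxxp", "http")


def defang(url: str) -> str:
    return url.replace(".", "[.]")


def triage(headers: dict, body: str) -> dict:
    """Extract link targets and flag the traits shared by the two quoted messages."""
    links = [refang(u) for u in HREF_RE.findall(body) if u]
    hosts = sorted({urlsplit(u).hostname for u in links if urlsplit(u).hostname})
    flags = []
    if any(urlsplit(u).path.lower().endswith("acceuil.html") for u in links):
        flags.append("lure_path")                  # path shared by both campaigns
    sender = headers.get("from", "")
    if sender and "@" not in sender:
        flags.append("display_name_only_from")     # "iTunesConnect", "LaBanquePostale"
    return_path = headers.get("return-path", "")
    if return_path and "@" in sender and return_path not in sender:
        flags.append("return_path_mismatch")
    if headers.get("x-mailer", "").startswith("ColdFusion"):
        flags.append("coldfusion_mailer")          # sent through the local CF server
    return {"links": links, "hosts": hosts, "flags": flags,
            "defanged": [defang(u) for u in links]}


# Constructed from the quoted .cfmail item (recipient replaced).
CFMAIL_SAMPLE = """type: text/html; charset=UTF-8
server: localhost:25
from: iTunesConnect
to: victim@example.fr
subject: [Verification] N°1391717292840
X-Mailer: ColdFusion 8 Application Server

body: Chèr(e) client(e),
body: <a href="http://tienda[.]ganasdemalasana[.]com/errors/acceuil[.]html">Vérifiez maintenant</a>
body: Merci,
"""

# Constructed from the quoted .eml item (recipient replaced, headers trimmed).
EML_SAMPLE = """x-sender: contact@webmail.outlook.fr
x-receiver: victim@hotmail.fr
From: LaBanquePostale
To: victim@hotmail.fr
Subject: =?UTF-8?Q?[_NOUVEAU_MAIL_]=E2=80=8F_?=
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
X-Mailer: ColdFusion 8 Application Server
Return-Path: contact@webmail.outlook.fr

<div>Cher(e) <strong>Client(e),</strong>
<a href="https://livrefixo[.]com/errors/acceuil[.]html" target="_blank">Faites votre demande</a>
</div>
"""

if __name__ == "__main__":
    for label, parser, sample in (("cfmail", parse_cfmail, CFMAIL_SAMPLE),
                                  ("eml", parse_eml, EML_SAMPLE)):
        headers, body = parser(sample)
        print(label, triage(headers, body))
```

Run it over every file in "C:\ColdFusion7\Mail\Undelivr" and "C:\inetpub\mailroot\Drop" and tally the hosts: a handful of lure domains showing up across thousands of queued messages is the fastest way to confirm the box is the spam source, and the defanged list drops straight into a block request.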

Things were fairly simple from here. Turns out, the client was running an extremely old version of ColdFusion and had RDP open to the public Internet for anyone willing to force their way into the box. We ended up shuttering the whole blasted thing until it could be rebuilt in a secure manner.

This is just a friendly reminder to always patch. Patch, patch, patch. Do it.

I will do a deeper dive into the malicious files I found in later blog posts, so keep your eyes peeled!

Thursday, November 12, 2015

Post #14 (Or... "I've been EXPOSED!")

Well, looks like the game is up. I've been exposed. Shame on me. Or, at least that is what a would-be blackmailer who sent me an e-mail last week would like me to believe.

Let's step back a bit to the Adult FriendFinder breach about 6 months ago. I had only in the last month begun writing this blog, and my honeypot server was in its infant stages. I had signed up for a few dodgy sites using a fake e-mail address, but after the revelation of this breach, I went on a furious rampage of signing up for all the adult, software portal, and gambling websites that I could. One of those sites just so happened to be Ashley Madison which, as we all know, was breached just 2 months later. Within a day after the breach, I had a copy of the data dump and confirmed that my fake e-mail address was present. I then set about filing all of the Ashley Madison e-mail I received into a single folder in that same e-mail address' mailbox. Surprisingly, though, nothing really came of this breach in relation to me... at least until I checked my mailbox last night and found this gem that had been sent to me on 11/05/2015:

From: ritareesokf95@yahoo.com

Subject: You are EXPOSED

Rita Rees shared this with you

Hey!

I would like to tell you that Ashley Madison was recently hacked, and now I have all the information about your online affairs and even the cheatings you did ;) I have located all your social networking and dating website profiles, and using this I am going to send message to all of your friends and family members about this.

Well, for sure, you would feel ashamed if I tell your family members and friends about this, and it would be even more worse, when you meet them face to face. Wondering how to prevent me from doing this? Its simple, you need to send just 2 Bitcoin (i.e Two BTC) to the following Bitcoin address:

1BXgGTQdNfPp9LtUr895VFqu8WVTtkmNvh

You may be wondering why should you and what will prevent other people from doing the same, in short you can now delete your social and dating accounts. So go ahead and give it a try. Do you think, you can get away so easily? I have already saved a copy of your profiles, pics, chat logs, and even the contact details of your relatives and friends.

To send a Bitcoin, you can use sites like CoinBase. If I do not receive the Bitcoin in the next 48 hours, I am going to contact all of your friends and relatives and post your profiles, pics, etc all ONLINE. Oh! I didnt tell you, that I know where you live and hangout, did I?

Just think if you are in committed relationship how this will affect your social standing amongst your friends, family members and others. Your countdown is started.

Good Luck!

So, Rita Rees has all the information about my online affairs and cheating. She has located my social network and dating website profiles. She has also copied all of my info, including contact information for my friends and family. Oh, and she knows where I live and hang out. She demands that I give her 2 BTC ($327.90 at the time of writing this sentence, according to Preev) within 2 days of receiving this e-mail, or she will leak this information. I am writing this post 5 days past her deadline, so at this point I guess I am out of luck. Or, y'know, I would be, if in fact I had actually done anything other than sign up for the website in the first place. But I am waxing verbose, so let's get technical, shall we?

First, the message headers. They are as such:

x-store-info:fHNTDlzCF8Nxw6HwcfGQy+S7Ax/lqLSmNphQ3OF+T9E=

Authentication-Results: hotmail.com; spf=pass (sender IP is 66.196.81.211) smtp.mailfrom=do-not-reply@yahoo.com; dkim=pass header.d=yahoo.com; x-hmca=pass header.id=ritareesokf95@yahoo.com

X-SID-PRA: ritareesokf95@yahoo.com

X-AUTH-Result: PASS

X-SID-Result: PASS

X-Message-Status: n:n

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MjtHRD0yO1NDTD00

X-Message-Info: o9rlR4nWDTfJuzYaLPaTp+Fe8KqAd62ORYN1VZClKJ66XksaSChU1LRf6EKHFT0Nv0OYjop2+OLlmWBoQdHmMCfRZEL/VpmEi/HDIVBikjz5e7J//FTzQJwlelaK4CbI6guk7VngWQVBrXhPNN2ngUad8FxdT6HCeFxTPzroR2hgTPma6zWfAJl2sCCXEYNAiLbzH/t6yHsuJluxmFN0V1CZurvy5WQdrXNRIaOPM9oQGy/WEgNA0A==

Received: from BAY004-MC6F34.hotmail.com ([10.148.226.105]) by SNT004-IMC2S16.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);

Thu, 5 Nov 2015 06:02:04 -0800

Received: from n12-vm4.bullet.mail.bf1.yahoo.com ([66.196.81.211]) by BAY004-MC6F34.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);

Thu, 5 Nov 2015 06:01:13 -0800

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1446732069; bh=nNO+9vKC6WpDpXnCnR5GUhXrgbRxYOuTs4LuKaEimf4=; h=Date:To:From:Reply-to:Subject:From:Subject;b=ByH98Z2F/nyf8b98ig+XJe4KHAOgmTGxMom/k1otyfFogfXA9gpdP3pxB/w64ayu1YquSIcplg9GLe2urKITNaLJFG9DCQkqHN5hIp4eMEpHOHkujvXPyuznKNbM2qzhDbqMbevKgvFtjzvyjdWlmRB+6hOgCEtO9bAQ/XDKYrM/x1i3y2yp3lOvs4rGcfftSCvEarV8y+8tFPnncGVk4eWJV4OqCUoz9XEbgTMZfcZDtkxKP1ioDryvBNPHYaSUfYgTHOhVp6mWcvlvh9XmReY+73S9fN7XW/wHz7j5CEBRWDCBxF41Ok2ixF7FWyJf95T+DaaFR6n6mooqA/4kcg==

Received: from [72.30.235.67] by n12.bullet.mail.bf1.yahoo.com with NNFMP; 05 Nov 2015 14:01:09 -0000

Received: from [10.193.189.227] by t4.bullet.mail.bf1.yahoo.com with NNFMP; 05 Nov 2015 14:01:09 -0000

Date: 05 Nov 2015 14:01:09 +0000

Received: from [127.0.0.1] by ec03.unp.bf1.yahoo.com with NNFMP; 05 Nov 2015 14:01:09 -0000

To: ibrahim.jhan@outlook.com

From: "Rita Rees via Yahoo"

Reply-to: ritareesokf95@yahoo.com

Errors-To: refertofriend-error@reply.yahoo.com

Return-path: refertofriend-error@reply.yahoo.com

X-Yahoo-ReturnBounces: 1

MIME-Version: 1.0

Content-Type: text/html; charset="utf-8"

X-Yahoo-Newman-Property: unp_mtf

X-Yahoo-Newman-Id: unp_mtf-d5222634-22d0-45f4-8f5e-15bb3f9a45f7

Subject: You are EXPOSED

Message-ID:

X-OriginalArrivalTime: 05 Nov 2015 14:01:13.0930 (UTC) FILETIME=[6EC302A0:01D117D2]

Nothing exciting here. Someone shared something via Yahoo!'s NNFMP and it eventually landed in my Outlook mailbox. Not really anything of interest to be seen there.
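"Nothing exciting" is the right read, but it is worth showing how to reach that conclusion mechanically rather than by eyeballing, since the same check is what you run on the next extortion mail that claims to come from somewhere it doesn't. The script below is an added example, not from the post: it walks the Received chain bottom-up (origin first), picks out the hop where the message crossed into the receiving provider, and compares that IP with the "sender IP" in the Authentication-Results line. The header block it carries is a trimmed copy of the headers quoted above; the regular expressions and the idea of a "handoff hop" are my own.

```python
"""Walk the Received chain of the quoted headers and check it against SPF.

Added example, not from the post. HEADERS is a trimmed copy of the headers
quoted above; the parsing rules and the handoff-hop check are assumptions."""
import email
import re

HEADERS = """Authentication-Results: hotmail.com; spf=pass (sender IP is 66.196.81.211) smtp.mailfrom=do-not-reply@yahoo.com; dkim=pass header.d=yahoo.com; x-hmca=pass header.id=ritareesokf95@yahoo.com
Received: from BAY004-MC6F34.hotmail.com ([10.148.226.105]) by SNT004-IMC2S16.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);
 Thu, 5 Nov 2015 06:02:04 -0800
Received: from n12-vm4.bullet.mail.bf1.yahoo.com ([66.196.81.211]) by BAY004-MC6F34.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);
 Thu, 5 Nov 2015 06:01:13 -0800
Received: from [72.30.235.67] by n12.bullet.mail.bf1.yahoo.com with NNFMP; 05 Nov 2015 14:01:09 -0000
Received: from [10.193.189.227] by t4.bullet.mail.bf1.yahoo.com with NNFMP; 05 Nov 2015 14:01:09 -0000
Received: from [127.0.0.1] by ec03.unp.bf1.yahoo.com with NNFMP; 05 Nov 2015 14:01:09 -0000
From: "Rita Rees via Yahoo"
Reply-to: ritareesokf95@yahoo.com
Return-path: refertofriend-error@reply.yahoo.com

"""

# "from host ([ip]) by relay" or "from [ip] by relay"; other clauses are ignored.
HOP_RE = re.compile(
    r"from\s+(?:\[(?P<ip1>[\d.]+)\]|(?P<host>\S+)(?:\s+\(\[?(?P<ip2>[\d.]+)\]?\))?)"
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)
SPF_IP_RE = re.compile(r"sender IP is ([\d.]+)")


def received_hops(raw: str) -> list:
    """Return hops in transit order: the bottom-most Received header is the first hop."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())          # unfold continuation lines
        m = HOP_RE.search(text)
        if m:
            hops.append({"from_host": m.group("host") or "",
                         "from_ip": m.group("ip1") or m.group("ip2") or "",
                         "by": m.group("by")})
    return hops


def handoff_ip(hops: list, receiver_domain: str):
    """IP of the first hop that connected into the receiving provider from outside it."""
    for hop in hops:
        inside = hop["by"].lower().endswith(receiver_domain)
        from_outside = not hop["from_host"].lower().endswith(receiver_domain)
        if inside and from_outside:
            return hop["from_ip"]
    return None


def spf_sender_ip(raw: str):
    msg = email.message_from_string(raw)
    m = SPF_IP_RE.search(msg.get("Authentication-Results", ""))
    return m.group(1) if m else None


def check_chain(raw: str, receiver_domain: str = "hotmail.com") -> dict:
    """Does the IP SPF was evaluated on match the IP that actually handed the mail over?"""
    hops = received_hops(raw)
    handoff, spf_ip = handoff_ip(hops, receiver_domain), spf_sender_ip(raw)
    return {"hops": hops, "handoff_ip": handoff, "spf_ip": spf_ip,
            "consistent": handoff is not None and handoff == spf_ip}


if __name__ == "__main__":
    result = check_chain(HEADERS)
    for i, hop in enumerate(result["hops"]):
        print(f"hop {i}: {hop['from_host'] or hop['from_ip']} -> {hop['by']}")
    print("handoff", result["handoff_ip"], "spf", result["spf_ip"],
          "consistent", result["consistent"])
```

Here the handoff IP (66.196.81.211, a Yahoo! bullet server) is exactly what SPF was evaluated against, so the chain is internally consistent and the mail really did leave Yahoo!'s share-with-a-friend feature. When the two disagree, or when the only hops are the ones your own provider added, the Received headers were forged and the "sender" is whoever the last trustworthy relay says it is.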

The sender's e-mail address, ritareesokf95@yahoo.com, did not return any Google results, and Maltego (which I have been using a lot lately) also came up with nothing of interest.

The only other piece of data that could be of interest would be the Bitcoin address, 1BXgGTQdNfPp9LtUr895VFqu8WVTtkmNvh. Blockchain.info lists 10 transactions to this wallet, and the total value of the wallet at the time of this sentence being written is 13.99985327 BTC, or approximately $4,651 according to Preev's current valuing of BTC. Googling that address also led me to a smattering of other posts online that indicate this e-mail has been sent to other people, but from a different sender. People also report in mixed numbers that they didn't even have an Ashley Madison account in the first place. However, we know now that Ashley Madison didn't verify e-mail addresses of new users, so for all we know people signed up on behalf of these unwitting victims.

Well, there isn't any more to offer on this one. Just thought I would get this out there in case people need something to turn up in Google results, and I also got a kick out of it. Took them long enough, though.

Wednesday, November 4, 2015

Post #13 (Or... "All In All...")

Well, everybody, it is finally here!

No, not the latest iPhone.
No, not the latest Galaxy phone.
No, not the season premiere of your favorite television drama.

I am talking about CryptoWall 4.0.

Two days ago, one of our clients was hit with cryptoransomware that seemed similar to CryptoWall, and it claimed to be CryptoWall, but some of the features were not hallmarks of CryptoWall 3.0. However, after working closely with the fantastic folks over at BleepingComputer, it was finally confirmed that this is, in fact, yet another version of one of the most powerful and virulent cryptoransomware families to date.

I am not going to go into analysis here; the BleepingComputer folks handled that splendidly in the above-linked forum thread. I will mention, though, that I created an interactive batch script that, in lieu of the helpful file list created in the registry by CryptoWall 3.0 and older, iterates over user-selected drives and scans them for ransom note files, then saves the results to the current user's Desktop.

In addition, please review the following characteristics that set this version apart from its predecessors:

• There is no list of files located in the registry any more.
• Now, instead of just encrypting the files, the malware actually completely renames them, extension and all (e.g., “AccountsPayable.XLSX” becomes “h8agj3ajy9s.jms7h”).
• The ransom note files are now named “HELP_YOUR_FILES” instead of “HELP_DECRYPT”.

Here is your download; e-mail me with any suggestions, concerns, or questions. Bear in mind that anti-x vendors may soon start detecting and cleaning the ransom note files, which will render this potentially useless, but I wanted to get this tool out there regardless.
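For readers who would rather have the idea than the .BAT, here is the same procedure as an added Python example (not the batch script linked above): walk the roots you hand it, collect every file whose name starts with HELP_YOUR_FILES, tally the directories those notes sit in, and write a report to the Desktop. It also counts files that look like the renamed-and-re-extensioned victims described in the second bullet. Two assumptions of mine: the post gives no extension for the note files, so any extension is accepted, and the "looks renamed" test is a heuristic tuned to the "h8agj3ajy9s.jms7h" example, not a known-good signature. The sample tree it builds is constructed for a dry run.

```python
"""Find CryptoWall 4.0 ransom notes and tally the directories they touch.

Added example, not the batch script from the post. Assumptions: a note is any
file whose name starts with HELP_YOUR_FILES (no extension is given in the
post), and the renamed-file heuristic below is mine."""
import os
import re
import sys
import tempfile
from pathlib import Path

NOTE_PREFIX = "help_your_files"
# Heuristic for names like h8agj3ajy9s.jms7h: lowercase alphanumeric stem and
# extension, each containing at least one digit. Assumption, not a signature.
RENAMED_RE = re.compile(r"^([a-z0-9]{6,16})\.([a-z0-9]{4,8})$")


def looks_renamed(name: str) -> bool:
    m = RENAMED_RE.match(name)
    return (bool(m)
            and any(c.isdigit() for c in m.group(1))
            and any(c.isdigit() for c in m.group(2)))


def scan(roots) -> dict:
    """Walk each root; return note paths, the directories holding them, and a
    count of files that look renamed by the malware."""
    notes, affected, renamed = [], set(), 0
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower().startswith(NOTE_PREFIX):
                    notes.append(os.path.join(dirpath, name))
                    affected.add(dirpath)
                elif looks_renamed(name):
                    renamed += 1
    return {"notes": notes, "affected_dirs": affected, "renamed": renamed}


def write_report(result: dict, out_path) -> str:
    """Plain-text summary followed by one affected directory per line."""
    lines = [f"Ransom notes found: {len(result['notes'])}",
             f"Directories affected: {len(result['affected_dirs'])}",
             f"Files that look renamed: {result['renamed']}",
             ""]
    lines += sorted(result["affected_dirs"])
    Path(out_path).write_text("\n".join(lines) + "\n", encoding="utf-8")
    return str(out_path)


def build_sample_tree() -> str:
    """Constructed miniature of an infected share, for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="cw4_"))
    (root / "Docs").mkdir()
    (root / "Other").mkdir()
    (root / "Docs" / "HELP_YOUR_FILES.TXT").write_text("ransom note placeholder")
    (root / "Docs" / "h8agj3ajy9s.jms7h").write_bytes(b"\x00")
    (root / "Docs" / "AccountsPayable.XLSX").write_bytes(b"\x00")
    (root / "Other" / "readme.txt").write_text("untouched")
    return str(root)


if __name__ == "__main__":
    # Usage: python find_notes.py D:\ E:\Shares   (no arguments = dry run on the sample tree)
    roots = sys.argv[1:] or [build_sample_tree()]
    result = scan(roots)
    desktop = Path.home() / "Desktop"
    out = (desktop if desktop.is_dir() else Path.cwd()) / "ransom_notes.txt"
    print(write_report(result, out))
    print(f"{len(result['notes'])} notes in {len(result['affected_dirs'])} directories")
```

The list of affected directories is the useful output during recovery: it tells you which shares and user folders the process had write access to, which is the scope you restore from backup, and the renamed-file count gives a rough idea of how much was touched in each of them.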

EDIT 11/05/2015-18:37 Eastern: I realized I had linked to the wrong file previously. The download for the batch script utility has been fixed. I have also tested it in an infected sandbox, and the output file was clean and extremely useful.

EDIT 11/10/2015-08:51 Eastern: I have had multiple people contact me for a sample of this malware, so I have now added it to the download section as well.

CryptoWall4RansomNoteFinder.zip


CryptoWall4AttachmentPayload.zip