CryptXXX: New Ransomware From the Actors Behind Reveton, Dropping Via Angler

April 18, 2016
Kafeine

Overview

Proofpoint researchers recently found a previously undocumented ransomware spreading since the end of March through Bedep after infection via the Angler Exploit Kit (EK). Combining our findings with intelligence shared by Frank Ruiz (Fox IT InTELL) led us to the same conclusion: this project is conducted by the same group that was driving Reveton ransomware operations and is closely tied to Angler/Bedep. Dubbed "CryptXXX", this new ransomware is currently asking a relatively high $500 per computer to unlock encrypted files. Angler is the number one exploit kit by volume, making the potential impact of new ransomware in the hands of experienced actors with access to this vector quite significant.

Analysis

On April 15, 2016, we spotted an Angler EK into Bedep pass pushing both a ransomware payload and Dridex 222.

Figure 1: April 15, 2016 - UK - Redirector to Angler loading Bedep spreading a Ransomware and Dridex 222 among other payloads

To alert the victim that they are infected and their files are encrypted, this ransomware creates three types of files, similar to many other types of ransomware (Locky, Teslacrypt, and Cryptowall):

  • de_crypt_readme.bmp
  • de_crypt_readme.txt
  • de_crypt_readme.html

Figure 2: Ransomware user notification page

Figure 3: Ransomware black wallpaper

Figure 4: Payment site, with multi-language support (Languages available: EN, IT, FR, ES, DE, JP, NL, PL, PT, TR, CN)

Figure 5: Payment site - Decrypt soft help

Figure 6: Ransomware payment site FAQ

Initially we could not connect this ransomware to any that we already know, but searching the Internet we found a forum thread [1] where victims first reported infections on the 31st of March. We decided to take a closer look and ran the full chain in a monitored environment:


Figure 7: April 16, 2016 - a chain to CryptXXX

The ransomware is being shipped as a DLL dropped by Bedep in folders like those observed below in four separate infections:

  • C:\Users\%Username%\AppData\Local\Temp\{C3F31E62-344D-4056-BF01-BF77B94E0254}\api-ms-win-system-softpub-l1-1-0.dll

  • C:\Users\%Username%\AppData\Local\Temp\{D075E5D0-4442-4108-850E-3AD2874B270C}\api-ms-win-system-provsvc-l1-1-0.dll

  • C:\Users\%Username%\AppData\Local\Temp\{D4A2C643-5399-4F4F-B9BF-ECB1A25644A6}\api-ms-win-system-wer-l1-1-0.dll

  • C:\Users\%Username%\AppData\Local\Temp\{FD68402A-8F8F-4B3D-9808-174323767296}\api-ms-win-system-advpack-l1-1-0.dll

In real-world conditions, the start of this DLL is randomly delayed (for example, we saw 62 minutes):


Figure 8: CryptXXX launch delay caught by sandbox analysis

The main advantage of this delay from a threat actor’s perspective is that the victim won’t be able to easily connect it to the infection vector (that is, to the compromised or malvertised website).

We saw the DLL executed in multiple cases with the entry function ‘Working’, but this will likely change in the future:


Figure 9: CryptXXX start command line

The ransomware has anti-VM and anti-analysis functions. In particular, CryptXXX:

  • Checks CPU name in the Registry

  • Installs a hook procedure to monitor for mouse events

When the ransomware actually executes, it encrypts files and adds a .crypt extension to the filename.
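The host artifacts described above (the GUID-named %TEMP% subfolder holding an api-ms-win-system-*.dll, the three de_crypt_readme notes, the .crypt extension, and a DLL started through a custom entry function) can be turned into a simple triage check. The Python below is an added example written for this post, not Proofpoint's tooling. It assumes the DLL is launched through rundll32 with the "<dll>,<entry>" syntax (the post names the entry function 'Working' but does not reproduce the command line from Figure 9), and the file paths and command lines it scans are constructed samples, not data from a real infection.

```python
"""Triage check for the CryptXXX host artifacts described in the post.

Added example, not Proofpoint's tooling. Assumptions: the dropped DLL is
started through rundll32 with the "<dll>,<entry>" syntax, and the sample
paths and command lines below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

# Registry-style GUID folder name, as in the four observed drop paths
GUID = r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}"

# %LOCALAPPDATA%\Temp\{GUID}\api-ms-win-system-<name>.dll. Genuine API-set
# DLLs live under System32, never in a per-user Temp folder, so the
# location is the discriminator, not the file name.
DROPPED_DLL_RE = re.compile(
    r"\\AppData\\Local\\Temp\\" + GUID + r"\\api-ms-win-system-[a-z0-9-]+\.dll$",
    re.IGNORECASE,
)
RANSOM_NOTE_RE = re.compile(r"(?:^|\\)de_crypt_readme\.(?:bmp|txt|html)$", re.IGNORECASE)
CRYPT_EXT_RE = re.compile(r"\.crypt$", re.IGNORECASE)

# Assumed launch syntax: rundll32[.exe] "<path>.dll",<entry>
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\"?(?P<dll>[^\",]+?\.dll)\"?\s*,\s*(?P<entry>\w+)",
    re.IGNORECASE,
)
# Entry function observed at the time of writing; the post expects it to
# change, so the DLL location is checked independently of the name.
SUSPECT_ENTRY = "Working"


@dataclass(frozen=True)
class Finding:
    kind: str      # dropped_dll | ransom_note | encrypted_files | rundll32_entry
    evidence: str


def triage_paths(paths):
    """Classify file paths; encrypted files are summarised as one finding."""
    findings, crypt_count = [], 0
    for path in paths:
        if DROPPED_DLL_RE.search(path):
            findings.append(Finding("dropped_dll", path))
        elif RANSOM_NOTE_RE.search(path):
            findings.append(Finding("ransom_note", path))
        elif CRYPT_EXT_RE.search(path):
            crypt_count += 1
    if crypt_count:
        findings.append(Finding("encrypted_files", f"{crypt_count} file(s) with .crypt extension"))
    return findings


def triage_cmdlines(cmdlines):
    """Flag rundll32 launches of a DLL from the Temp\\{GUID} location or with the known entry."""
    findings = []
    for line in cmdlines:
        m = RUNDLL_RE.search(line)
        if m and (DROPPED_DLL_RE.search(m["dll"]) or m["entry"] == SUSPECT_ENTRY):
            findings.append(Finding("rundll32_entry", f'{m["dll"]},{m["entry"]}'))
    return findings


# Constructed sample data (not from a real infection)
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\{C3F31E62-344D-4056-BF01-BF77B94E0254}\api-ms-win-system-softpub-l1-1-0.dll",
    r"C:\Users\alice\Documents\budget.xlsx.crypt",
    r"C:\Users\alice\Documents\de_crypt_readme.txt",
    r"C:\Users\alice\Documents\de_crypt_readme.html",
    r"C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll",  # legitimate API-set DLL, must not fire
    r"C:\Users\alice\Pictures\holiday.jpg",
]
SAMPLE_CMDLINES = [
    r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\{C3F31E62-344D-4056-BF01-BF77B94E0254}\api-ms-win-system-softpub-l1-1-0.dll",Working',
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",  # benign rundll32 use
    r"notepad.exe C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for f in triage_paths(SAMPLE_PATHS) + triage_cmdlines(SAMPLE_CMDLINES):
        print(f"{f.kind:16} {f.evidence}")
```

Feeding the check from a file listing and a process-creation log (Sysmon event 1 or equivalent) rather than the constructed lists is the only change needed for real use; note that the .crypt count is summarised rather than listed, since a single infected host produces thousands of such paths.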


Figure 10: Sandbox output showing the most visible action to the victim

Figure 11: CryptXXX attempting access to all the possible mounted drives

This ransomware is not only encrypting files locally and on all mounted drives; it’s stealing Bitcoins and a large range of other data. We were expecting this because that instance of Bedep has a long history of dropping information stealers in its update stream. Specifically, it dropped Pony from November 2014 until mid-December 2015. It replaced Pony with an undocumented “private stealer” until mid-March 2016. We believe that the information stealing functions in this ransomware are the same as in the “private stealer” distributed by this instance of Bedep.

Figure 12: CryptXXX harvesting instant messenger client data

Figure 13: CryptXXX harvesting credentials from local FTP client software

Figure 14: CryptXXX harvesting information related to installed mail clients

Figure 15: CryptXXX collecting browser data

Figure 16: CryptXXX stealing cookie data

Affiliation

Based on the infection vector and its history, we suspected this new ransomware was directly connected to the Angler/Bedep team. We based the name of this ransomware on two strings found in the unpacked binary:

Z:\CryptProjectXXX\Loader\InstDecode.pas
Z:\CryptProjectXXX\Loader\DDetours.pas

Note that the real name of Angler EK is also XXX [2]. Additionally, the actor behind Angler EK was also behind Cool EK and Reveton [2][3].

Figure 17: Last known design of the Reveton Ransomware, February 2015 [5]

There are many similarities between Reveton and CryptXXX. Most notably,

  • Delphi programming language

  • Custom C&C protocol on TCP 443

  • Delayed start

  • DLL called with a custom entry function

  • .dat file dropped in %AllUsersProfile% (for CryptXXX this looks like code reuse, as the file only contains the letter x)

  • Bitcoin and credential stealing functions


Figure 18: CryptXXX check-in caught by sandbox

Figure 19: CryptXXX is dropping a .dat file containing only the letter x.

Conclusion

Based on threat intelligence shared by Frank Ruiz (Fox IT InTELL) and telltale signs uncovered in our own analysis, we are confident in the connection between CryptXXX and the Reveton Team. Given Reveton's long history of successful and large-scale malware distribution, we expect CryptXXX to become widespread. While we have observed many new ransomware instances in recent months, many have been written and/or distributed by less experienced actors and have not gained significant traction. Those associated with more experienced actors (such as Locky), however, have become widespread quickly. Based on the large number of translations available for the payment page, it appears that the Reveton team shares those expectations.

Acknowledgement

Thanks to Frank Ruiz from Fox IT InTELL [6] for sharing strong clues confirming the relationship between CryptXXX and Reveton.

References

[1] - http://www.bleepingcomputer.com/forums/t/609690/de-crypt-ransomware-support-and-help-topic-crypt-ext-de-crypt-readmehtml

[2] - http://malware.dontneedcoffee.com/2015/12/xxx-is-angler-ek.html

[3] - http://krebsonsecurity.com/2016/04/blackhole-exploit-kit-author-gets-8-years/

[4] - http://malwdontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html

[5] - http://malware.dontneedcoffee.com/2015/02/RevetonWinter2015.html

[6] - https://www.fox-it.com/intell/

Indicators of Compromise (IOCs)

IP/Domain                   | Comment
146.0.42.68                 | CryptXXX checkin server
rp4roxeuhcf2vgft.onion.to   | CryptXXX payment site
rp4roxeuhcf2vgft.onion.cab  | CryptXXX payment site
rp4roxeuhcf2vgft.onion.city | CryptXXX payment site
104.193.252.245             | Bedep C&C IP

md5                              | sha256                                                           | Comment
3776ec795ef3aa649ff48fcf83c87713 | 41dbbc60b8921709c5eb187cf03e60701e3b172e6deebdb67dd66c8cb3666b90 | Zip archive with most of the mentioned content
17697e1829f0d18d2051a67bc2bca134 | ab7a58b6e50be6b9bcb926c550ff26669601bbd8bfd922a5b32756e663b25a67 | Bedep 1809 first stream dll - CryptXXX
d4439055d2d63e52ffc23c6d24d89194 | 1036c84a003378907560356642bb065caef961f9dbc5c3b2a4954d5cbe7100df | Bedep 1809 update stream dll1
3e75e8238a6bbd8817164658696198af | 1036c84a003378907560356642bb065caef961f9dbc5c3b2a4954d5cbe7100df | Bedep 1809 update stream exe2 - Dridex 222
de882c049be133a950b6917562bb2313 | e53610a977b65c01b275e37aefad7884368dfe00b50750e35b6c8c87556a2c06 | Bedep 1809 update stream dll3
bfb8f7f6cbe24330a310e5c7cbe99ed4 | a4e9c151a50595b59e787dd3b361ac53d02dd7f212d6b22639dc01776c886d05 | CryptXXX
0c3431dbb8cd0478250eb4357257880e | 565dadb36e1d8b0c787d0d5e4cd7ec8c24cac1d6b37637427547ae465ab0fff0 | CryptXXX
cd2d085998a289134ffaf27fbdcbc8cb | 0b12584302a5a72f467a08046814593ea505fa397785f1012ab973dd961a6c0e | CryptXXX
d65f155381d26f8ddfa304c83b1ad95a | eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d | Bedep “Private stealer”
b824d94af0f981106ec2a12d0c4cc1c0 | 5bfae47c9fda81243b50b6df53ac4184d90a70000894fa2a516044fa44770cfd | Bedep “Private stealer”
971c578c9dea43f91bfb44ceac0ee01d | 59ddf36a9e85f4cf82a6511b49cfcdd9e4521b17f7e245f005e18418176ff4aa | Bedep Pony “news.php” (May 2015)
70a377690917a98e6ee682f7941eb565 | ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de | Bedep Pony “news.php” (December 2015)
728733095fe2c66f91a19ebde412dd25 | dff7c0aac326f210705e4f53cd78a57cb277e80ecec7bdffd6f68db3bdda39c3 | Reveton - 2015-04-14

Select ET Signatures that would fire on such traffic:

2819805 || ETPRO TROJAN CryptXXX  Ransomware Checkin

2819806 || ETPRO TROJAN CryptXXX Possible Payment Page

2021418 || ET TROJAN Bedep HTTP POST CnC Beacon

2022467 || ET TROJAN Bedep Connectivity Check M2

2811284 || ETPRO CURRENT_EVENTS Angler or Nuclear EK Flash Exploit M2

2815452 || ETPRO CURRENT_EVENTS Angler EK Landing/RIG EK Landing Dec 23 2015 Common Construct

2815888 || ETPRO CURRENT_EVENTS Possible Angler EK Landing Jan 21 M3

2816926 || ETPRO CURRENT_EVENTS Possible Angler EK Landing URI Struct M5 Apr 06

2816932 || ETPRO CURRENT_EVENTS Angler EK Landing with URI Primer Apr 06

2816933 || ETPRO CURRENT_EVENTS Angler EK Apr 07 2016

2816941 || ETPRO CURRENT_EVENTS Angler EK Flash Exploit URI Struct Apr 07 IE

2819646 || ETPRO CURRENT_EVENTS Angler EK Payload Apr 08 2016
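The network indicators from the IOC table above can be matched against proxy or DNS logs. The Python below is an added example for this post, not Proofpoint's code: the two IPs and the onion address are taken from the table, the log lines are constructed, and matching on the 16-character hidden-service name rather than on the three listed gateway suffixes is a generalisation that goes beyond the table. The payment site is one Tor hidden service, and any tor2web gateway (.onion.to, .onion.cab, .onion.city and others) exposes it under <onion>.onion.<gateway domain>, so a fourth gateway would otherwise slip past a literal list.

```python
"""Match the CryptXXX / Bedep network IOCs from the table against log lines.

Added example, not Proofpoint's code. The IPs and the onion address are
taken from the IOC table; the log lines are constructed. Matching on the
hidden-service name rather than on the three listed tor2web suffixes is a
generalisation so that an unlisted gateway still triggers the check.
"""
import re
from collections import namedtuple

IOC_IPS = {
    "146.0.42.68": "CryptXXX checkin server",
    "104.193.252.245": "Bedep C&C IP",
}
# Hidden-service name only; the table lists it behind .onion.to/.cab/.city
IOC_ONIONS = {"rp4roxeuhcf2vgft": "CryptXXX payment site"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)
# <onion>.onion, or <onion>.onion.<tor2web gateway TLD>; 16 base32 chars for
# a v2 address like the one in the table, 56 for a v3 address.
ONION_RE = re.compile(
    r"^(?P<name>[a-z2-7]{16}|[a-z2-7]{56})\.onion(?:\.[a-z]+)?$", re.IGNORECASE
)

Hit = namedtuple("Hit", "line_no indicator comment")


def onion_name(host):
    """Return the hidden-service name if host is a .onion or a tor2web alias, else None."""
    m = ONION_RE.match(host)
    return m["name"].lower() if m else None


def scan(lines):
    """Return every IOC hit found in the given log lines, in line order."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append(Hit(line_no, ip, IOC_IPS[ip]))
        for host in HOST_RE.findall(line):
            name = onion_name(host)
            if name in IOC_ONIONS:
                hits.append(Hit(line_no, host, IOC_ONIONS[name]))
    return hits


# Constructed log lines (proxy and DNS style); not real traffic
SAMPLE_LOG = [
    "2016-04-16T10:02:11Z 10.0.0.7 CONNECT 146.0.42.68:443",
    "2016-04-16T10:05:40Z 10.0.0.7 DNS query rp4roxeuhcf2vgft.onion.to",
    "2016-04-16T10:05:41Z 10.0.0.7 GET http://rp4roxeuhcf2vgft.onion.cab/",
    "2016-04-16T10:07:02Z 10.0.0.9 DNS query www.example.com",
    "2016-04-16T10:08:30Z 10.0.0.7 GET http://rp4roxeuhcf2vgft.onion.link/",  # gateway not in the table
    "2016-04-16T10:09:13Z 10.0.0.7 POST 104.193.252.245:80 /",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.indicator} -> {hit.comment}")
```

The check-in server is contacted on TCP 443 with a custom protocol, so a plain IP match on connection logs is the reliable signal there; TLS inspection would not help, and the ET signature 2819805 listed above covers the same traffic on the wire.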