Ransomware Leads in Growth and Impact While Hackers Remain Committed to Data Theft

PhishMe’s 2016 Malware Year in Review analysis shows fast growth of Ransomware while hackers continue to quietly attempt to steal data

LEESBURG, VA – March 14, 2017: PhishMe Inc., the leading provider of human phishing defense solutions, today released findings showing that while Ransomware delivered the greatest impact and growth in 2016, threat actors continue to attempt data breaches and theft.

PhishMe Wins Four 2017 Info Security Products Guide Global Excellence Awards®

PhishMe Wins for Best Security Service, Best Deployment in the U.S. and Top CEO and CTO Categories

LEESBURG, VA – March 3rd, 2017PhishMe, the leading provider of human-phishing defense solutions, was recently honored with four 2017 Info Security Products Guide Global Excellence Awards®, winning in every category in which it was a finalist. These prestigious global awards, put on by the industry’s leading information security research and advisory guide, recognize security and IT vendors with advanced, ground-breaking products and solutions that help set the bar higher for others in all areas of security and technologies. More than 40 judges from a broad spectrum of industry voices from around the world weighed the nominations, and their average scores determined the 2017 Global Excellence Awards finalists and winners. 

PhishMe Triage Integrates with Palo Alto Networks WildFire Cloud to Combat Phishing

Integration Pairs Efficient and Expedient Phishing Incident Response with Integrated Threat Analysis and Prevention

PhishMe® and Palo Alto Networks® technologies equip security teams with enhanced protection against phishing threats.

Conditioning employees to detect and report suspicious email is a strategy security leaders have adopted to protect the business and empower employees to become a defensive asset. PhishMe Triage™ ingests employee-reported suspicious email – allowing security teams to quickly assess and respond to threats. PhishMe Triage now integrates with Palo Alto Networks WildFire™ cloud-based threat analysis and prevention capabilities to provide an even more formidable approach to identifying and preventing potentially damaging phishing attacks.

When Phish Swim Through the ‘Net

As attackers continue to innovate, preventing successful execution of email with malicious intent will continue to be a challenge if it makes it to the inbox. Ransomware, business email compromise (BEC), malware infections, and credential-based theft all primarily stem from a single vector of compromise – phishing. A key defensive tactic is to condition employees to identify and report suspicious email to security teams for analysis. Yet, security teams need to be efficient and can’t afford to be bogged down with manual processing and analysis when responding to incidents. High functioning security teams must automate the ability to ingest, verify and enforce new protections for potential phishing attacks, all within their existing infrastructure.

Empowered Employees and Technology – Catchin’ Phish!

PhishMe Research has proven that employees who are conditioned to report suspicious email are assets, not liabilities, to the security posture of the business. Reporting suspicious email allows for additional technical and human analysis. Just a single employee reporting a malicious email is enough for security teams using the right resources to identify and disrupt the attacker before they are able to achieve their mission.

That one employee who has received proper conditioning to recognize and report suspicious email serves as an early warning system – tipping off the security team to an anomaly as soon as it hits the inbox!

PhishMe Triage receives reported suspicious email from employees and organizes and analyzes through its own security analytic engine as well as security partner integrations. These integrations allow security leaders to maximize their security technology investments and defenses. Triage identifies what is nefarious, and does it through automation rather than inundating security analysts with more reports to dissect.

Integrated PhishMe Phishing Analysis with Palo Alto Networks

Security teams who aspire to accelerate their phishing analysis can do so with the Palo Alto Networks WildFire API integration with PhishMe Triage. As email is reported to security teams operating PhishMe Triage, Palo Alto Networks WildFire customers can harness the integration capabilities to detect and prevent phishing cyberthreats.

Here’s a sample of how PhishMe and Palo Alto Networks are spotting threats that demand security teams’ attention.

  • The analysis results produced by WildFire are strengthened when PhishMe Triage collects and prioritizes reported phishing attacks from PhishMe Reporter™ and maps useful indicators in the workflow.
  • Customers with a valid WildFire subscription simply enter their API credentials into Triage to enable analysis of file attachments automatically. PhishMe Triage supports customer environments who utilize WildFire in the cloud or an on-premise WF-500 appliance. When configured, these solutions quickly analyze and provide a detailed examination to help security teams determine which threats require immediate attention to remediate or prevent similar attacks.
  • Security teams simply choose the file-types they wish to have automatically analyzed at ingestion. The analysis results are then contained within PhishMe Triage and clustered to allow analysts to swiftly respond to the most critical.
  • PhishMe Triage scrutinizes suspicious email at ingestion and uses the WildFire API to send the file(s) to determine their cyberthreat verdict. Quickly, the analyst receives integration results back into PhishMe Triage with summary detail and a thorough human-readable report illustrating the threat’s characteristics.
  • With PhishMe Triage rule matching, reputation of the employee reporting, threat intelligence, and combined threat analysis from the WildFire cloud, analysts will be confident in their response and automation workflow action. Security teams can manually or programmatically categorize the threat to follow a workflow involving support for leading SIEM providers.

More about WildFire:

Palo Alto Networks WildFire™ cloud-based threat analysis and prevention service analyzes files and links and designates never-before-seen items for further investigation using static and dynamic analysis over multiple operating systems and application versions. If a sample is categorized as malicious, WildFire will automatically generate and populate a holistic set of new preventions to the Palo Alto Networks Next-Generation Security Platform and integration partners, minimizing the risk of infection from both known and unknown threats without any additional, manual action. WildFire correlates global, community-driven threat intelligence from multiple sources across networks, endpoints and clouds to immediately halt threats from spreading. WildFire’s architecture provides granular controls over what data will be submitted for analysis. Elements like file type and session data, as well as choosing the data path and regional WildFire cloud where the analysis and data storage will take place, are all configurable.

 

To learn more about the Palo Alto Networks Next-Generation Security Platform and WildFire, visit: https://www.paloaltonetworks.com/products/designing-for-prevention/security-platform.

To learn more about the PhishMe Triage, visit: http://phishme.com/product-services/triage.

For more information, download the full solution brief.

The Rise of RaaS: Satan

RaaS, or Ransomware as a Service, enables threat actors that lack the skillset to write their own malware the capacity to infect people’s computers with ransomware through a service, holding the victims’ files hostage for Bitcoin payments. One of the latest RaaS offerings is Satan, a ransomware variant that is easily accessible on a hidden website when browsing with the TOR browser. The website allows anyone to create a ransomware sample which in turn takes a cut of the ransom proceeds from its victims’ payments.

Builder

The TOR hidden service website allows for anyone to create a Satan loader sample after registering for a free account. The front page encourages visitors to register accounts, create a new virus and download it. Although the site handles the building of the initial ransomware loader, it is up for the RaaS user to distribute the malware. Bitcoin payments made by victims are then credited to the RaaS user’s account and the service takes a thirty percent cut for facilitating this cybercrime. The website requires the user to correctly solve CAPTCHAs for any form submitted as a precaution against automated web vulnerability scanners. Below is a screenshot of the front that explains how the service functions:

Dropper

Although the RaaS requires its users to distribute the malware themselves, it also provides a dropper service to assist the user in the initial infection process. By utilizing a dropper, malware actors are able to bypass antivirus email scanners by creating malicious CHM or Office documents that download the ransomware loader once these files are opened by a duped victim who perceived these email attachments to be legit. This dropper service contains helper scripts, pictured below, that encrypt the ransomware loaders with a static XOR key, further bypassing virus detection if the system is solely looking for executables in network traffic. The RaaS user is also able to enter a URL where they host the encrypted ransomware loader that the generated droppers will download, decrypt, and execute the ransomware loader.

Once this information is entered, the user is then able to copy & paste either a CHM (Windows executable help file) or a malicious DOC macro. Although these malicious scripts are not obfuscated, they still have relatively low AV detection.

Per the instructions provided by the dropper service, the CHM generator creates an HTML file which can then be compiled to the Windows executable CHM file using the chmProcessor application, pictured below. The generated HTML file spawns a command shell and executes PowerShell to download, decrypt and execute the ransomware payload.

The generated, executable CHM file only had a detection with one of the fifty-four scanning engines in Virus Total when we tested this dropper method in lab. It would appear that script obfuscation is not required to bypass antivirus defenses for these initial, malicious droppers.

Loader Analysis

The Satan RaaS malware employs a number of anti-analysis techniques in order to prevent automated or manual analysis of a sample. A review of the malware Hash:  b70622bf5192b5a254932451814cc4a1 Version:  1.0.0.13 shows ~20 different checks which are done in order for the malware to continue running and unpack the payload.

Cylance has already done  a great analysis which covers the majority of these techniques, so this report doesn’t review all of them in detail won’t review all of them in detail.

  1. Calls BlockInput to block user interaction with the system
  2. Checks for known AVG modules
  3. Checks for a known Debugger windows using FindWindow
  4. Checks for KernelDebugger

The malware uses an interesting trick where it loads the KdDebuggerEnabled field directly and compare the value.

  1. Check for attached debuggers calling Checks for a debugger calling isDebuggerPresent and CheckRemoteDebuggerPresent
  2. Check for a blacklisted analysis modules by calling the GetModuleHandle
  3. Check for blacklisted analysis Processes by calling FindWindow
  4. Check if the method wine_get_unix_file_name is exported by kernel32.dll to detect the presence of wine
  5. Call NTClose and CloseHandle with Invalid handles as an anti-debugging method.
  6. Create a VEH handler and calls int 3 as an anti-debugging method.
  7. Hooking Check

It checks for possible Jump hooks (0xff, 0x25) or (0xe9) in CreateProcess, DeleteFile, ldrLoadDll & NTQueryInformationProcess functions.

  1. Debugger Check with csrss handle

The process attempts to open a handle to csrss.exe to detect the presence of a debugger. If the request succeeds and a valid handle is opened this can indicate that a debugger is actively running on the system or that the user has sufficient access to debug a system process.

  1. Create top level exception handler and trigger by popping a divide by 0 exception as an anti-debugging technique
  2. Check the OS Version to determine if the sample should run. (No XP support)
  3. Call NTQueryInformationProcess

The sample makes a number of calls to determine if the process is being debugged, by checking the ProcessDebugPort, ProcessDebugObjectHandle & ProcessDebugFlags.

And an additional check for the process devenv.exe the name commonly associated with Visual Studio.

  1. Check for HW BreakPoints

The Process will check for hardware breakpoints by getting the thread context by calling GetThreadContext and then checking the context debug registers.

  1. Check that the filename does not include a blacklisted term
  2. Check that the username doesn’t contain a blacklisted term
  3. Check that the path does not contain a blacklisted term.

Although the loader includes so many anti-analysis techniques they are all contained within a single function call, which makes it easy to bypass all of the techniques with a single hop.


The number of implemented checks and techniques indicate that many of these may have been copied from OSS projects and added to the list of anti-analysis checks. The two main projects with either similar or identical checks are:

  • al-khaser – “PoC malware with good intentions that aims to stress your anti-malware system..”
  • Pafish – “A demonstration tool that employs several techniques to detect sandboxes and virtualization environments..”

For example pulling the list of blacklisted processes, we find the same list within the al-kahser source file process.cpp.

Or the blacklisted user and directory names as found in the pafish project file gensandbox.c:

Additionally, the inclusion of checking for the “devenv.exe” process in relation to checking the ProcessDebug flags can be found to within sample code on anti-debugging and protection techniques. https://www.codeproject.com/Articles/1090943/Anti-Debug-Protection-Techniques-Implementation-an.

Looking at a previous version of the ransomware (v1.0.0.1) we see that the anti-analysis checks have been evolving. Within this older sample (hash) we find several checks for virtualization artifacts that no longer exist within the newer version of the loader.

For example the registry and process checks for virtualization artifacts.


Or the inspection of the physical drive to ensure that the user can obtain an valid handle and that the disk size is > 50G.


The removal of some of these checks could indicate that the author(s) have found some issues with the checks or found them to be ineffective. Since many these anti-analysis checks appear to be copied from OSS projects we can assume that new techniques are likely to be added as the ransomware evolves.

Payload

After the anti-analysis checks are passed, the sample spawns a child process of itself and uses Process Hollowing to write the unpacked executable into the spawned process.

This follows the standard Process Holllowing technique of:

Once the injected process is launched the parent loader process exits.

The injected process then melts a modified version of the loader into the directory:

%appdata%/<generated_dir_name>/<generated_file_name>.exe

and creates an entry within the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for persistence. In previous versions of the loader this would also include the –t switch, but this option is no long available within the new analyzed version 1.0.0.13.

The malware then executes the melted version which drops and runs a batch script in %temp% to delete the initial loader executable and script files.

Target Files

An initial analysis of the payload shows that over 375 file types are targeted for encryption. Once the file is encrypted it is renamed and the extension is replaced with ‘.stn’

One interesting feature of the payload observed during the initial analysis was the support of a couple of command line switches (-i and -r)

Analyzing the -i path produces a debug window which includes what appears to be the payload version (1.00.13) and the uinque id assigned at the time of download. This Id can be seen within the download ULR of a generated sample satan6dll23napb5[.]onion/malwares/{uniquie_id}

Conclusion

We can see that the Custom Loader used by the ransomware continues to evolve as the author(s) add and remove functionality. As the ransomware uses a custom loader it can be used to identify and cluster samples. This is uncommon with most malware so we would expect that another stage would be added to the execution chain by actors using this:

  • Stage_1 (generic packer) à Stage_2 (custom loader à Stage 3 (payload)

This would make it much more difficult to statically cluster samples as the initial executable file wouldn’t exhibit any identifying characteristics. Searching for both artifacts of the dropper scripts a user can generate on the panel and for other loaders, we have been unable to find evidence that this is being used as a payload within any large scale e-mail campaigns. This may be due to any number of factors:

  • The method being used within the infection vector are using obfuscated versions of the provided .chm and macro droppers or writing custom scripts to be used for infection.
  • This is being used in low volume campaigns targeting primarily home users.
  • Potential operators need to share profits (30%) with the original author(s) and also trust that they would get their cut of ransom for targets.
  • Potential operators need to trust the site operators

Reference

AVG Modules

  • avghookx.dll
  • avghooka.dll

Blacklisted Debug Windows

  • OLLYDBG
  • WinDbgFrameClass
  • Zeta Debugger
  • Rock Debugger
  • ObsidianGUI
  • Blacklisted Modules
  • SbieDll.dll
  • dbghelp.dll
  • snxhk.dll
  • api_log.dll
  • dir_watch.dll
  • vmcheck.dll
  • wpespy.dll
  • pstorec.dll

Blacklisted Process Names

  • ollydbg.exe
  • ProcessHacker.exe
  • tcpview.exe
  • autoruns.exe
  • autorunsc.exe
  • filemon.exe
  • Procmon.exe
  • Procexp.exe
  • idaq.exe
  • idaq64.exe
  • ImmunityDebugger.exe
  • WireShark.exe
  • dumpcap.exe
  • HookExplorer.exe
  • ImportRec.exe
  • PeTools.exe
  • LordPE.exe
  • SysInspector.exe
  • Proc_analyzer.exe
  • sysAnalyzer.exe
  • sniff_hit.exe
  • windbg.exe
  • joeboxcontrol.exe
  • joeboxserver.exe

Name Blacklist

  • sample.exe
  • c:\InsideTM
  • Username Blacklist
  • SANDBOX
  • VIRUS
  • MALWARE
  • MALTEST
  • TEQUILABOOMBOOM
  • Directory Blacklist
  • SAMPLE
  • VIRUS
  • SANDBOX