Researchers spotted a massive ransomware campaign in which the threat actors developed an intriguing new detection-evasion technique.
A new and massive ransomware operation dubbed “Operation Kofer” was discovered by a team of Cybereason Labs researchers. The campaign generates new variants of the same malware in order to evade detection, approaching APT-grade sophistication. All of the variants were found and compiled during the last couple of weeks, and new ones are generated every few days or even hours. This appears to be a Euro-centric threat, as the variants have mostly been seen in Spanish, Polish, Swiss and Turkish organizations.
Security experts from the Cambridge-based company found that each generated sample has unique characteristics and therefore a different hash, which makes the variants difficult to detect; the similarities they share, however, can still be observed and lead to a connection between them. These similarities give the researchers enough confidence to believe that all the variants were created by mixing and matching different components with an automated algorithm.
A fake icon (typically a PDF icon) and a bogus file name were used for all of the analyzed Kofer variants in an effort to deceive the recipient into double-clicking the file, which is delivered mostly by email campaigns that target specific organizations or countries.
Several anti-detection techniques raise the success rate of the ransomware variants. First, some of them check whether they are being executed inside a virtual machine and, if so, refuse to run. In addition, executing as a child process helps evade detection by some sandboxes. The ransomware payload masquerades as a benign-looking resource that is stored encrypted inside the PE. Finally, the original executable is deleted after it runs.
CryptoWall 3.0 and Crypt0L0cker were identified as part of the operation, although other families are suspected as well. Some of the variants use Tor for C&C communications, and to prevent any possibility of file recovery they destroy the Shadow Copies on the local machine.
“Our best suggestion to minimize the impact of ransomware is to run frequent backups using an external drive and use endpoint monitoring and detection technologies to limit the scope of such attacks,” said Uri Sternfeld, Senior Security Researcher at Cybereason.
Furthermore, all the observed variants look for “C:\myapp.exe” and, if such a file exists, refuse to run. One preventive countermeasure is therefore to copy any executable file to C:\ and rename it to myapp.exe. It is foreseeable that this behavior will be modified in the future.
As Kofer cannot be caught by signature-based detection, it is advised to monitor behavior on each endpoint and compare it with the behavior observed on the other endpoints in the organization in order to find suspicious activity.
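The behavioral advice above, together with the evasion traits described earlier (PDF-looking file names, relaunching as a child process, destroying Shadow Copies), translates directly into endpoint triage rules. The following is an added illustration, not Cybereason's code or any rule the article itself publishes: it runs a few heuristics over constructed, Sysmon-style process-creation records. The field names, the heuristic labels, and the specific command-line patterns used for shadow-copy deletion (the common `vssadmin` / `wmic` invocations) are assumptions; the article only states that the Shadow Copies are destroyed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record (assumed Sysmon-style fields)."""
    image: str      # full path of the newly created process
    cmdline: str    # its command line
    parent: str     # full path of the parent process


# Common Windows commands that remove Volume Shadow Copies (assumption: the
# article only says the copies are destroyed, not how).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
# "report.pdf.exe": a document-looking name that is really an executable,
# matching the fake-PDF lure the article describes.
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg|png)\.(exe|scr|com)$", re.I)
# Directories a mail attachment typically lands in.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData\\Local\\Temp)\\", re.I)
OFFICE_OR_MAIL = re.compile(r"\\(outlook|winword|excel|thunderbird)\.exe$", re.I)


def triage(ev: ProcessEvent) -> list[str]:
    """Return the list of heuristic labels that fire for one event."""
    findings: list[str] = []
    if SHADOW_DELETE.search(ev.cmdline):
        findings.append("shadow-copy-deletion")
    if DOUBLE_EXT.search(ev.image):
        findings.append("double-extension-masquerade")
    if USER_WRITABLE.search(ev.image) and OFFICE_OR_MAIL.search(ev.parent):
        findings.append("exec-from-user-dir-spawned-by-mail-client")
    # A binary relaunching itself is normal for browsers; it is only
    # interesting when the binary lives in a user-writable directory.
    if ev.parent.lower() == ev.image.lower() and USER_WRITABLE.search(ev.image):
        findings.append("self-spawn-from-user-dir")
    return findings


def triage_all(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Keep only events that triggered at least one heuristic."""
    return [(ev.image, f) for ev in events if (f := triage(ev))]


# Constructed sample events; paths and names are invented for the example.
LURE = r"C:\Users\ana\Downloads\Factura_2015.pdf.exe"
SAMPLE_EVENTS = [
    ProcessEvent(LURE, '"' + LURE + '"',
                 r"C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE"),
    ProcessEvent(LURE, '"' + LURE + '" /child', LURE),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe Delete Shadows /All /Quiet", LURE),
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "chrome.exe --type=renderer",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]

if __name__ == "__main__":
    for image, labels in triage_all(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(labels)}")
```

Each heuristic on its own produces false positives (users do run self-extracting archives from Downloads), which is why the article's advice is to compare an endpoint's behavior with the rest of the fleet: a chain of lure launch, self-respawn and shadow-copy deletion from the same image path, seen on one host and nowhere else, is the pattern worth escalating.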
About the Author
Ali Taherian (@ali_taherian) is an enthusiastic information security officer. He has finished his education in information security and has recently been involved in the banking software and payment security industry. Taherian is proud to be a certified IBM Cloud Computing Solution Advisor and ECSA, and enjoys sharing and tweeting about security advances and news.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC-Council in London. His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".