A new and massive ransomware operation dubbed “Operation Kofer” was discovered by a team of Cybereason Labs researchers. The campaign generates new variants of the same malware in order to evade detection, reaching APT-grade sophistication. All of the variants were found and compiled during the last couple of weeks, and new ones are generated every few days or even hours. This appears to be a Euro-centric threat, as the variants have mostly been seen in Spanish, Polish, Swiss and Turkish organizations.
Security experts from the Cambridge-based company found that each generated sample has unique characteristics, and therefore a different hash, which makes them difficult to detect; the similarities they share, however, can be observed and reveal the connection between them. These similarities give us enough confidence to believe that they were all created by mixing and matching different components with an automated algorithm.
All of the analyzed Kofer variants use a fake icon, typically a PDF icon, and a bogus file name in an effort to deceive the recipient into double-clicking the file, which is delivered mostly by email campaigns that target specific organizations or countries.
The variants use several anti-detection techniques to improve their success rate. First, some of them check whether they are being executed inside a virtual machine and, if so, refuse to run. In addition, executing as a child process helps evade detection by some sandboxes. The ransomware payload masquerades as a benign-looking resource that is stored encrypted inside the PE. Finally, the original executable is deleted after it runs.
CryptoWall 3.0 and Crypt0L0cker were identified as part of the operation, although other families are suspected as well. Some of the variants use Tor for C&C communications, and to prevent any possibility of file recovery, the Shadow Copies on the local machine are destroyed.
“Our best suggestion to minimize the impact of ransomware is to run frequent backups using an external drive and use endpoint monitoring and detection technologies to limit the scope of such attacks,” said Uri Sternfeld, Senior Security Researcher at Cybereason.
Furthermore, all the observed variants look for “C:\myapp.exe” and refuse to run if such a file exists. One preventive countermeasure is therefore to copy an executable file to that path under the name myapp.exe. It is foreseeable that this behavior will be modified in the future.
Since Kofer cannot be caught by signature-based detection, it is advised to monitor behavior on the endpoint and compare it with the behavior of all other endpoints in the organization to find suspicious activity.
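The behaviors described above (an executable dressed up as a PDF and delivered by mail, Shadow Copy destruction, self-deletion of the original executable, and a unique hash per variant) can be turned into simple rules over process-creation telemetry, with the fleet-wide comparison the article recommends implemented as a hash-prevalence check. The following is an added example, not code from the article or from Cybereason; the event format, field names, thresholds and all sample events are constructed to mimic what a Sysmon-style process-creation log exposes.

```python
"""Behavioral triage of process-creation events for Kofer-style ransomware.

Added example, not from the article or Cybereason. The event format,
field names, and SAMPLE_EVENTS below are constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample events: one process creation per entry, several endpoints.
SAMPLE_EVENTS: List[Event] = [
    # Benign: a real PDF opened from the mail client by the reader application.
    {"host": "ws01", "parent": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
     "cmdline": r'"AcroRd32.exe" C:\Users\a\AppData\Local\Temp\quote.pdf', "sha256": "aaaa1111"},
    # Suspicious: executable with a document-looking double extension, launched from the mail client.
    {"host": "ws02", "parent": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "image": r"C:\Users\b\AppData\Local\Temp\Factura_2015.pdf.exe",
     "cmdline": r'"C:\Users\b\AppData\Local\Temp\Factura_2015.pdf.exe"', "sha256": "bbbb2222"},
    # Suspicious: the dropper destroys the local Shadow Copies.
    {"host": "ws02", "parent": r"C:\Users\b\AppData\Local\Temp\Factura_2015.pdf.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet", "sha256": "vssadmin0"},
    # Suspicious: the dropper deletes its own executable through cmd.exe.
    {"host": "ws02", "parent": r"C:\Users\b\AppData\Local\Temp\Factura_2015.pdf.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 3 & del "C:\Users\b\AppData\Local\Temp\Factura_2015.pdf.exe"',
     "sha256": "cmd00000"},
    # Benign: a common binary seen on several hosts.
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "sha256": "cccc3333"},
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "sha256": "cccc3333"},
    # Benign: the same reader binary (same hash) on a second host.
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
     "cmdline": r'"AcroRd32.exe" C:\Users\c\Downloads\manual.pdf', "sha256": "aaaa1111"},
]

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_masquerading_document(ev: Event) -> bool:
    """Executable posing as a document: 'name.pdf.exe', or any executable a
    mail client launches from a user-writable location."""
    name = _basename(ev["image"])
    if not name.endswith(EXEC_EXTS):
        return False
    stem = name.rsplit(".", 1)[0]  # drop the real extension
    double_ext = stem.endswith(DOC_EXTS)
    from_mail = _basename(ev["parent"]) in MAIL_CLIENTS
    writable = any(p in ev["image"].lower() for p in USER_WRITABLE)
    return double_ext or (from_mail and writable)


def is_shadow_copy_deletion(ev: Event) -> bool:
    """vssadmin or wmic invoked to delete Volume Shadow Copies."""
    name, cl = _basename(ev["image"]), ev["cmdline"].lower()
    if name == "vssadmin.exe" and "delete" in cl and "shadows" in cl:
        return True
    return name == "wmic.exe" and "shadowcopy" in cl and "delete" in cl


def is_self_deletion(ev: Event) -> bool:
    """cmd.exe spawned by a process whose own image path is the target of del/erase."""
    if _basename(ev["image"]) != "cmd.exe":
        return False
    cl = ev["cmdline"].lower()
    return bool(re.search(r"\b(del|erase)\b", cl)) and ev["parent"].lower() in cl


def rare_hashes(events: List[Event], min_hosts: int = 2) -> Dict[str, str]:
    """Fleet comparison: hashes seen on fewer than min_hosts endpoints.
    Each Kofer variant has a unique hash, so a binary that exists on a single
    host is a signal. OS binaries under C:\\Windows are skipped here because
    they are better covered by a known-good hash set; the threshold is a
    constructed value and should be tuned to fleet size."""
    hosts_by_hash: Dict[str, set] = defaultdict(set)
    image_by_hash: Dict[str, str] = {}
    for ev in events:
        if ev["image"].lower().startswith("c:\\windows\\"):
            continue
        hosts_by_hash[ev["sha256"]].add(ev["host"])
        image_by_hash[ev["sha256"]] = ev["image"]
    return {h: image_by_hash[h] for h, hosts in hosts_by_hash.items() if len(hosts) < min_hosts}


def triage(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (host, rule, image) findings: per-event behavioral rules first, then fleet rarity."""
    rules = (("masquerading_document", is_masquerading_document),
             ("shadow_copy_deletion", is_shadow_copy_deletion),
             ("self_deletion", is_self_deletion))
    findings = [(ev["host"], rule, ev["image"]) for ev in events for rule, check in rules if check(ev)]
    findings += [("fleet", "rare_hash:" + h, image) for h, image in rare_hashes(events).items()]
    return findings


if __name__ == "__main__":
    for host, rule, image in triage(SAMPLE_EVENTS):
        print(f"{host:6} {rule:28} {image}")
```

The three per-event rules fire on the constructed ws02 chain (the masquerading executable, the vssadmin call it spawns, and the cmd.exe that deletes it), while the reader and notepad events stay quiet; the rarity check then flags only the single-host hash, which is the property that defeats signature matching in the first place.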
About the Author
Ali Taherian (@ali_taherian) is an enthusiastic information security Officer. He’s finished his education in information security and has recently been involved in banking software and payment security industry. Taherian is proud to be certified IBM Cloud Computing Solution Advisor and ECSA and enjoys sharing and tweeting about security advances and news.
Edited by Pierluigi Paganini
(Security Affairs – Kofer, ransomware)