CryptoWall ransomware is one of the most popular malware used in the cybercriminal ecosystem for extortions. Ransomware is a specific family of malicious code that lock victims’ resources and demands a ransom to unlock them. CryptoWall is considered particularly aggressive, it uses public-key cryptography to encrypt files with certain extensions.
According the experts of Dell SecureWorks, in August 2014 the number of CryptoWall infections in the previous six months was 600,000, producing gains for $1 million in ransoms, the victims paid a fee ranging from $100 to $500.
The new variant of CryptoWall was improved by cyber criminals that applied the necessary modification to make the agent more resilient to the operation of law enforcement.
Cisco’s Talos Security Intelligence and Research Group has detected a new strain of CryptoWall that exploits the Tor anonymity network to hide its command-and-control infrastructure.
In the analysis published by the Cisco team is reports that the new variant of CryptoWall is able to distinguish between 32- and 64-bit architectures and to execute different versions for each.
“The latest Cryptowall 2.0, utilizes TOR to obfuscate the command and control channel. The dropper utilizes multiple exploits to gain initial access and incorporates anti-vm and anti-emulation checks to hamper identification via sandboxes. The dropper and downloaded Cryptowall binary actually incorporate multiple levels of encryption. One of the most interesting aspects of this malware sample, however, is its capability to run 64 bit code directly from its 32 bit dropper.” states the report.
The ransomware is able to infect both Windows are 64-bit operating systems and also the newer versions of Mac OS X.
The attack chain starts with a phishing mail that includes the CryptoWall variant in a “.zip” attachment. The compressed archive includes an exploit that relies a Microsoft privilege escalation vulnerability (CVE-2013-3660) to compromise the host.
“Cryptowall 2.0 can be delivered through multiple attack vectors, including email attachments, malicious pdf files and even various exploit kits. In the sample that we analyzed, the dropper utilized CVE-2013-3660, “Win32k.sys Elevation of Privilege Vulnerability” to achieve the initial privilege escalation on X86 based machines. This exploit works on 32 bit OSs starting beginning with Vista. The dropper even includes a 64-bit DLL that is able to trigger the exploit in all the vulnerable AMD64 Windows Systems.”
This new variant of Cryptowall also implements an anti-VM and anti-emulation checks pass that prevents the execution in a virtualized environment for malware analysis.
CryptoWall implements a multistep decryption, in a first phase it decrypts just a first portion of is code to check if it is running in a virtualized environment, if it passes the check then continues to decrypt itself. According to the Cisco researchers the feature could be exploited to prevent the execution of the malware by adding a fake entries in the file system that indicate a virtual machine is running.
Once infected the machine, the sample analyzed by the researchers communicates with command-and-control servers using the following Tor URLs:
“Using hardcoded IP address in the PE, the malware connects to the TOR Server with an encrypted SSL connection on port 443 or 9090. After successfully connecting, it starts to generate the Cryptowall domain names using a customized Domain Generation Algorithm (DGA). The algorithm is located at offset + 0x2E9FC.”
Tor network allows to route the Internet traffic anonymously through a the anonymizing system that makes it harder to trace.
“Using Tor just makes it harder to identify the command and control on the back end,” said said Talos security research engineer Earl Carter “It’s not obvious it’s command-and-control traffic going across your network. You’ll see Tor traffic, but you can’t get to the underlying information to see the distinction.”
I suggest you to read the report published by Cisco on its blog.
(Security Affairs – ransomware, CryptoWall)