Security Alert: Global “Get Your Cryptolocker as a Package” Attack Goes On
Why you should never click a link in an email without thinking twice
It’s a regular day and you’re busy at work, scrolling through emails and trying to figure out which to answer first. You notice one email from the post office and immediately click on it to see what it’s about: the postman didn’t find you home, so you have to go to the post office yourself to get your package.
But there’s a catch.
Once you click on the link in the email, you’ll be redirected to a website that automatically downloads an executable file. In just a few seconds, your hard drive and all the data on it will be encrypted and a message will pop up asking for a hefty ransom if you ever want to regain control of your PC again.
Verdict: you’ve just become a victim of a Cryptoware attack!
Why the post office emails scam still works
Cyber criminals have been deceiving unsuspecting Internet users for a few years by using the post office emails scam. People fall for it, because the post office is one of the most familiar institutions for them, which they trust. They never give it a second thought before clicking on a link in that email and they never check the sender’s email address. These are fundamental mistakes that cyber criminals are aware of and take advantage of consistently.
Attackers are smart about it too: the spam campaigns that infect users around the world with Cryptoware are localized, meaning they only target users in a specific country at a time, and the emails are translated correctly and use the right visual elements to trigger instant action from the recipients.
More than a few countries have already been hit, mostly developed countries, because cyber criminals know that, in order to get a high return on investment on their attacks, they must aim for rich victims who can afford to pay the ransom and who store important data on their PCs.
The UK followed suit at the beginning of 2014, with people falling for the fake Royal Mail scam.
A different version of the same scam, where attackers posed as both energy service providers and postal delivery services tried to compromise PPCs belonging to Internet users’ across Europe (Italy and Norway were the main targets).
Now Denmark has become their newest target and we have all the details about the attack.
Denmark – the latest victim cyber criminals set their eyes on
The latest Cryptolocker campaign our team has identified brought out this old favorite among the vast array of tactics that cyber criminals use.
Unsuspecting users from all over Denmark received emails pretending to be delivered by Post Denmark or PostNord which hosted malicious code that was identified as Cryptolocker2. This strain of Cryptoware uses the same infrastructure also observed in Zeus GameOver and Shylock, the notorious banking malware, part of The Top 10 Most Dangerous Malware That Can Empty Your Bank Account.
The attackers behind this scam have refined their tactics to keep their anonymity by using multiple hosting providers around Europe to hide their traffic. A DGA (Domain Generation Algorithm) is also employed for the same purpose.
This new strain of ransomware even has its own name on the dark web: “crypt0l0cker“.
Cryptolocker2 (aka crypt0l0cker) has its own set of evasion tactics that it uses in order to trick traditional antivirus products into not detecting it. These include new ways to avoid anti-debugging and sandbox actions, but also a new right-escalation method to force access to legitimate windows processes through injection.
In the malicious email there is a link that, if clicked, will redirect users to a web page that will download the following:
forsendelse.zip -> forsendelse.exe
The infection chain will then adopt the following path:
http://dshome.ru/cLkKV6jnihC5g.php?id=(email address of the recipient)
(1) -> postdanmark-portal.com -> forsendelse.zip
(2) -> sync.security.pp.regruhosting.ru
If the downloaded file is opened by an unknowing user, the Cryptoware “crypt0l0cker” will be dropped on the PC, where it will infect itself in several processes, continuing the infection by encrypting all of the locally stored data, as well as the data available in network-connected devices.
Trying to reproduce the infection process will only redirect to Google by using a complex referral process, which is another dodgy way to avoid detection or reverse-engineering.
The malicious binary code will copy itself to the Windows folder with a randomly selected filename (for example: “Ksdfsdlp.exe”) and then it will try to connect to a server in Russia with the following IP address (sanitized by Heimdal Security): 109 120 [.] 155,159. Cryptolocker2 does this by injecting itself in the explorer.exe process. The malicious server is translated via DNS from the following domains:
ejkoesc [.] net
oroxwey [.] com
mqweodhy [.] com
Loss of data and massive disruption happen as a result of this attack. All the data on the victim’s PC will be added the “.encrypted” file extension, and a “HOW_TO_RECOVER_FILES.html” file will be created on the desktop. The victim will find instructions for payment in it, detailing how the user can regain access to their data which is now being held for ransom.
The malicious code will not stop here, but will continue to make sure that a restart will not disable the ransomware infection by running the following value:
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows CurrentVersion \ \ Run agukelub
Moreover, this strain of Cryptolocker2 will also disable various anti-phishing filters such as:
HKEY_USERS \ Software \ Microsoft \ Internet Explorer \ Phishing Filter Disabled
Click here for the full VirusTotal page detection rates at the moment when the campaign was discovered.
UPDATE [September 24 2015]:
The Heimdal Security team has collected and analyzed the data behind another spam campaign that pretends to be from Post Denmark. While this new spam campaign is similar in contents with the one we reported 3 days ago, several things have changed.
The malicious emails inform the recipients that there is package waiting for them and that they can find out more details by clicking on a link in the infected email.
Upon clicking that link, the victim will be directed to the following domain (sanitized by Heimdal Security): mail Denmark-portal24 [.] com
As shown in the screenshot below, the website will automatically trigger the download of a file named “forsendelse.zip -> forsendelse.exe (in Swedish “Forsandelse.exe “).
The junk email that targeted victims receive uses a server for a stopover which, in this case, is a server hosted in Russia. Heimdal Security recommends blocking access to the IP address (sanitized by Heimdal Security): 37.140 [.] 192,106.
In the past four days, our team has blocked over 1000 questionable and harmful websites that are hosted on that particular server.
The spam email targeting Internet users in the Scandinavian region points to the malicious server though a series of domains, such as (sanitized by Heimdal Security):
http://perevozki [.] org
http://mycolledge [.] org
It’s important to know that this spam campaign is directed towards Scandinavia and the malicious emails and infected websites are translated into the language of each country that is targeted. There are other domains north of Norway and Sweden where the bait is the same: an email from the local post office.
The malicious code infects the victim’s PC with the notorious Cryptolocker2, described above. Asides from encrypting data both locally and on shared network resources, Cryptolocker2 also removes the local shadow copy.
This particular strain of Cryptolocker2 contains more malicious features as well: on top of encrypting the user’s data and keeping it for ransom, it will also enroll the victim’s PC in a botnet, to send all the data about the infection. This data includes, but is not limited to: “Computer Name”, “IP address”, “installation time” and “BOTid”.
In the last part of the infection, Cryptolocker2 opens an ONION link to Tor, in order to retrieve the instructions on how to pay to recover the kidnapped data.
Please note that the Heimdal Security team has categorized this as a HIGH THREAT. We have made this decision because of the malicious payload’s behavior and because antivirus detection is so low, no matter how many days have passed since we announced the campaign.
Click here for the full list of detection rates at the moment when the campaign was discovered.
UPDATE [October 2 2015]:
The attackers behind this scam are continuously modifying their tactics to make their malicious campaign more effective. One of the most important updates is that cyber criminals are currently using Cryptolocker2 to also harvests email addresses from the infected PCs and send the data to a central C & C server. Here are the latest developments:
The malicious actors behind the campaign continue to apply a stopover station, which then moves the traffic to the domains already mentioned above. Here is an overview of the infection chain (sanitized by Heimdal Security):
http://ok-businessgroup [.] ru / qsDEIPXUgOd.php? id = firstname.lastname@example.org
-> http://postdanmarkportal24 [.] Com / frpv719.php? Id = cGtyQGNzaXMuZGs =
-> Downloader.disk.yandex [.] Com -> forsendelse.zip
The malicious zip file contains the executable “forsendelse.exe” (MD5 hash: b57086fc40d8a788eab060dcb2aaa4e8), which has a disappointing 1/57 antivirus detection rate on VirusTotal.
Click here for the full VirusTotal page detection rates at the moment when the campaign was discovered.
Once activated, this variant of Cryptolocker2 (crypt0l0cker) will copy itself to the system and will inject itself in the explorer.exe process. In the next stage it will delete shadow copies and encrypt all the data files available on the local disk and all connected network drives.
As previously stated, Cryptolocker2 also contains a C & C mode, which calls back to one or more domains which will enlist the infected machine into a central botnet, while also seizing various details about the machine. In this case, the domain (sanitized by Heimdal Security) is:
lgowkoter [.] Com translated to the IP address 188.225 [.] 72.25.
All kidnapped data will be added the “.encrypted” file extension. At the same time, Cryptolocker2 will create the “HOW_TO_RECOVER_FILES.html” file on the desktop. This file contains instructions on how to pay the ransom in order to regain access to data. This is done through an onion link via Tor. The web page in question reveals that more than 7,000 have already been infected by this malware from the first campaigns that started a few weeks ago.
Cryptolocker2 harvesting e-mail addresses
There is another dangerous development that has recently become part of the story. A technical analysis of the binary specific to these spam campaigns reveals that the latest version of the cryp0l0cker ransomware has added new functionality: the ability to harvest email addresses from the infected machine and send them to a central C & C server.
When “Cryptolocker2” (crypt0l0cker) is activated on a Windows system, it will drop onto the local hard drive (Windows folder), and inject itself in explorer.exe process. From there, it will harvest data from any webmail account on the infected PC, including Hotmail.com, Yahoo.com and all contacts on the local hard drive. This is a new functionality which will probably be used to distribute future versions of crypt0l0cker.
Compared to data harvesting from webmail, we can see that the code injecting itself in the explorer.exe process and then connecting to Hotmail and Yahoo Mail. The following step is to synchronize directories. Here is a helpful example:
“Connecting to Hotmail server … Synchronizing contacts. % ld remaining ”
The e-mail addresses harvesting process is carried out by following the local paths where you would normally find relevant data:
C: \ Users \ [% user account%] \ AppData \ Local \ Microsoft \ Windows Mail account
C: \ Users \ [% user account%] \ AppData \ Local \ Microsoft \ Windows Mail
If the malicious code cannot locate Outlook when running, it will produce a dialog box with an error message:
The harvested data is then transmitted to the central C & C server with an HTTPS POST request.
Along with this newly added data collection functionality, we can expect to see even more and increasingly aggressive spam campaigns in the future.
UPDATE [October 8 2015]:
The Heimdal Security team has collected new domains to be used in a future spam campaign related to Cryptolocker2.
We assume that the same Post Denmark / PostNord bait will used for future campaigns, but the content of these spam emails may of course change.
The new domains that have been created and are ready to be used, are as follows (sanitized by Heimdal Security):
mail Denmark-private [.] com
mail Denmark-private [.] net
The binary code that comes from these servers is part of a new ransomware in the Cryptolocker2 class. However, this strain has also been expanded with new, information-gathering functions.
The new variant communicates with the following C & C server domain (saniteret of Heimdal Security): oeofobker [.] Com.
UPDATE [October 13 2015]: New spam wave sent to over 300.000 potential victims
Heimdal Security had identified yet another spam wave related to this ongoing Post Denmark / PostNord campaign, which has started rolling out since last evening.
The bait is virtually identical to previous campaigns presented above, but there is something new about it: a series of compromised websites are being used to deliver malicious code as opposed to a few dedicated domains as we’ve observed in previous campaigns.
As previously presented, victims are lured in with an email announcing that they’ve received a package from PostNord / Post Denmark. The junk email features a link that points to several compromised web pages. These pages deliver malicious code via a Russian cloud provider.
Here is what the fake post office web page looks like, where the victim is tricked into entering a security code for verification, which will trigger the Cryptolocker2 code to be downloaded.
The binary code is almost identical to previous campaigns: it still has the ability to gather information about the system it compromises. However, it is likely that the code will soon be split into two components: the loader and the main component, because there are several things that indicate this scenario.
This spam campaign is very strong and has been sent to more than 300.000 email addresses ending in .com, which have been collected for the purpose of this campaign.
Please follow the recommendations below to keep safe from this threat.
UPDATE [November 11 2015]: Sweden in the crosshairs
The cyber criminals behind Cryptolocker2 are at it again. They recently launched a second spam wave targeting Sweden, but it’s only a matter of time until they localize the attack for other countries as well.
The unwanted email arrives with the following contents:
From: [spoofed / fake return address]
Subject Line: Paket Interest has levererats
Here are the contents of the email:
The email says that PostNord tried to deliver a package, but the recipient was not home, so he/she should click on a link to get more details on how to get the package.
That link, which the victim is instructed to click, points to several compromised web pages (including the selection below):
http://bons-plans-etudiant [.] fr
http://internetbussines [.] ru
From these domains, a binary file is downloaded (the payload) which is part of the Cryptolocker2 class. The payload then harvests sensitive information about the system it infected and then connects to a series of C&C servers to send the data to the attackers. Additionally, the payload also enlists the compromised computer in a botnet, which also comprises of the domains listed below:
sjykibxmzut [.] com
avtoblogi [.] info
mialazyhlex [.] com
vibktsvud [.] com
jcstaezip [.] com
zwiucmv [.] com
The victim’s data is fully encrypted and the attackers expect a ransom to be paid before they share the decryption key (if ever).
Antivirus detection for this campaign is, again, very low.
How to get protected from Cryptolocker2
Without having any or little basic knowledge about cyber security, home users and even users in companies of all sizes are sitting ducks for cyber criminals. That’s why education is so important when it comes to online threats (and many other dangers), a need that will only continue to increase as time goes by.
There are a few important security provisions to take in order to prevent a Cryptolocker2 infection, and the keywords are simple:
- Install the latest software updates
- Use a reliable antivirus product and other security tools that can protect you with multiple layers
- Employ a specialized tool against financial stealing malware and ransomware threats that can detect and block attacks like the one involving Cryptolocker2, which traditional antivirus has a very difficult time detecting
- Keep constant back-ups of your data in at least 2 different places (in the cloud and on an external hard drive)
- DO NOT CLICK in emails from unknown senders (caps intended here) and verify the sender before clicking on links sent by seemingly familiar senders
- Learn how to detect cyber threats and how to protect yourself from them.
For a more comprehensive security guide against ransomware, with free resources and guidance, download the dedicated PDF.
There are too many Internet users who are unaware of the dangers of Cryptoware and that’s exactly what makes it so dangerous. There’s no telling what country cyber criminals will set their eyes next, but it could be yours, so you need to be prepared to handle a cyber attack, not just in terms of tools, but also in terms of knowledge (that will help you choose the right tools and course of action).
The Cryptoware problem is beginning to be more and more prominent all over the world, usually bringing about dire consequences for those who are not prepared to defend themselves or who do not employ the best practices when it comes to personal or corporate data management.
So if you found this article useful, share it with someone who you believe would benefit from it. It’s not too late to protect yourself and those you love.