Security Alert: TorrentLocker Spoofs Telia in Ransomware Attack
Don’t be fooled by emails like these
Spoofing the identities of big, respected companies is a key tactic that cyber criminals use to trick their victims. We’ve seen it happen with IKEA and especially Post Denmark and Postnord. And we’ve seen not once, not twice, but tens of times in the past year alone!
And now it’s happening again. This time, cyber criminals are impersonating Telia, a telecom giant with operations in Europe and Asia. Telia has hundreds of millions of customers who could all become targets for this ransomware attack.
Highly targeted campaign using a mix of attack vectors
The Torrentlocker family is well known for its highly targeted spam email campaigns. Attackers carefully localize the emails, ransom notes and other elements tied to the campaign. The more targeted the attack, the higher the chances for it to be effective.
In this attack, victims are baited with an invoice which appears to come from Telia, a trusted telecom company. The primary target for the attack is Sweden, but additional campaigns may follow, replicating the same model.
The psychological factor plays a key role in current malware attacks, but it’s only used as a hook. Once the victim triggers the infection, the malicious tech behind it comes into play. Here’s how the attack unfolds.
The spam email used in this attack has the following contents:
From: [spoofed / fake return address]
Subject line: Fwd: [name of recipient] Invoice for Telia
The spam email a single link, which points to a bunch of compromised web pages [sanitized]:
http://bluecrabcharters [.] com.au/1yaI3zFtWAOb/sD5TRZz.php?id=[%navn to receive%] -> http://eok9.teliabills [.] Com / mditqyzo.php? Id = bWF0c0BoZW1wZWwuY29t
When the victim clicks the link, he/she will be redirected to the webpage you can see below, where a Captcha code is displayed. When the victim fills out the code, the TorrentLocker payload will be downloaded from the following servers [sanitized]:
http://tendearteplast [.] com / 1.exe
http://gettingmarried [.] ie / 1.exe
It’s important to know that the payload will be only downloaded once per link and on one condition: that the victim’s IP is from Sweden. If an IP from another country is used, the victim will be redirected to Google. Cyber criminals didn’t overlook a single detail when building this campaign.
The moment the malicious code is run, it will connect to a central C & C server [sanitized]:
manybigtoys [.] Com
It will then register the infected computer and the data harvested from it, which includes certificates from the infected device. A new thing about this attack is that the ransomware will inject itself into the memory of the “explorer.exe” process (child process). It will then drop the main component with an arbitrary filename. Available contact details on the device will also be collected and sent to the aforementioned C&C server, certainly to be used in future spam campaigns.
Multiple subdomains are used as part of the infection chain, the same as in previous ransomware campaigns [sanitized]:
https://pvebubadan.manybigtoys [.] com / topic.php
https://ucat.manybigtoys [.] com / topic.php
https://urile.manybigtoys [.] com / topic.php
The next step is for TorrentLocker to encrypt all the data files available on the local drive and on connected network drives, if there are any. Here is a screenshot of the ransom note which will be displayed once the data encryption phase is completed:
In this attack, TorrentLocker also has the ability to remain dormant. This sleep function helps it avoid sandboxing technologies. Among other things, the ransomware generates a value of “6000” before touching “explorer.exe” or “vssadmin.exe”.
If the victim navigates to the indicated website to pay the ransom, the TOR address mentioned in the ransom note will redirect to the same main C & C server mentioned before [sanitized]:
https: // urile[.]manybigtoys.com/help.php?user_code=1op26yr&user_pass=6131
Victims are extorted to pay approximately 1.15 Bitcoins, which is worth around 4099 SEK (441 EUR). There’s a time limit for the payment, which, if surpassed, will double the ransom value.
Almost 2 days after the attack, antivirus detection is still unsatisfactory: 19/57 on VirusTotal.
We can’t emphasize this enough: a backup is the best protection for your data in case of a ransomware attack! Actually, you should have multiple backups. And use this anti-ransomware checklist to see what else you can do to ensure that you’re never hit by encrypting malware.
But in case your system is already infected, know that researchers have released a decryption tool for the TorrentLocker ransomware which you can use to unlock your data for free. Just make sure you read about how the entire process works before actually diving into it.
We have a long road ahead when it comes to minimizing the impact of ransomware, which is one more reason to push for basic cyber security education and proactive protection.
If you want to read more about TorrentLocker and its abilities, this analysis by Sophos is a great resource.
* This article features cyber intelligence provided by CSIS Security Group researchers.