In a span of one to two weeks, three new open source ransomware strains have emerged, all based on Hidden Tear and EDA2. These new ransomware families specifically look for files related to web servers and databases, which suggests that they are targeting businesses.
Both Hidden Tear and EDA2 are considered the first open source ransomware created for educational purposes. However, they were quickly abused by cybercriminals. RANSOM_CRYPTEAR.B is one of the many Hidden Tear spinoffs; it infects systems when users access a hacked website from Paraguay. Magic ransomware (detected as RANSOM_MEMEKAP.A), based on EDA2, came soon after CRYPTEAR.B's discovery.
One factor that contributed to the proliferation of this ransomware type is the ease and convenience it offers to cybercriminals—they don’t have to be technically skilled to build their own ransomware from scratch. Before the source codes of Hidden Tear and EDA2 were taken down, these were publicly available and cybercriminals only had to modify the code based on their needs.
Imitating pop culture and mobile apps
KaoTear (detected as RANSOM_KAOTEAR.A), a Hidden Tear-based ransomware, uses the filename kaoTalk.exe and includes the KakaoTalk icon to disguise its malicious nature. KakaoTalk is a widely used messaging app in South Korea with 49.1 million active users globally.
Figure 1. KaoTear’s ransom note
English translation:
Your files have been encrypted.
Go to the following address:
You can check the information for decryption:
http://{BLOCKED}t225dfs5mom.{BLOCKED}n.city
Go to the site above. TOR browser is required
Another recent Hidden Tear spinoff is POGOTEAR (detected as RANSOM_POGOTEAR.A) that capitalizes on the success of Pokemon Go. It even employs the filename PokemonGo.exe to lure users into thinking that it is a legitimate file.
Figure 2. POGOTEAR’s ransom note bears the image of Pikachu from the gaming app, Pokemon Go.
Here’s a rough translation in English:
Sorry. Encrypting your files has been unintentional. The decoder is sent to {BLOCKED} 200 edge following account\n {BLOCKED}@gmail.com.
Figure 3. KaoTear and POGOTEAR have the string “hidden tear” on their form initialization.
On the other hand, FSociety (detected as RANSOM_CRYPTEAR.SMILA) is an EDA2-based ransomware that draws inspiration from the hacker group in the hit TV series Mr. Robot.
Figure 4. Cybercriminals ride on the popularity of the TV show, Mr. Robot.
A closer look at KaoTear, POGOTEAR, and FSociety
Aside from pop culture references, KaoTear, POGOTEAR, and FSociety have other similarities.
For one, they target almost the same file types to encrypt: *.txt, *.doc, *.docx, *.xls, *.xlsx, *.ppt, *.pptx, *.odt, *.jpg, *.png, *.csv, *.sql, *.mdb, *.hwp, *.pdf, *.php, *.asp, *.aspx, *.html, *.xml, and *.psd. Some of these file extensions (such as XML, PHP, and ASPX) are related to web servers.
All three malware also search for SQL and MDB files, which are associated with databases. Based on these target files, it is very likely that businesses are being targeted.
Here are some of the similarities and differences:
| | KaoTear | POGOTEAR | FSociety |
|---|---|---|---|
| Extension | 암호화됨 (.encrypted) | .locked | .locked |
| Ransom Note | ReadMe.txt | هام جدا.txt | None |
| Language | Korean | Arabic | English |
| MSIL compiled | Yes | Yes | Yes |
| Encryption Method | AES 256 | AES 256 | AES 256 |
| Propagation Routine | None | Spreads via fixed drives, removable drives, shared folders and mapped network drives | None |
| C&C | None | Connects to hxxp://10[.]25[.]0[.]169 | Sends the key for encrypting files to hxxp://www[.]archem.hol[.]es/savekey[.]php |
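The appended extensions and ransom-note file names in the table are the cheapest host-level indicators a responder can sweep for. The following PowerShell script is an added example, not code from the original article or from the malware authors: it walks a directory tree for recently written files carrying one of the three appended extensions or one of the two ransom-note names, then groups hits by folder so a burst of renamed files stands out. The root path, lookback window and CSV output location are assumptions chosen for illustration.

```powershell
# Added example: triage sweep for the file-name indicators in the table above.
# $Root, $LookbackHours and the CSV output path are assumptions, not values from the article.
param(
    [string]$Root = "C:\Users",
    [int]$LookbackHours = 24
)

# Appended extensions and ransom-note names as listed for KaoTear, POGOTEAR and FSociety.
$encryptedSuffixes = @('.locked', '.encrypted', '암호화됨')
$ransomNoteNames   = @('ReadMe.txt', 'هام جدا.txt')

$since = (Get-Date).AddHours(-$LookbackHours)

$hits = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Where-Object {
        $name = $_.Name
        # Either the name ends with a known appended extension ...
        (($encryptedSuffixes | Where-Object { $name.EndsWith($_) }).Count -gt 0) -or
        # ... or it is one of the known ransom-note file names.
        ($ransomNoteNames -contains $name)
    } |
    Select-Object FullName, LastWriteTime, Length

# A single ransom note is weak evidence; dozens of renamed files in one folder within
# minutes is the pattern to escalate on, so group by parent directory.
$hits |
    Group-Object { Split-Path -Path $_.FullName -Parent } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Keep the raw hit list for the incident record.
$hits | Export-Csv -Path "$env:TEMP\ransomware-triage.csv" -NoTypeInformation
```

Run it from an elevated prompt so `-Force` can reach profile folders; the grouped output is meant to be read alongside file timestamps, since a folder where every hit shares the same minute of `LastWriteTime` is far more suspicious than scattered single files.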
POGOTEAR is the only one of the three with a propagation mechanism, which enables it to spread to removable and mapped network drives. It also creates an administrator-level user that is hidden from the Windows login screen through this registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Hack3r = "0"
With this, cybercriminals can further compromise the infected system and consequently, the network.
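Because the SpecialAccounts\UserList key hides any account named as a zero-valued entry under it, auditing that key is a direct check for the persistence described above. The script below is an added example written for this post, not code from the original article: it lists every account hidden from the logon screen, checks whether a matching local user actually exists, and flags those that sit in the local Administrators group. The severity labels are an assumption chosen for illustration.

```powershell
# Added example: audit the Winlogon SpecialAccounts\UserList key for hidden local accounts.
# Any value under this key set to 0 hides the account of that name from the logon UI,
# which is the mechanism POGOTEAR uses for its "Hack3r" account.
$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

if (-not (Test-Path -Path $userListKey)) {
    Write-Output "UserList key not present: no accounts are hidden from the logon screen."
    return
}

# Get-ItemProperty returns registry values as properties; drop the PS* metadata properties.
$props  = Get-ItemProperty -Path $userListKey
$hidden = $props.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 } |
    ForEach-Object { $_.Name }

if (-not $hidden) {
    Write-Output "UserList key exists but hides no accounts."
    return
}

# Members of the local Administrators group, reduced to bare account names
# (Get-LocalGroupMember reports them as COMPUTER\user or DOMAIN\user).
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    ForEach-Object { ($_.Name -split '\\')[-1] }

foreach ($account in $hidden) {
    $exists  = [bool](Get-LocalUser -Name $account -ErrorAction SilentlyContinue)
    $isAdmin = $admins -contains $account

    # Severity scheme is an assumption for this example: a hidden local admin is the
    # POGOTEAR pattern; a hidden non-admin still warrants a look; a stale entry is informational.
    [pscustomobject]@{
        HiddenAccount    = $account
        LocalUserExists  = $exists
        InAdministrators = $isAdmin
        Severity         = if ($isAdmin) { 'HIGH' } elseif ($exists) { 'MEDIUM' } else { 'INFO' }
    }
}
```

On a workstation where nobody has deliberately hidden accounts, the expected result is that the key does not exist at all; any HIGH row should be treated as a compromised host until the account's creation time and group membership are explained.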
We observed that POGOTEAR and FSociety may still be under development. One indicator of this is POGOTEAR's use of a private IP for its command-and-control (C&C) server; since the address is private, the information sent stays within the organization's network. FSociety, for its part, looks for a folder named 'test' in %Desktop%, and if that folder is not found it does not encrypt any files.
The risks of open source ransomware
The creation of open source ransomware for educational purposes has raised security concerns that call for stricter measures in knowledge sharing. In the case of Hidden Tear and EDA2, cybercriminals used the public source code as a baseline and modified it to pursue their own interests.
Another educational ransomware spotted is ShinoLocker (detected as RANSOM_SHINOLOCK.A). Aside from file encryption, it can also uninstall itself and restore files it has encrypted. The developer created it for simulation purposes.
As security researchers, we have to thoroughly assess the possible risks and consequences of creating and distributing educational information. If sharing source code or samples is necessary, it is best to distribute them only to vetted, credible recipients through secure channels. Before releasing anything to the public, we need to weigh its benefits against the potential threats it can introduce if it falls into the wrong hands.