TorrentLocker Ransomware Uses Email Authentication to Refine Spam Runs

In monitoring the ransomware TorrentLocker, we noticed a new development in its arrival vector. In previous entries, we noted that a particular wave of the crypto-ransomware was using spammed messages that were designed to evade spam filters. Our research now shows that TorrentLocker malware are using emails that are designed to pass spam filters and also collect information.

Using SPF to DMARC

Previous spammed messages were authorized by the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). SPF provides a mechanism to allow receivers to check that incoming mail from a domain is being sent from a host authorized by that domain’s owner. The list of authorized IP addresses for a domain is published in the domain’s DNS records.

The new TorrentLocker emails use Domain-based Message Authentication, Reporting and Conformance (DMARC), which is an email acceptance method. DMARC leverages SPF and DKIM, and sends reports to email senders, allowing them to:

• Collect statistics about messages using their domain from DMARC receivers
• See how much of this traffic is passing/failing email authentication checks
• Request that messages using their domain that fail authentication be quarantined or rejected
• Receive data extracted from failed messages such as header information and URIs from the message body, if the receiver provides this service

Using DMARC Reports

The DMARC reports are intended for senders to gain “insight into the operation of your own infrastructure, those operated on your behalf by third parties, and the attacks on your domain or brand by bad actors.” Unfortunately, cybercriminals are using the same reports for gaining insights into the operation of their malicious schemes.

One spam campaign was sent by notice-nsw-gov.net.  We noted that the SPF and DMARC record were as follows:

;; ANSWER SECTION:

notice-nsw-gov.net.     3600    IN      TXT     “v=spf1 ip4:93.189.0.1/16 a mx ~all”

notice-nsw-gov.net.     3600    IN      TXT     “v=DMARC1\; p=reject\; rua=mailto:admin@notice-nsw-gov.net”

It appears that the threat actors are collecting information from “rejected” emails, emails that do not pass the acceptance process performed in spam filters.

Note that each DMARC report contains information such as ISP information, mailbox provider name and contact details, IP addresses, SPF and DKIM authentication results.

For cybercriminals, the information can be used as feedback for their spam runs. If a DMARC report is sent back to a domain owned by cybercriminals, they can check the number of spammed emails that passed SPF and DKIM. The report will indicate which ISPs have considered their emails as “authenticated” and gives the ability to refine future spam runs.

A Persistent Presence

Based on SPN data starting from November 2014, we find that Australia remains the top country affected by this malware, whose family detection is CRYPTED.

Figure 1. Top countries affected by TorrentLocker

Using the number of detections in November 2014 as our baseline, we find that December experienced a noticeable spike. The number of detections dropped in January this year but soon rocketed in mid-February.

Figure 2. TorrentLocker activity since November 2014

Protection Against Spoofed Emails

Techniques like this show that while spam filters can help weed out junk or malicious messages, they aren’t foolproof. Cybercriminals will always try to find ways to bypass or dodge filters or authentication methods.

We advise users to remain cautious when dealing with legitimate-looking emails; they might be well-crafted spoofed emails. Avoid clicking links or opening attachments without confirming the email in question.

With additional insight from Doug Otis.