Is good old malware still used by attackers today? Probably not the original code, but malware developers are… developers! They don’t reinvent the wheel and re-use code published here and there. I spotted a ransomware sample that looked like an old one.
The following email landed in my mailbox:
Not very well designed (the sender address is not even spoofed), but it made me curious. The message is always the same: scare the victim and lure them into clicking a link. The “Download” button hides the following URL:
Let’s visit the URL and grab a copy of the WSS.zip archive (SHA256:02629729329cde8d1892afa1d412a75cfcc338826c0b5087a2ef3182b5a1af85). It’s indeed a valid archive:
$ unzip -t WSS.zip
Archive:  WSS.zip
    testing: Windows Security Scanner/   OK
    testing: Windows Security Scanner/desktop.ini   OK
    testing: Windows Security Scanner/Resources/   OK
    testing: Windows Security Scanner/Resources/32BitRun.exe   OK
    testing: Windows Security Scanner/Resources/Installer_exe.exe   OK
    testing: Windows Security Scanner/Resources/SecurityUpdater.exe.exe   OK
    testing: Windows Security Scanner/Resources/ShortCutVBS.vbs   OK
    testing: Windows Security Scanner/Resources/Temp_Test.tester   OK
    testing: Windows Security Scanner/Resources/Windows.LNK   OK
    testing: Windows Security Scanner/Windows Security Scanner.exe   OK
No errors detected in compressed data of WSS.zip.
Strings found in the “Windows Security Scanner.exe” PE file immediately reveal the type of malware:
Attention!!! First of all we are terribly sorry to have encrypted your data. Because we are human too and we feel some guilt encrypting your data. We offer that we can help you decrypt it again for a small amount of Bitcoins(BTC). The amount that we need from you is 500 USD that you will transfer to our BTC account. To Get your unique tool to decrypt your files, your need to push the button below and your BTC payment address will show, transfer 500 USD in BTC to that address. After you have transfered the BTC you are going to send an email to our email address(Our email will also get displayed when pushed the button). Where you provide your BTC address of the wallet that you used to send our BTC(If you have other comments, you are welcome to say it)[Also remerber to check your spam inbox for when we send your decryption tool]. We will check it, if you have sent the BTC, you will get your decryption tool. Everything from family memories to the hard work of yours, will be washed down the toilet and it will never return. So it's strongly advised that you start paying us for helping you to decrypt it. In the case that you are a little older and don't know much about all the computer stuff then you can ask your children or grandchildren. PLEASE Look below for additional information. Needing help to get your BTC? Some resources to get started with BTC: https://coinsutra.com/buy-bitcoin-uk/
Hi, This is Lost_Files Ransomware, Pay us 500 USD to get our decryption software. So that you can get your files back. The payment is going to be paid in Bitcoin(BTC). For more information about this please click the same EXE file you clicked when you lost all your files. There will be detailed instruction there. The email is: [email protected] Transfer BTC to this address: 13nRGetwvc7UZF8P5KM9bWqHGK6tMk7wyf
Executed alone, the main binary does not work: it needs the files in the Resources directory, which are also referenced in the code:
Resources
Resources\Temp_Test.tester
Resources\Windows.LNK")
Resources\ShortCutVBS.vbs
Its SHA256 is df693cc9d9e89e1db2a8edeaf2e77723e853f363da510a15ade9be79df96dc5e and its PE compilation timestamp is Sun Sep 29 15:27:35 2019 (a field the author of the binary controls, so treat it as a hint rather than a fact). The current VT score is 30/58, and some AV engines identify it as “Hidden Tear”, a ransomware family that is pretty old and was open-sourced on GitHub a few years ago.
Let’s execute it in a sandbox:
The targeted file extensions are the following (extracted from the binary). Note that most entries appear twice, once in lowercase and once in uppercase, which suggests an exact, case-sensitive comparison:
.xxx .sdf .txt .doc .docx .xls .pdf .zip .rar .css .xlsx
.ppt .pptx .odt .jpg .bmp .png .csv .sql .mdb .php .asp
.aspx .html .xml .psd .bat .mp3 .mp4 .wav .wma .avi .mkv
.mpeg .wmv .mov .jpeg .ogg .TXT .DOC .DOCX .XLS .PDF
.ZIP .RAR .CSS .XLSX .PPT .PPTX .ODT .JPG .BMP .CSV
.SQL .MDB .PHP .ASP .ASPX .HTML .XML .PSD .BAT
.MP3 .MP4 .WAV .WMA .AVI .MKV .MPEG .WMV .MOV
Once processed, files are renamed with the extension ‘.Lost_Files_Encrypt’. Apparently, the ransomware started to scan for SMB services (TCP/445) on random IP addresses after the initial infection, probably trying to infect hosts vulnerable to EternalBlue.
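The extension list and the rename marker above suggest a simple file-selection rule. As an added example (this is not the diary's code and not the malware's), here it is reimplemented in Python, with a helper that splits a directory listing into files already renamed, files still at risk and files the sample ignores. Two things are assumptions made here for illustration: that the comparison is exact and case-sensitive (the list carries both lowercase and uppercase copies of most entries, which a case-insensitive check would not need) and that ‘.Lost_Files_Encrypt’ is appended to the original name rather than replacing the extension. The filenames in the demo are constructed.

```python
"""Added example (not the diary's or the malware's code): the file-selection
rule inferred from the extracted extension list, plus IR triage helpers."""
import os

# Extension list as extracted from the binary, deduplicated into a set.
TARGET_EXTENSIONS = frozenset("""
.xxx .sdf .txt .doc .docx .xls .pdf .zip .rar .css .xlsx
.ppt .pptx .odt .jpg .bmp .png .csv .sql .mdb .php .asp
.aspx .html .xml .psd .bat .mp3 .mp4 .wav .wma .avi .mkv
.mpeg .wmv .mov .jpeg .ogg .TXT .DOC .DOCX .XLS .PDF
.ZIP .RAR .CSS .XLSX .PPT .PPTX .ODT .JPG .BMP .CSV
.SQL .MDB .PHP .ASP .ASPX .HTML .XML .PSD .BAT
.MP3 .MP4 .WAV .WMA .AVI .MKV .MPEG .WMV .MOV
""".split())

# Marker appended to encrypted files (assumption: appended, original name kept).
ENCRYPTED_SUFFIX = ".Lost_Files_Encrypt"


def is_targeted(filename):
    """True if the sample would encrypt this file.

    Assumption: the extension is compared exactly (case-sensitive), which is
    why the list needs both ".pdf" and ".PDF"; a file named "scan.Pdf" escapes.
    """
    ext = os.path.splitext(filename)[1]
    return ext in TARGET_EXTENSIONS


def mixed_case_blind_spots():
    """Extensions present in only one case: (lowercase-only, uppercase-only).

    Under a case-sensitive match these are the files whose other-case
    spelling the ransomware silently skips."""
    lowers = {e for e in TARGET_EXTENSIONS if e == e.lower()}
    uppers = {e.lower() for e in TARGET_EXTENSIONS if e == e.upper()}
    return sorted(lowers - uppers), sorted(uppers - lowers)


def original_name(encrypted_name):
    """Strip the appended marker; None if the file was not renamed by the sample."""
    if not encrypted_name.endswith(ENCRYPTED_SUFFIX):
        return None
    return encrypted_name[: -len(ENCRYPTED_SUFFIX)]


def triage(filenames):
    """Split a listing into (renamed by ransomware, still at risk, untouched)."""
    hit, at_risk, untouched = [], [], []
    for name in filenames:
        if original_name(name) is not None:
            hit.append(name)
        elif is_targeted(name):
            at_risk.append(name)
        else:
            untouched.append(name)
    return hit, at_risk, untouched


if __name__ == "__main__":
    # Constructed listing for the demo.
    listing = ["budget.xlsx.Lost_Files_Encrypt", "notes.txt", "scan.Pdf",
               "photo.PNG", "photo.png", "setup.exe"]
    hit, at_risk, untouched = triage(listing)
    print("renamed:", hit)
    print("at risk:", at_risk)
    print("ignored:", untouched)
    print("lowercase-only / uppercase-only:", mixed_case_blind_spots())
```

The blind-spot helper makes the inconsistency of the list visible: .png, .jpeg, .ogg, .xxx and .sdf exist only in lowercase, so under the assumed exact match photo.PNG survives while photo.png is encrypted.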
I did not find relevant online information about this ransomware. I’ll have a deeper look at the binaries. Do you have something interesting to share about this threat? Please do!
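The post-infection behaviour noted above, a host suddenly probing TCP/445 on random IP addresses, is easy to pick out of connection logs. The following is an added example, not code from the diary: a small detector that counts, per source host, how many distinct external addresses it contacted on port 445 and flags sources above a threshold. Counting distinct non-private destinations rather than raw connections keeps a workstation that hammers one internal file server out of the alert. The log format and every address in the sample are constructed for this example.

```python
"""Added example (not the diary's code): flag hosts sweeping TCP/445 across
many unrelated external addresses. Log format and addresses are constructed."""
from collections import defaultdict
import ipaddress

# Constructed connection log: "<time> <src> -> <dst>:<port> <proto>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 -> 10.0.0.20:445 tcp
10:00:02 10.0.0.5 -> 10.0.0.21:445 tcp
10:00:05 10.0.0.7 -> 185.23.11.9:445 tcp
10:00:05 10.0.0.7 -> 45.77.201.3:445 tcp
10:00:06 10.0.0.7 -> 91.202.14.77:445 tcp
10:00:06 10.0.0.7 -> 77.88.55.66:445 tcp
10:00:07 10.0.0.7 -> 104.16.123.96:445 tcp
10:00:07 10.0.0.7 -> 8.8.4.4:445 tcp
10:00:08 10.0.0.7 -> 10.0.0.20:445 tcp
10:00:09 10.0.0.9 -> 93.184.216.34:443 tcp
this line is noise and must be skipped
"""


def parse_line(line):
    """Parse one record into (src, dst, port); return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->" or parts[4] != "tcp":
        return None
    dst, sep, port = parts[3].rpartition(":")
    if not sep:
        return None
    try:
        return parts[1], ipaddress.ip_address(dst), int(port)
    except ValueError:
        return None


def detect_smb_scanners(log_text, threshold=5):
    """Return {src: number of distinct external hosts hit on TCP/445}
    for every source at or above the threshold.

    Distinct non-private destinations separate a random-IP sweep (the
    EternalBlue-style spreading the sandbox run showed) from a client that
    simply talks a lot to one internal file server."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line, skipped rather than crashing the run
        src, dst, port = parsed
        if port == 445 and not dst.is_private:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, count in detect_smb_scanners(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct external hosts on TCP/445")
```

The threshold is deliberately low because outbound SMB to arbitrary Internet hosts should be close to zero in most environments; if the perimeter already drops TCP/445 egress, the same logic applied to the firewall's deny log catches the infected host even earlier.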
Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.