- Jan 24, 2011
- Content source
- http://blogs.cisco.com/security/talos/teslacrypt
After the takedown of Cryptolocker, we have seen the rise of Cryptowall. Cryptowall 2 introduced “features” such as advanced anti-debugging techniques, only to have many of those features removed in Cryptowall 3. Ransomware is becoming an extremely lucrative business, leading to many variants and campaigns, some targeting localized regions in their own languages. Although it is possible that these multiple variants are sponsored by the same threat actor, the most likely conclusion is that multiple threat actors are jumping in to claim a portion of an ever-increasing ransomware market. One of the latest variants is called TeslaCrypt and appears to be a derivative of the original Cryptolocker ransomware. Although it claims to be using asymmetric RSA-2048 to encrypt files, it is making use of symmetric AES instead. Talos was able to develop a tool which decrypts the files encrypted by the TeslaCrypt ransomware.
At first glance, the dropper appears to be related to the original CryptoLocker. The malware states that data files, such as photos, videos and documents on the victim’s computer, have been encrypted with the RSA-2048 asymmetric algorithm. As we shall see, that statement is not entirely accurate.
Targeting files that users value highly makes ransomware very effective at getting users to pay the ransom. TeslaCrypt is interesting because it also targets and encrypts computer game files, such as saved games and Steam activation keys. This means that TeslaCrypt is targeting many different types of users, including PC gamers. Just like irreplaceable photos, a game save, which is the product of countless hours of gaming, is extremely valuable and hard to replace.
We have analysed two samples of TeslaCrypt, the first dated March 2015 and the second dated April 2015. Their SHA256 hashes are:
- 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
- 6c6f88ebd42e3ef5ca6c77622176183414d318845f709591bc4117704f1c95f4
This ransomware is usually distributed as an email attachment or through websites that redirect the victim to the Angler Exploit Kit. In our analysis, the exploit kit delivered a malicious Flash object containing an exploit against CVE-2015-0311. The payload for this exploit was a TeslaCrypt sample.
We are only going to give a quick introduction to the dropper’s architecture and the setup function, because this functionality has been widely covered.
Most TeslaCrypt samples use COM+ sandbox evasion techniques. For example, the dropper we analysed uses simple detection code that verifies if the “URLReader2” COM interface has been correctly installed in the DirectShow filter graph list:
If the check passes, the real dropper is extracted and executed using a well-known method that makes use of the ZwMap(Unmap)ViewOfSection API functions to unmap the original PE memory image and re-map another image file. The final unpacked executable locates specific Windows directories such as the Application Data directory, and builds support files like the “key.dat” file, and files to store decryption instructions. The executable also adjusts its own privileges (adds “SeDebugPrivilege”) and copies itself using a random file name to the user’s Application Data directory. A new process is then spawned and execution is transferred to it. The original dropper file is deleted. The main malware window is created and five threads are spawned, followed by the window message dispatching cycle.
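The setup sequence above (copy to Application Data under a random name, hand-off to a new process, deletion of the original dropper, creation of “key.dat”) is a behavioural chain an endpoint sensor can correlate. The following Python is an added defender-side example, not Talos's code or decryption tool; the Sysmon-like event format, file paths and process ids are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): a TeslaCrypt-like chain followed by a benign updater.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 1204, "ppid": 880, "image": r"C:\Users\bob\Downloads\invoice.exe"},
    {"type": "FileCreate", "pid": 1204, "path": r"C:\Users\bob\AppData\Roaming\key.dat"},
    {"type": "FileCreate", "pid": 1204, "path": r"C:\Users\bob\AppData\Roaming\ksdfjhwer.exe"},
    {"type": "ProcessCreate", "pid": 1388, "ppid": 1204, "image": r"C:\Users\bob\AppData\Roaming\ksdfjhwer.exe"},
    {"type": "FileDelete", "pid": 1388, "path": r"C:\Users\bob\Downloads\invoice.exe"},
    {"type": "ProcessCreate", "pid": 2000, "ppid": 700, "image": r"C:\Program Files\App\updater.exe"},
    {"type": "FileCreate", "pid": 2000, "path": r"C:\Users\bob\AppData\Roaming\App\updater_new.exe"},
    {"type": "ProcessCreate", "pid": 2100, "ppid": 2000, "image": r"C:\Users\bob\AppData\Roaming\App\updater_new.exe"},
]

APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def find_teslacrypt_like_chains(events):
    """Return one alert per child process launched from AppData that matches the setup chain."""
    image_of = {}               # pid -> image path
    created = defaultdict(set)  # pid -> lower-cased paths it created
    deleted = defaultdict(set)  # pid -> lower-cased paths it deleted
    spawned = []                # (parent pid, child pid) in event order
    for ev in events:
        if ev["type"] == "ProcessCreate":
            image_of[ev["pid"]] = ev["image"]
            spawned.append((ev["ppid"], ev["pid"]))
        elif ev["type"] == "FileCreate":
            created[ev["pid"]].add(ev["path"].lower())
        elif ev["type"] == "FileDelete":
            deleted[ev["pid"]].add(ev["path"].lower())

    alerts = []
    for ppid, pid in spawned:
        child_img, parent_img = image_of.get(pid, ""), image_of.get(ppid, "")
        if not parent_img or not APPDATA_RE.search(child_img):
            continue  # only children executed out of Application Data are of interest
        indicators = []
        if child_img.lower() in created[ppid]:
            indicators.append("parent wrote the child image into AppData and launched it")
        if any(p.endswith("\\key.dat") for p in created[ppid] | created[pid]):
            indicators.append("key.dat support file written")
        if parent_img.lower() in deleted[pid] | deleted[ppid]:
            indicators.append("original dropper deleted after hand-off")
        # a self-updating application also copies and relaunches; require a second indicator
        if len(indicators) >= 2:
            alerts.append({"dropper_pid": ppid, "child_pid": pid, "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in find_teslacrypt_like_chains(SAMPLE_EVENTS):
        print(alert)
```

The benign updater trips only the copy-and-relaunch indicator and is not reported, which is why the rule requires the key.dat write or the self-deletion in addition.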
Read more: http://blogs.cisco.com/security/talos/teslacrypt