Nukebot (aka TinyNuke, or NuclearBot) made the news in spring 2017 when the author released its source code in an attempt to restore their reputation in the cybercrime .... According to IBM, a hacker calling himself "Gosya" tried to sell this malware in such a clumsy and inexperienced fashion that he got himself banned from multiple cybercrime forums for violating the rules about how such products should be sold. A few weeks ago, Juniper Threat Labs started seeing an active campaign involving this malware that specifically targets computers in France. The malware arrives as a ZIP file downloaded from malicious links. Inside the ZIP is an executable that appears to be an installer built with the "Inno Setup" tool. When it executes, it drops a legitimate standalone copy of the Firefox browser into %TEMP% and %APPDATA% and uses it to load a malicious DLL. The DLL is dropped in the same directory as firefox.exe and is loaded by Firefox through a DLL side-loading weakness in an old version of the browser. The DLL checks whether the system's UI language or keyboard layout is French before doing its malicious work.
Crypto ransomware seems to be a never-ending threat in today's cyber world. It is comparable to the "Kaiju" in the 2013 Hollywood blockbuster Pacific Rim: one strain dies and another is born with more evolved features. 2017 saw back-to-back outbreaks of WannaCry, Petya, NotPetya and Bad Rabbit ransomware.
But we do not have to rely exclusively on security software to defend ourselves. Sometimes the software already installed on our systems, together with proper configuration of the operating system, can save the day.
Let’s go through some of the simplest things anyone can do on their Windows PC to prevent or limit the damage of a crypto ransomware attack.
Operating systems and all installed software should be updated on a regular basis. WannaCry and NotPetya spread across networks by exploiting a vulnerability in SMBv1 on Windows (MS17-010), even though a patch closing that vulnerability had been available for months. Much ransomware and other malware is downloaded after a browser or plug-in has been successfully exploited by an exploit kit. Exploit kits such as Angler and Neutrino carried exploits for various versions of Adobe Flash, Oracle (formerly Sun) Java and Internet Explorer. Unpatched software can lead to your computer being compromised.
Most applications have an auto-update capability; make sure it is enabled. For Windows itself, type "update" in the Start menu search box and open Windows Update ("Check for updates") to install pending patches manually.
Windows has many features, and many of them ship with defaults chosen for convenience rather than security. Changing these defaults can sometimes raise your security posture.
View File Extensions
Ransomware like Locky is distributed through spam emails. To disguise the executable, the attachment is often given a name such as "invoice.pdf.exe". By default, Windows hides the extension of known file types, so when the victim saves the attachment it shows up as "invoice.pdf" without the .exe. You can change this default so that extensions are always displayed. On Windows 7, type "folder options" into the Windows search box to open the Folder Options dialog and make sure "Hide extensions for known file types" is not checked. On Windows 8 and 10, the same setting is the "File name extensions" checkbox on the View tab of File Explorer.
All programs run at a certain privilege level, typically that of the user who started them. In general, user accounts on a Windows system should not have administrator privileges unless absolutely necessary. This prevents a program from having access to the entire system should your computer be compromised by malware. You can check and change this in the user account type settings page.
Fig: user account type setting
User Account Control
User Account Control (UAC) is a Windows feature that guards against unauthorized changes to the operating system. It displays a pop-up asking for permission whenever a program tries to make a change that requires administrator rights. On Windows 7 the setting is found under Control Panel -> System and Security -> Action Center -> Change User Account Control settings.
When UAC is set to "Always notify", you will get a pop-up like the one shown in the image below whenever a program tries to modify system settings. Although this may be a bit irritating, it is a useful preventive feature.
Fig: UAC pop-up
The Windows AutoPlay feature is meant to make removable media convenient by automatically launching content when the media is inserted. When a removable drive is inserted, AutoRun reads a script called "autorun.inf" on that drive and can execute what it names. A lot of malware, and some ransomware, is known to abuse this to spread from one machine to another. (Note that on patched Windows 7 and later, autorun.inf is no longer honoured for USB drives, only for optical media, but AutoPlay itself still launches content.)
As a preventive measure, we recommend disabling this feature. Run "gpedit.msc" to open the Local Group Policy Editor, browse to Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies, and enable "Turn off AutoPlay" for all drives. Home editions of Windows lack gpedit.msc; there, the equivalent is the NoDriveTypeAutoRun registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.
Security Software Configuration
Many computers come with pre-installed antivirus software and a firewall. These and other security-related features need to be configured properly to improve the security posture of the device.
Windows Defender is an antivirus from Microsoft. Windows 8 and later include it as a full antivirus; on Windows 7 the built-in Windows Defender is only an anti-spyware tool, and the free Microsoft Security Essentials provides the antivirus. Windows Defender should have real-time protection enabled. This feature scans files as they are created or opened, so it can stop an infection before the malware runs. Signatures for all antivirus software, including Windows Defender, should be updated regularly and automatically.
Fig: Windows Defender real-time protection
Additionally, the entire system should be scanned on a regular basis. The latest version of Windows Defender also has exploit-mitigation features. Up until the end of 2017, a lot of ransomware was delivered via exploit kits. Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is another tool from Microsoft meant to protect against exploitation. It enforces Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), Structured Exception Handler overwrite protection (SEHOP) and anti-Return-Oriented-Programming (anti-ROP) checks. Some older versions of Windows lack many of these mitigations, and on those systems installing EMET acts as an exploit-prevention shield (note that Microsoft has announced EMET's end of support for July 2018). In 2017, with Windows 10 version 1709, Microsoft built these mitigations into Windows Defender as Windows Defender Exploit Guard (WDEG). This blog [https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-gu...] describes the introduction of WDEG. Beyond the EMET mitigations, WDEG added a few more features. Controlled folder access is the one aimed at ransomware: it allows only trusted applications to modify files in protected folders such as Documents and Pictures.
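The settings above, taken together, are easiest to check from one place. The following script is an added example (not code from the original post or from Juniper): run from an elevated PowerShell on Windows 10 it reports the current state of each setting discussed in this section, and with -Apply it sets the hardened values. The registry values, Defender cmdlets and the SMB1Protocol feature name are the documented ones; the function and variable names are my own. Controlled folder access needs Windows 10 version 1709 or later and real-time protection switched on, and Get-LocalGroupMember is not available on Windows 7.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not code from the original post: audits the hardening settings
  discussed above and applies the hardened values when run with -Apply.
  Registry values, Defender cmdlets and feature names are the documented ones;
  the helper names are my own.
#>
[CmdletBinding()]
param([switch]$Apply)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; OK = $Ok; Detail = $Detail })
}

# 1. File extensions: HideFileExt = 1 is what hides ".exe" behind "invoice.pdf".
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hideExt  = (Get-ItemProperty -Path $explorer -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
Add-Finding 'File extensions shown' ($hideExt -eq 0) "HideFileExt=$hideExt"
if ($Apply -and $hideExt -ne 0) { Set-ItemProperty -Path $explorer -Name HideFileExt -Value 0 -Type DWord }

# 2. Local administrators: the daily-use account should not appear in this list.
$admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name -join ', '
Add-Finding 'Local administrators (review)' $true $admins

# 3. UAC "Always notify" = EnableLUA 1, ConsentPromptBehaviorAdmin 2, PromptOnSecureDesktop 1.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey
$uacOk  = ($uac.EnableLUA -eq 1 -and $uac.ConsentPromptBehaviorAdmin -eq 2 -and $uac.PromptOnSecureDesktop -eq 1)
Add-Finding 'UAC always notify' $uacOk "EnableLUA=$($uac.EnableLUA) ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin) PromptOnSecureDesktop=$($uac.PromptOnSecureDesktop)"
if ($Apply -and -not $uacOk) {
    Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord   # EnableLUA changes need a reboot
}

# 4. AutoPlay off for all drive types: 0xFF is the value the "Turn off AutoPlay" policy writes.
$apKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$noAutoRun = (Get-ItemProperty -Path $apKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
Add-Finding 'AutoPlay disabled' ($noAutoRun -eq 255) "NoDriveTypeAutoRun=$noAutoRun"
if ($Apply -and $noAutoRun -ne 255) {
    if (-not (Test-Path $apKey)) { New-Item -Path $apKey -Force | Out-Null }
    Set-ItemProperty -Path $apKey -Name NoDriveTypeAutoRun -Value 255 -Type DWord
}

# 5. SMBv1, the protocol MS17-010/EternalBlue targets, should not be installed at all.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
Add-Finding 'SMBv1 removed' ($null -eq $smb1 -or $smb1.State -ne 'Enabled') "State=$($smb1.State)"
if ($Apply -and $smb1 -and $smb1.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 6. Windows Defender: real-time protection, fresh signatures, controlled folder access.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
Add-Finding 'Defender real-time protection' $status.RealTimeProtectionEnabled "AMServiceEnabled=$($status.AMServiceEnabled)"
Add-Finding 'Defender signatures < 2 days old' ($status.AntivirusSignatureAge -lt 2) "Age=$($status.AntivirusSignatureAge) days"
Add-Finding 'Controlled folder access' ($pref.EnableControlledFolderAccess -eq 1) "Value=$($pref.EnableControlledFolderAccess) (0=off, 1=on, 2=audit)"
if ($Apply) {
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -EnableControlledFolderAccess Enabled   # Windows 10 1709+ only
    Update-MpSignature
}

# 7. Most recently installed update, as a rough staleness indicator.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
Add-Finding 'Latest hotfix (review)' $true "$($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString())"

$findings | Format-Table -AutoSize
```

Run it once without -Apply and read the table before changing anything: the "review" rows are informational (who is a local administrator, how old the last update is), and the UAC change only takes effect after a reboot.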
By implementing this recommended configuration, you can significantly reduce the possibility of getting infected by ransomware. Should an infection happen anyway, these recommendations will at least limit the scope of the damage to the local user.
A typical enterprise security team needs visibility into all traffic in order to provide the secure environment in which companies can safely do their work. In this environment, traffic information is collected and logged by various devices: a secure web gateway keeps a log of all the web requests we make, while a next-generation firewall keeps app-ID logs of all the applications we use along with the domains and IPs we connect to.
IOC: SHA256 8943356b0288b9463e96d6d0f4f24db068ea47617299071e6124028a8160db9c
Encrypted files are renamed with the extension .locked
Ransom notes are written to files whose names end in Readme_txt
BitPaymer ransomware was first seen in mid-2017 and was known to infect hospitals and demand a huge ransom. Earlier versions of BitPaymer allegedly demanded 20 to 50 bitcoins, on the order of a hundred thousand dollars or more at the time, which indicates that the ransomware was targeting organizations rather than individuals. Recently, we came across a new variant of this ransomware.
Fig: BitPaymer ransom note
BitPaymer uses an unusual hiding mechanism built on alternate data streams (ADS), a feature of the NTFS file system, to keep itself out of plain sight.
Earlier versions of BitPaymer hid their own files by adding themselves as an ADS to blank files. The latest version copies a clean Windows system executable to the application data folder and then attaches a copy of itself as an ADS to that copy of the clean executable. This can evade security tools that do not look into alternate data streams. The copied executable usually has an 8.3-style name of eight characters ending in "~1", e.g. "SOWI3D~1". In this version of BitPaymer the ADS is named ":bin", whereas earlier versions used ":exe", so the full name in this case is "SOWI3D~1:bin", where "bin" is the copy of the malware hidden as an ADS. Windows Explorer and file browsers such as Far Manager show only "SOWI3D~1"; the stream is visible with "dir /r" or "Get-Item -Stream *".
After adding itself as an ADS to the copy of the clean Windows system executable, the malware launches the copied executable.
Fig: process created from ADS
Like other ransomware, BitPaymer also tries to delete backups. Most ransomware is known to use only vssadmin to delete shadow copies (the snapshots Windows keeps for backup and restore), but this one also uses "diskshadow.exe". The malware executes the following commands to delete backups.
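Two of the behaviours described above are cheap to hunt for on a suspect machine: files whose named NTFS streams start with a PE header, and process command lines that delete shadow copies. The script below is an added example (not code from the original post or from the malware): it scans %APPDATA% for alternate data streams and reads each stream's first two bytes, then tests command lines against patterns for vssadmin, diskshadow, wmic and wbadmin backup deletion. The sample command lines near the end are constructed for illustration, not taken from the BitPaymer sample, and the function names are my own. The Security log query at the end only returns command lines if the "Include command line in process creation events" audit policy is on.

```powershell
<#
  Added example, not code from the original post: hunts for the two BitPaymer
  behaviours described above. The constructed sample command lines are for
  illustration only; the function names are mine.
#>

# Part 1: files carrying a named NTFS stream, with the stream's first bytes checked for "MZ".
function Get-HiddenExecutableStreams {
    param([string]$Root = $env:APPDATA)
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # Every file has the unnamed ':$DATA' stream; anything else is an alternate data stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } | ForEach-Object {
                $stream = $_.Stream
                # Byte-wise reads use -AsByteStream on PowerShell 7 and -Encoding Byte on Windows PowerShell 5.1.
                $head = if ($PSVersionTable.PSVersion.Major -ge 6) {
                    Get-Content -LiteralPath $file.FullName -Stream $stream -AsByteStream -TotalCount 2 -ErrorAction SilentlyContinue
                } else {
                    Get-Content -LiteralPath $file.FullName -Stream $stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
                }
                [pscustomobject]@{
                    File      = $file.FullName
                    Stream    = $stream
                    Length    = $_.Length
                    ShortName = ($file.Name -match '^[A-Z0-9]{6}~\d$')   # 8.3-style host name such as SOWI3D~1
                    IsPE      = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                }
            }
    }
}

# Part 2: shadow-copy deletion. vssadmin is the usual tool; this variant also drives diskshadow from a script file.
$BackupDeletionPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'diskshadow(\.exe)?\s+(/s|-s)\s',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'wbadmin(\.exe)?\s+delete\s+catalog'
)
function Test-BackupDeletionCommand([string]$CommandLine) {
    foreach ($pattern in $BackupDeletionPatterns) {
        if ($CommandLine -match $pattern) { return $true }   # -match is case-insensitive by default
    }
    return $false
}

# Constructed sample command lines (illustrative, not taken from the malware).
$samples = @(
    'vssadmin.exe Delete Shadows /All /Quiet',
    'C:\Windows\System32\diskshadow.exe /s C:\Users\Public\del.txt',
    'wbadmin delete catalog -quiet',
    'vssadmin list shadows',
    'notepad.exe C:\Users\Public\Readme_txt'
)
$samples | ForEach-Object {
    [pscustomobject]@{ Suspicious = (Test-BackupDeletionCommand $_); CommandLine = $_ }
} | Format-Table -AutoSize

# The same test over real process-creation events (4688; property index 8 is the command line).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { Test-BackupDeletionCommand ([string]$_.Properties[8].Value) } |
    Select-Object TimeCreated, @{ n = 'CommandLine'; e = { $_.Properties[8].Value } }

# Finally, the ADS hunt: report streams that look like executables or sit on 8.3-style host files.
Get-HiddenExecutableStreams | Where-Object { $_.IsPE -or $_.ShortName } | Format-Table -AutoSize
```

Of the five constructed lines, the first three are flagged and the last two are not; "vssadmin list shadows" is a benign administrative command and shows why the patterns match on "delete" rather than on the tool name alone. Zone.Identifier streams on downloaded files are the common benign ADS you will see in the first part, which is why the final filter keys on the PE header rather than on the mere presence of a stream.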
During the early weeks of February 2018, Juniper Threat Labs detected several malicious email campaigns carrying a malicious MS Office file. The attachment is an RTF file that includes an exploit; as we discovered, the RTF exploits CVE-2017-8570. This vulnerability is related to CVE-2017-0199, but a little less well known. Back in April 2017, CVE-2017-0199 was exploited in the wild as a zero-day. In such an attack, the Microsoft Office document embeds OLE objects carrying payloads such as EXE, VBS, JS, ZIP, HTA or SCT files.
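A first-pass triage of a suspicious RTF for the embedded OLE objects described above can be done without opening the document. The script below is an added example (not code from the original post or from the campaign): it splits the RTF at each \object control word, reports the declared \objclass, whether \objupdate is set (which makes Word refresh the object when the document opens, the behaviour abused in CVE-2017-0199), and the class name decoded from the OLE1 header at the start of \objdata (a 4-byte OLEVersion, a 4-byte FormatID, then a length-prefixed class name, as laid out in MS-OLEDS). The RTF text at the end is a constructed sample, not the campaign's document, and the function names are my own. This is triage, not detection: it tells you what is embedded, not whether the object is an exploit.

```powershell
<#
  Added example, not code from the original post: lists embedded OLE objects
  in an RTF file. The sample RTF below is constructed; the function names are mine.
#>

function Get-RtfObjects {
    param([string]$RtfText)
    # Split on each \object control word; the first chunk precedes any object and is dropped.
    $chunks = [regex]::Split($RtfText, '\\object(?![a-z])') | Select-Object -Skip 1
    foreach ($chunk in $chunks) {
        $declared = if ($chunk -match '\\\*\\objclass\s+([^}]+)') { $Matches[1].Trim() } else { $null }
        $hex      = if ($chunk -match '\\\*\\objdata\s+([0-9A-Fa-f\s]+)') { $Matches[1] -replace '\s', '' } else { '' }

        $oleVersion = $null; $formatId = $null; $oleClass = $null
        if ($hex.Length -ge 24) {
            # Decode only the first 256 bytes (512 hex digits, rounded down to an even count).
            $take  = [Math]::Min($hex.Length - ($hex.Length % 2), 512)
            $bytes = [byte[]]($hex.Substring(0, $take) -split '(..)' | Where-Object { $_ } |
                              ForEach-Object { [Convert]::ToByte($_, 16) })
            $oleVersion = [BitConverter]::ToUInt32($bytes, 0)   # 0x501 for OLE1 objects
            $formatId   = [BitConverter]::ToUInt32($bytes, 4)   # 1 = linked, 2 = embedded
            $nameLen    = [BitConverter]::ToUInt32($bytes, 8)   # length of the class name that follows
            if (($formatId -eq 1 -or $formatId -eq 2) -and $nameLen -gt 0 -and (12 + $nameLen) -le $bytes.Length) {
                $oleClass = [Text.Encoding]::ASCII.GetString($bytes, 12, $nameLen).TrimEnd([char]0)
            }
        }
        [pscustomobject]@{
            DeclaredClass = $declared
            OleClassName  = $oleClass
            OleVersion    = if ($null -ne $oleVersion) { '0x{0:x}' -f $oleVersion } else { $null }
            FormatId      = $formatId
            AutoUpdate    = ($chunk -match '\\objupdate')
            DataBytes     = [int]($hex.Length / 2)
        }
    }
}

# Constructed sample: one embedded "Package" object with \objupdate set.
$sample = @'
{\rtf1\ansi
{\object\objemb\objupdate{\*\objclass Package}{\*\objdata 01050000 02000000 08000000 5061636b61676500
00000000 00000000 10000000 0102030405060708090a0b0c0d0e0f10}}
}
'@
Get-RtfObjects -RtfText $sample | Format-Table -AutoSize

# Usage on a real file (any path you like):
# Get-RtfObjects -RtfText (Get-Content -Raw -LiteralPath 'C:\samples\suspect.rtf') | Format-Table -AutoSize
```

For the constructed sample the output shows DeclaredClass and OleClassName both as "Package", FormatId 2 and AutoUpdate True. A mismatch between the declared class and the decoded one, an object that auto-updates, or a "Package" object (which wraps an arbitrary file such as a script or executable) are the things worth a closer look before the document goes anywhere near Word.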
On January 19, 2018, Juniper Threat Labs detected the Gootkit banking trojan at one of our customers' sites. The file was hosted on a compromised golfing website, "carolinalakesgc[.]com". This malware uses some unusual anti-analysis and anti-sandboxing tricks and employs a new persistence method that takes advantage of the Pending GPO feature. It spawns a suspended mstsc.exe (the Remote Desktop client) and injects itself into it. Before installing itself on the system, it performs several checks for sandboxes and for tools associated with malware analysis.