TorrentLocker Ransomware Hits ANZ Region

We recently reported that the EMEA (Europe-Middle East-Africa) region had experienced a surge in ransomware, specifically crypto-ransomware attacks. It appears that these attacks are no longer limited to that region. Research from Trend Micro engineers shows that the ANZ (Australia-New Zealand) region is the latest to be greatly affected by this type of malware, this time by TorrentLocker ransomware.

The Infection Chain


Figure 1. Infection diagram for ANZ attacks

The malware arrives through emails that pretend to be penalty notices from the New South Wales government (referred to in this entry as “NSW”) or shipping information from Australia Post. Once users click the link, they are redirected to a spoofed page on a newly registered domain similar to the official, legitimate one.

The page instructs users to download a file by first entering a CAPTCHA code. If correctly entered, it triggers the download of the malicious file in a zipped format from SendSpace, a hosting site.

If the user opens the zipped file and executes the malware, it connects to secure command-and-control (C&C) servers. After successfully sending and receiving information, the malware encrypts files on the user’s machine using elliptic curve cryptography and appends the string .encrypted to each file name. Afterwards, it drops an .HTML file with decryption instructions and displays a ransom page. It also deletes the shadow copies of the infected system by executing the command line instruction vssadmin.exe Delete Shadows /All /Quiet, thus preventing the user from restoring their files from backup.
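Host-side detection logic for the chain just described, written here as an added example and not code from the original post: it flags the exact shadow-copy deletion command line and a burst of newly created .encrypted files on one host, run over constructed Sysmon-style events. The event field names are an assumption for this example.

```python
import re
from collections import Counter

# Constructed sample telemetry (not from the original post), in a generic
# Sysmon-like shape: process-creation and file-creation events per host.
SAMPLE_EVENTS = [
    {"host": "pc-07", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet",
     "parent": r"C:\Users\jane\AppData\Local\Temp\id_50920949811.exe"},
    {"host": "pc-07", "type": "file", "path": r"C:\Users\jane\Documents\q3.xlsx.encrypted"},
    {"host": "pc-07", "type": "file", "path": r"C:\Users\jane\Documents\notes.docx.encrypted"},
    {"host": "pc-12", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "pc-12", "type": "file", "path": r"C:\Users\bob\Documents\report.pdf"},
]

# The exact shadow-copy wipe the post describes; "list shadows" is benign admin use.
SHADOW_DELETE = re.compile(r"delete\s+shadows.*?/all", re.IGNORECASE)
# TorrentLocker appends ".encrypted" to each file it encrypts.
ENCRYPTED_EXT = re.compile(r"\.encrypted$", re.IGNORECASE)
# Dropper names in this campaign look like id_<digits> (zip or unpacked exe).
DROPPER_NAME = re.compile(r"\bid_\d+\.(?:zip|exe)$", re.IGNORECASE)


def detect(events, burst_threshold=2):
    """Return (host, rule, detail) findings; burst_threshold is the number of
    new .encrypted files on one host before a burst alert fires."""
    findings = []
    encrypted_per_host = Counter()
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            if ev["image"].lower().endswith("vssadmin.exe") and SHADOW_DELETE.search(ev["cmdline"]):
                detail = ev["cmdline"]
                if DROPPER_NAME.search(ev.get("parent", "")):
                    detail += " (parent matches campaign dropper naming)"
                findings.append((host, "shadow_copy_deletion", detail))
        elif ev["type"] == "file" and ENCRYPTED_EXT.search(ev["path"]):
            encrypted_per_host[host] += 1
            if encrypted_per_host[host] == burst_threshold:
                findings.append((host, "encrypted_extension_burst", ev["path"]))
    return findings


if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

In production the burst threshold should be tuned against the host's normal file-creation rate, and the shadow-copy rule should alert regardless of parent process.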

Based on feedback from the Smart Protection Network, 98.28% of the recipients are from Australia.

Bitcoin Payments

In order to pay, users need to register a Bitcoin wallet and buy bitcoins from the suggested links. Once the payment is made, the cybercriminals transfer the bitcoins from the given Bitcoin address to their own Bitcoin address, or start a chain of transfers so that they cannot be traced by the police. The decryption software only works on the specific infected machine: it requires the 30 hex block key that is unique to that machine. Otherwise, it will destroy the files.

Each user affected by this malware is assigned a code. The format is as follows:

  • hxxp[:]//{gibberish}.gate2tor.org/buy.php?user_code={xxxxxxx}

As of December 9, the spammers have added a password parameter, as in this sample format:

  • hxxp[:]//r2bv3u64ytfi2ssf.way2tor.org/buy.php?user_code={xxxxx}&user_pass={xxxx}

These URLs can only be accessed through the Tor network. The domain uses a Tor2Web network proxy, so the user does not need to install the Tor Browser to pay. The Tor anonymity network is used to hide the network traffic; its main purpose here is to hide the information that will be used for decrypting the files once a user has paid.

The ransom page displays a warning that the price will double after 4 days or 96 hours. In Australia, the price is AU$598. However, if users are not located in the ANZ or EMEA regions, a generic webpage will appear written in English, with the ransom in USD.


Figure 2. Sample ransom messages for Australia (top), Spain (middle), and non-ANZ/EMEA country (bottom)

We have identified a possible Bitcoin address of cybercriminals. As of this writing, it has had 1,223 transactions and received a total of 810 BTC from November to December 2014.

Associated Spam Runs

In early November, we noticed an influx of related emails. We saw similarities in the emails, URLs, and files. For example, the URL paths bear strings with a common .PHP file name, as we have seen on the following days:

  • November 12: NSW emails have links calling the script forums.php
  • November 16: NSW emails have links calling the script forums.php
  • November 17: NSW emails have links calling the script forums.php
  • November 20: NSW emails have links calling the script forums.php
  • November 24: NSW emails have links calling the script .local.php
  • November 25: Australia Post emails have links calling the script web.php
  • November 27: NSW emails have links calling the script themes.php
  • December 1: NSW emails have links calling the script sysebt.php
  • December 9: NSW emails have links calling the script sysxen.php
  • December 10: NSW emails have links calling the script sysadx.php
  • December 17: NSW emails have links calling the script libsys.php
  • December 22: NSW emails have links calling the script secbit.php
  • December 24: NSW emails have links calling the script secbit.php

More than 4,000 URLs were blocked bearing these keywords, with most being compromised sites.

Evasive Maneuvers

In order to increase the chance of delivery past spam filters, these spam runs used sending domains that would pass Sender Policy Framework (SPF) authentication. For example, in one spam run the sending domain was send-nsw-gov[.]org, which could pass the SPF check and thereby increase the chance of delivery through some spam filters.


Figure 3. Spammed messages are receiving an SPF pass
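An added example, not from the original post, of why an SPF pass must not be treated as proof of a legitimate sender: it parses an Authentication-Results header and flags a From header that claims an NSW or Australia Post identity from a domain those organisations do not use. The legitimate domains nsw.gov.au and auspost.com.au and the constructed headers are assumptions for this example.

```python
import re
from email import message_from_string

# Constructed headers (not from the original post), modelled on a spoofed NSW
# penalty notice whose lookalike sending domain has its own valid SPF record.
SPOOFED = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=send-nsw-gov.org
From: "NSW Office of State Revenue" <notices@send-nsw-gov.org>
To: jane@example.net
Subject: Penalty notice

See attached.
"""
LEGITIMATE = SPOOFED.replace("send-nsw-gov.org", "nsw.gov.au")

# Assumed legitimate domains for the impersonated brands (maintain your own list).
EXPECTED_DOMAINS = {"nsw": ("nsw.gov.au",), "auspost": ("auspost.com.au",)}
# A brand name in From: is a claim about who is sending; test it against the list.
BRAND_CLAIMS = {"nsw": re.compile(r"\bnsw\b", re.I),
                "auspost": re.compile(r"\b(?:auspost|australia post)\b", re.I)}
AUTH_RE = re.compile(r"spf=(\w+)(?:[^;]*?smtp\.mailfrom=([\w.-]+))?", re.IGNORECASE)


def domain_of(address):
    """Domain part of an address header such as 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", address)
    return m.group(1).lower() if m else ""


def under(domain, parents):
    return any(domain == p or domain.endswith("." + p) for p in parents)


def assess(raw):
    """Verdict dict: SPF only proves the envelope domain authorised the sending
    host, so a pass for a lookalike domain must not be counted as trust."""
    msg = message_from_string(raw)
    m = AUTH_RE.search(msg.get("Authentication-Results", ""))
    spf = m.group(1).lower() if m else "none"
    mailfrom = (m.group(2) or "").lower() if m else ""
    from_hdr = msg.get("From", "")
    from_domain = domain_of(from_hdr)
    for brand, pattern in BRAND_CLAIMS.items():
        if pattern.search(from_hdr) and not under(from_domain, EXPECTED_DOMAINS[brand]):
            return {"verdict": "brand_impersonation", "brand": brand, "spf": spf, "mailfrom": mailfrom}
    if spf == "pass" and mailfrom and not under(mailfrom, (from_domain,)):
        return {"verdict": "unaligned_spf_pass", "spf": spf, "mailfrom": mailfrom}
    return {"verdict": "pass" if spf == "pass" else "spf_" + spf, "spf": spf, "mailfrom": mailfrom}
```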

To evade detection by mail scanners that can follow links, the emails require users to visit a web page and enter a CAPTCHA code before the malware is downloaded from SendSpace.


Figure 4. Sample spoofed page with CAPTCHA code

Tracing the Activity

We found that the spammers are using a premium SendSpace account. Whenever a correct CAPTCHA code is entered, a file is downloaded via a different direct download link from SendSpace; they manage to deliver unique links using a PHP script. The downloaded files are zip archives whose names bear a keyword like “id_{XXXXXXXXXX}” (where X is numeric). For example, the spoofed URL hxxp://up-nsw-gov.org/detailed_info.php leads to the following SendSpace links:

  • hxxps://{BLOCKED}.sendspace.com/dlpro/55d80514c4d20419f547b5bd160ef426/5487c03a/vxj0fm/id_50920949811.zip
  • hxxps://{BLOCKED}.sendspace.com/dlpro/85952624fa01ab335913c23c4498f20b/5487c1e8/vxj0fm/id_50920949811.zip
  • hxxps://{BLOCKED}.sendspace.com/dlpro/0fb326db3791c23d21898762c9df4b81/5487c214/vxj0fm/id_50920949811.zip
  • hxxps://{BLOCKED}.sendspace.com/dlpro/70abb3d3bb12ece9b6b6124f946ae4ea/5487c23a/vxj0fm/id_50920949811.zip
  • hxxps://{BLOCKED}.sendspace.com/dlpro/56d96d1b6d2797bed69d2f96ceac2816/5487c2fd/vxj0fm/id_50920949811.zip
  • hxxps://{BLOCKED}.sendspace.com/dlpro/5bdee22341c06552d704d0e7cffd0834/5487c31d/vxj0fm/id_50920949811.zip
  • hxxps://{BLOCKED}.sendspace.com/dlpro/0ed43ad79aefd484a8d481343fc28c14/5487c53c/vxj0fm/id_50920949811.zip

It’s worth noting that all the links contain the same file name, id_50920949811.zip, which indicates that they were all part of one attack.
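An added example, not code from the original post, that triages URLs against the patterns this post describes: the Tor2Web payment page with its user_code and user_pass parameters, the spam-run link scripts listed above, and the SendSpace direct-download links; it also groups download links by zip name, the observation made in the previous paragraph. The sample URLs are constructed, with made-up hex segments and codes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample URLs (not from the original post): hex segments and user
# codes are made up, and "hxxp" defanging has been normalised away.
SAMPLE_URLS = [
    "http://r2bv3u64ytfi2ssf.way2tor.org/buy.php?user_code=ab12cd3&user_pass=9f1e",
    "http://abcdefghijklmnop.gate2tor.org/buy.php?user_code=1234567",
    "https://fs01.sendspace.com/dlpro/0123456789abcdef0123456789abcdef/5487c03a/vxj0fm/id_50920949811.zip",
    "https://fs02.sendspace.com/dlpro/fedcba9876543210fedcba9876543210/5487c1e8/vxj0fm/id_50920949811.zip",
    "http://compromised-blog.example/wp-content/secbit.php?id=51",
    "https://www.example.org/downloads/report.pdf",
]
TOR2WEB_DOMAINS = ("gate2tor.org", "way2tor.org")  # gateways fronting the payment panel
# Link-script names from the spam runs above (weak alone; pair a hit with the lookalike domain).
SPAM_SCRIPTS = {"forums.php", ".local.php", "web.php", "themes.php", "sysebt.php",
                "sysxen.php", "sysadx.php", "libsys.php", "secbit.php"}
# SendSpace premium direct links: /dlpro/<32 hex>/<8 hex>/<token>/id_<digits>.zip
SENDSPACE_DL = re.compile(r"^/dlpro/[0-9a-f]{32}/[0-9a-f]{8}/[^/]+/(id_\d+\.zip)$")


def in_domain(host, parents):
    return any(host == p or host.endswith("." + p) for p in parents)


def classify(url):
    """Label one URL as (label, details) so a pipeline can pivot on the details."""
    u = urlsplit(url)
    host, leaf = (u.hostname or "").lower(), u.path.rsplit("/", 1)[-1]
    if in_domain(host, TOR2WEB_DOMAINS) and leaf == "buy.php":
        q = parse_qs(u.query)
        if "user_code" in q:  # victim code; user_pass was added from December 9
            return "torrentlocker_payment_page", {"user_code": q["user_code"][0],
                                                   "has_pass": "user_pass" in q}
    m = SENDSPACE_DL.match(u.path)
    if in_domain(host, ("sendspace.com",)) and m:
        return "torrentlocker_dropper_download", {"file": m.group(1)}
    if leaf in SPAM_SCRIPTS:
        return "spam_run_landing_script", {"script": leaf, "host": host}
    return "unclassified", {}


def group_by_file(urls):
    """Distinct download links sharing one zip name point to a single campaign."""
    groups = {}
    for url in urls:
        label, info = classify(url)
        if label == "torrentlocker_dropper_download":
            groups.setdefault(info["file"], []).append(url)
    return groups
```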

As of this writing, we have identified several fake domains: 180 for Australia Post and 134 for NSW. These domains are hosted on Russian name servers and registered to certain email addresses. The associated IP addresses (partially masked) are:

  • 91.218.228.XXX
  • 193.124.200.13X
  • 193.124.205.18X
  • 193.124.89.10X

The C&C servers in these attacks are newly registered and hosted under IP addresses ranging from 46.161.30.17 to 46.161.30.49. We have also identified eight domains, including adwordshelper[.]ru and countryregion[.]ru.

Countermeasures

Attacks involving several components (spam emails, spoofed sites, malware) need multiple layers of defense. Trend Micro’s Email Reputation Service creates heuristic rules, which include identifying spam emails by their sender address.

Web Reputation Service blocks the URLs found in the spammed messages. Typosquatting domains that spoof the official sites of the Australia Post and the NSW government are also blocked. SendSpace links associated with the attacks are also blocked. Both the C&C servers and the IP addresses hosting them are listed and blocked.

TorrentLocker variants, both in zipped and executable form, are detected by Smart Pattern (one-to-many) as TROJ_CRYPTED.SM or TROJ_CRYPTED.SMA.

Users can also refer to our entry, Defending Against CryptoLocker, for preventive measures against TorrentLocker and other crypto-ransomware variants.

We have notified SendSpace of the premium account that is being used by the cybercriminals. The account and the associated file(s) have been deleted and blocked.

More details can be found in the report Australian Web Threat Landscape (2014): Observation of TorrentLocker Attacks.


With additional analysis from Jon Oliver, Adremel Redondo, Nazario Tolentino II, Lala Manly, and Romeo Dela Cruz.

Sample hashes of the files supported by our detections:


Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 11 January 2015; the full text is available at the content source.