Triple Threat: QUERVAR, Ransomware, and ZACCESS on the Loose

Three of the most notorious malware families we’ve seen proliferate as of late have now been seen working together in a single attack.

In the past months we saw QUERVAR, ransomware, and SIREFEF/ZACCESS grow rampant in certain regions. QUERVAR was seen widespread in the NABU, EMEA, and ANZ regions, ransomware malware family has been prominent in EMEA, while SIREFEF or ZACCESS has been rampant in NABU.

Now, we’re seeing attacks that involve all three malware families.

After a widespread infection of QUERVAR in August this year, QUERVAR infections totally stopped in the first half of September. However, as shown in the Trend Micro™ Smart Protection Network™ data below, infections returned after a few days.

These are detected as PE_QUEARVAR.A-O, PE_QUEARVAR.B-O, PE_QUEARVAR.C-O, and PE_QUEARVAR.D-O.

Click for larger view

In September 27, we saw a new QUERVAR variant with a new structure, different from the previously detected variants but with the same infection routines. These included infecting .EXE and Microsoft Excel and Word files and then renaming them with a .SCR extension. However, the newer variants came with a new payload: downloading ransomware and ZACCESS variants.

The new QUERVAR variants are detected as PE_QUERVAR.E-O. PE_QUERVAR.E-O accesses the following malicious files below to download ransomware variants detected as TROJ_RANSOM.CMY and HTML_RANSOM.CMY, and the ZACCESS variant TROJ_SIREFEF.SZP.

  • http://{BLOCKED}ewidea1.ru/1.php?000102E0&pin=16FB2534B0B2D6E3
  • http://www.{BLOCKED}coservisi.com/test/php/way.php?000076A8&pin=16FB2534B0B2D6E3
  • http://{BLOCKED}y90.com/c/osnovnoj2.exe?00022F68 – detected as TROJ_RANSOM.CMY
  • http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/get.php?id=2 – detected as HTML_RANSOM.CMY
  • http://{BLOCKED}lhgkjl.un {BLOCKED}ilesexchnges.su/landings/first/US/NL_files/buttons.css
  • http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/landings/first/US/NL_files/jquery.min.js
  • http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/landings/first/US/FBI.png
  • http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/landings/first/US/NL_files/keyboard.js
  • http://{BLOCKED}lil.ru/33797470/2a06754.50664748/3052832ace10d474336096b36fbd49f05f190.exe?{random characters} – detected as TROJ_SIREFEF.SZP

The ransomware TROJ_RANSOM.CMY hijacks the infected system and displays the image below. It tricks users into thinking that it is a legitimate FBI warning that enforces copyright laws. The ransomware then locks the computer and prevents users from accessing it. The fake FBI warning also tells users that they are under surveillance by displaying the user’s IP address.

Click for larger view

On the other hand, SIREFEF/ZACCESS variants are known rootkit malware, which hides system modifications from users. In particular, the downloaded file (detected as TROJ_SIREFEF.SZP) patches services.exe in both 32bit and 64bit platform to prevent detection. It also disables/terminates Windows Security-related services. This technique is further documented in our previous entry ZACCESS/SIREFEF Arrives with New Infection Technique.

Trend Micro users need not worry as they are protected via the Smart Protection Network™. In particular, file reputation services blocks and deletes related malicious files, while the web reputation services blocks access to the sites where PE_QUERVAR.E-O downloads its malicious payload.

Post from: TrendLabs | Malware Blog – by Trend Micro

Triple Threat: QUERVAR, Ransomware, and ZACCESS on the Loose

Read more: Triple Threat: QUERVAR, Ransomware, and ZACCESS on the Loose

Story added 1. October 2012, content source with full text you can find at link above.