New CryptoLocker Has a Walkabout

May 30, 2014 | by Fred Touchette | AppRiver, CryptoLocker, Cybercrime, Digital Degenerate, Ransomware, securetide


This morning we're seeing a rather small number of messages that appear to be utility bills from Energy Australia. The graphics look convincing, complete with logo and barcode and a lot of what would appear to be pertinent electricity bill information. There are, however, a couple of immediate giveaways that something's awry when you first glance at this email. The first is that it's addressed to "Dear Valued Customer". I personally have never received a bill on which the sender didn't include my name, making sure there was no mistake about who needed to cough up the funds. Clue number two is the first of several bullet-point notes towards the bottom, which reads "Openig Balance", oops. I'm sure this is not this electric company's first time sending out bills; they probably would have noticed and had time to fix their template by now.

Ok, let's look past the email and dig a little deeper. These emails contain a hyperlink that reads "view your bill details". Rather than linking directly to the malware, which is the usual scenario, it links to this page: http://energymar.com/data/electricity/view/get/energy.php?eid=294677459546322. This is a landing page, and the CAPTCHA it presents to curious Australian (or just generally curious) billpayers before they can advance is an attempt to thwart automated analysis.


After the captcha is solved, another page is presented where the victim is prompted to download their bill.


If this link is clicked, the victim receives the malicious package in the form of an executable wrapped in a Zip file. In our sample the hashes are:

Zip archive: SHA256 019a1188a3a5127241dd08372a52da6fc375405f43b5f601eb77429356e63eaf

Unzipped executable: SHA256 6cff103d8d3d168e0124a53f9d780eaf0b073d267b1969d703de1406371ffc38

The sample is packed with Armadillo, which scrambles its code in another effort to make analysis difficult. Once executed, it begins enumerating all running processes on the victim machine and makes multiple copies of itself; new files are run and new registry entries are created. At one point the sample also makes a DNS query for the domain royalgourp[dot]org. At this point the malware, CryptoLocker, begins one of its signature moves and starts encrypting files on the target PC.
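For defenders who want to sweep their own environment for this campaign, the following is an added example (not AppRiver's code or tooling) that turns the indicators quoted above into checks: it hashes files on disk against the two SHA256 values, flags links that point at the landing-page host, and scans DNS query logs for lookups of the domain the sample resolved. The BIND-style query-log format and the sample log lines are assumptions constructed for the example; adapt the regex to whatever resolver logs you actually have.

```python
import hashlib
import re
from pathlib import Path
from urllib.parse import urlparse

# Indicators quoted from the post: hashes of the zipped and unzipped sample,
# the landing-page host, and the domain the sample resolved after execution.
ZIP_SHA256 = "019a1188a3a5127241dd08372a52da6fc375405f43b5f601eb77429356e63eaf"
EXE_SHA256 = "6cff103d8d3d168e0124a53f9d780eaf0b073d267b1969d703de1406371ffc38"
KNOWN_HASHES = frozenset({ZIP_SHA256, EXE_SHA256})
LANDING_HOST = "energymar.com"
C2_DOMAIN = "royalgourp.org"   # written royalgourp[dot]org in the post


def sha256_of_file(path):
    """Hash a file in chunks so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, known=KNOWN_HASHES):
    """Return the paths under root whose SHA-256 is in the known-bad set."""
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and sha256_of_file(p) in known)


def _host_matches(host, domain):
    """Exact match or any subdomain; tolerates a trailing dot from DNS logs."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_landing_page_url(url):
    """True if the link points at the campaign's landing-page host."""
    return _host_matches(urlparse(url).hostname or "", LANDING_HOST)


# Assumed BIND-style query log line, e.g.
#   client 10.0.0.5#51234: query: royalgourp.org IN A + (10.0.0.1)
DNS_QUERY = re.compile(r"query:\s+(?P<qname>\S+)\s+IN\s+", re.IGNORECASE)


def dns_hits(log_lines, domain=C2_DOMAIN):
    """Return (line_number, source_ip, qname) for queries to domain or a subdomain."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = DNS_QUERY.search(line)
        if m and _host_matches(m.group("qname"), domain):
            src = re.search(r"client\s+([\d.]+)#", line)
            hits.append((n, src.group(1) if src else None, m.group("qname")))
    return hits


# Constructed sample DNS log (not real traffic): two lookups touching the
# C2 domain and one unrelated query.
SAMPLE_DNS_LOG = [
    "30-May-2014 09:12:01.123 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)",
    "30-May-2014 09:12:04.456 client 10.0.0.5#51235: query: royalgourp.org IN A + (10.0.0.1)",
    "30-May-2014 09:12:05.789 client 10.0.0.9#40001: query: mail.royalgourp.org. IN MX + (10.0.0.1)",
]

if __name__ == "__main__":
    import tempfile
    # Constructed drop folder; a real sweep would point at user download directories.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "energy_bill.zip").write_bytes(b"constructed placeholder, not the sample")
        print("hash matches:", scan_directory(tmp))   # empty unless the real sample is present
    print("dns hits:", dns_hits(SAMPLE_DNS_LOG))
    print("phishing link:", is_landing_page_url(
        "http://energymar.com/data/electricity/view/get/energy.php?eid=294677459546322"))
```

The hash sweep only catches this exact build; the DNS and URL checks match any subdomain as well, which is why `_host_matches` is shared by both rather than comparing strings exactly.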

I'm still waiting for my lab machine to finish being encrypted so that I may see the ransom message, but as soon as it's finished I will append it to this post.

UPDATED: Here is the ransom message, which appeared rather quickly compared to past versions. The ransom note states that you have been infected with CryptoLocker and have 3 days to pay the ransom or you will lose all of your now-encrypted files. It also goes on to say that you would need more than a million years' time to crack the key they used to encrypt them. In order to decrypt your machine it asks you to contact the attacker via email at decrypt-request@mail.ua, which I'm about to do. I'll let you know what they say ;). Meanwhile stay safe, we have all of these blocked for AppRiver customers.

[Screenshot: the ransom message]

UPDATE:

Sorry this took so long, I've been having issues with this blog platform attempting to erase things as I added new things to it. Regardless, here is the return email I received from my "captor". Also thank you MickyJ, and commenters below. I also included my feelings as to the effectiveness and possible authenticity of this particular version. It could be the original author's version, but broken, but that seems strange too because his original version worked very well. Please read below! Thanks!

[Screenshot: the attacker's reply email]