The Shade (Troldesh) Ransomware: One More Soldier in the Army of Encryption Miscreants

Written by Mickael S. and Tanya K.

Last week, SenseCy analysts happened upon a new sample of Shade ransomware, also known as Troldesh, which uses a no_more_ransom extension for encrypted files. This ransomware is far from famous, lacking the glorious Continue reading “The Shade (Troldesh) Ransomware: One More Soldier in the Army of Encryption Miscreants”

Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)

While monitoring closed platforms that propagate an Islamic State agenda, we detected an initial interest in hacking lessons, focusing on spam and phishing methods. Many discussions in the technical sections of closed platforms affiliated with the Islamic State deal with the implementation of Continue reading “Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)”

Anna-senpai – Analysis of the Threat Actor behind the Leak of Mirai

The Mirai IoT Botnet has made a lot of headlines in recent weeks. While the botnet itself was analyzed and discussed by a number of security researchers and companies, none addressed the threat actor behind the recent attacks and the leak of Mirai source code. Such an analysis can provide useful insights into Continue reading “Anna-senpai – Analysis of the Threat Actor behind the Leak of Mirai”

Cerber Ransomware JavaScript Loader Goes Undetected

We have been closely monitoring Cerber ransomware since it first emerged on a Russian password-protected forum, offered as-a-service for members only.

At present, Cerber ransomware constitutes a sophisticated malware threat to organizations. (it was responsible for more than 25% of the total number of ransomware infections recorded worldwide in June 2016, according to Microsoft). Files encrypted by Cerber are currently non-decryptable.

On August 23, 2016, a member of the same closed forum where Cerber ransomware is traded posted a detailed analysis of the loader that the malware uses to install itself. According to his post, he did this after hearing that the loader is very useful and capable of installing any malware without detection. His conclusion was that the loader does not employ any extraordinary methods to install the ransomware, but its tremendous advantage of being fully undetectable by AV programs is due to the usage of several rare code functions that are difficult to emulate.

First, he posted the full obfuscated code of the loader, explaining parts of it:

  • Replacement of the Eval function, i.e. it receives a parameter that contains JavaScript code and executes it. Usually, AV programs emulate this function. Replacing the Eval function blocks this emulation.
  • Another part of the code creates a Desktop shortcut, probably also as an anti-emulator measure (the post writer comments that in his opinion AV would quickly detect it).
  • The next part of the code is obfuscated – a HEX code which is divided and deobfuscated using XOR.After deobfuscation, we can see that the code contains anti-emulation.
  • Then a random string is created and a path from %TEMP% environment obtained for it.
  • The next stage involves downloading the malicious file from an URL address and saving it in the system.
  • A parameter is added to the header to block AV bots and researchers: setRequestHeader(‘cerber’,’true’)
  • If the malicious payload was downloaded properly, it is executed.
  • Finally, the Eval alternative is launched.

Summarizing the analysis, the post author concludes that the advantages of the loader are a good implementation of the payload download and execution and errors control. The disadvantages he mentions are weak implementation of obfuscation and anti-emulation, and low level of usability functionality. He also attached an AV scanner report from August 23, showing a detection rate of 15/40.

Several days later, on August 27, 2016, the same forum member posted that he had analyzed the latest version of the loader and was surprised by the fact it is totally undetectable by AV programs. Moreover, this version is capable of installing payloads from several alternative URL addresses and it uses improved debugging. This version does not use anti-emulation at all, but employs a unique method that totally blocks the AV syntax emulation. 

Below is a description of the main techniques used by the loader to remain undetected:

  • Replacement of the Eval function (even though it is a simple technique, it is used extensively by JS packers and therefore cannot be detected by AV as malicious).
  • The part of the code that avoids emulation is an array that contains random data, with the first element being the important one. The functions Math.floor and Math.random always output only the first element in the array and AV cannot properly emulate them. Full undetectability is achieved by using these two functions.

The emulator will always output one single value and will never reach the part of the array when the right value is located. As a result, the emulator cannot perform the calculations, a critical error occurs and the AV programs are unable to identify the loader as a malicious file.

1
The message that analyzes what code feature allows the malware to avoid AV detection

The post author attached an AV scanner report showing a 0/35 detection rate (as of August 27, 2016).

2
The scan showing that the loader is not detected by AV engines

SenseCy Investigates The English-Language Underground

In 2015 we saw an active underground trading of exploits, botnets and spam tools. The number of Ransomware sales were much lower than it was expected by cyber security experts. Investigate the key trends in hacking tools commerce observed on the English-language underground in 2015 from our short Infographic.

Please contact us to receive your complimentary 2015 SenseCy Annual Cyber Threat Intelligence Report. https://www.sensecy.com/contact

English-language underground_2015

SenseCy 2015 Annual Cyber Threat Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

SenseCy’s 2015 Annual CTI Report spans the main trends and activities monitored by us in the different cyber arenas including the world of Arab hacktivism, the Russian underground, the English-speaking underground, the Darknet and the Iranian underground. In addition, we have listed the major cyber incidents that occurred in 2015, and the most prominent attacks against Israeli organizations.

The following is an excerpt from the report. To receive a copy, please send a request to: info@sensecy.com

Executive Summary

2015 was a prolific year for cyber threats, so before elaborating on our main insights from the different arenas covered here at SenseCy, we would like to first summarize three of the main trends we observed in 2015.

Firstly, when reviewing 2015, we recommend paying special attention to the evolving world of ransomware and new applications of this type of malware, such as Ransomware-as-a-Service (RaaS), and ransomware targeting cloud services, as opposed to local networks and more.

Secondly, throughout 2015, we witnessed cyber-attacks against high-profile targets attributed to ISIS-affiliated hackers and groups. One such incident was the January 2015 allegedly attack against the YouTube channel and Twitter account of the U.S. Central Command (CENTCOM).

Thirdly, 2015 revealed a continuing interest in the field of critical infrastructure among hackers. Throughout the year, we witnessed multiple incidents of critical infrastructure firms allegedly targeted by hackers, prompting periodic analyses addressing the potential vulnerabilities of critical sectors such as energy, water, and more. Taking into consideration the advanced capabilities and high-level of understanding of such systems required to execute such attacks, many security firms and experts are confident that these attacks are supported by nation-state actors.

Insights

The following are several of our insights regarding activities in different cyber arenas this past year:

Islamic Hacktivism

During 2015, we detected several indications of anti-Israel cybercrime activity on closed platforms frequented by Arabic-speaking hackers. It will be interesting to see if these anti-Israel hacktivists that usually call to deface Israeli websites or carry out DDoS attacks will attempt to incorporate phishing attacks, spamming methods and tools into their arsenals. Notwithstanding, Islamic hacktivism activity continues unabated, but without any significant success.

Trade on Russian Underground Forums

The prominent products currently traded during 2015 on Russian underground forums are ransomware programs and exploits targeting Microsoft Office. With regard to banking Trojans, we did not notice any major developments or the appearance of new Trojans for sale. The PoS malware field has not yielded any new threats either, in contrast to the impression given by its intensive media coverage.

Mobile malware for Android devices is on the rise as well, with the majority of tools offered being Trojans, but we have also detected ransomware and loaders.

Prices on the Russian Underground have remained unchanged during the past two years, due to the vigorous competition between sellers on these platforms.

Different kinds of services, such as digital signing for malicious files, injections development for MitM attacks and crypting malware to avoid detection were also extremely popular on Russian forums.

Exploits and exploit kits on the Russian underground
Exploits and exploit kits on the Russian underground

The English-Language Underground

Our analysis of password-protected forums revealed that exploits were the best-selling products of 2015. This comes as no surprise, since exploits are a vital part of almost every attack.

The Darknet made the headlines on multiple occasions this year, mostly owing to databases that were leaked on it and media reports recounting FBI activities against Darknet users. Furthermore, this year saw increased activity by the hacking community on the Darknet, manifested in dedicated markets for the sale of 0-day exploits and the establishment of several new hacking forums.

Sales of hacking tools in the English-language underground
Sales of hacking tools in the English-language underground

The Iranian Underground

With regard to Iranian threat actors, 2015 was a highly prolific year, with attack groups making headlines around the world. Delving deeper into the Iranian underground, we uncovered several interesting trends, some more clear than others.

One main development in 2015 was the persistent interest in critical infrastructure, with underground forum members sharing and requesting information related to industrial control systems and other related components. With Iranian actors becoming increasingly drawn to this field, we assess that this trend will remain relevant in 2016 as well.

Another growing phenomenon is the stunted life cycles of Iranian cyber groups, many with a life-span of just several months. This trend makes it difficult to monitor the different entities active in the Iranian cyber arena and their activities. To understand the constant changes in this realm, this short life cycle trend must be taken into consideration and the Iranian cyber arena continuously monitored.

That said, we must not overlook one of the most prominent characteristics of Iranian attack groups – confidentiality. With attacks attributed to Iranian actors becoming more sophisticated and high-profile, we believe that the divide between medium-level practices of malicious activity and alleged state-sponsored activity by attack groups will remain pronounced.

Screenshot from the IDC-Team forum showing, among other things, the list of “Hottest Threads” and “Most Viewed Threads” on the forum
Screenshot from the IDC-Team forum showing, among other things, the list of “Hottest Threads” and “Most Viewed Threads” on the forum

ISIS – Cyber-Jihad

On the other side of the Arab-speaking cyber world, we can find ISIS and its evolving cyber activities. There is disagreement between intelligence firms and cyber experts about the cyber offensive capabilities of the Islamic State. In addition, there is a high motivation among hackers that identify with the group’s fundamentalist agenda to carry out cyber-attacks against Western targets, especially against those countries actively involved in the war against the group in Iraq and Syria.

Is There A New njRAT Out There?

The answer to this question is Yes and No (or Probably Not).

Recently, we noticed a heated debate among Arabic-speaking hackers regarding rumors about a new njRAT version, dubbed v0.8d. Some doubted the credibility of the report, cautioning that the new version was probably a fake that would infect everyone who tried to use it. They also claimed that the original njRAT programmer, njq8, had stopped updating it.

Notwithstanding, there is a tutorial with a download link that shows the features of the new version. The video was published on several YouTube accounts and some of them linked the new version to an unknown hacker called Naseer2012 (whose name is similar to njq8‘s real name). In addition, this new njRAT version has aroused interest among Portuguese-speaking hackers, raising assumptions that the njRAT v0.8d developer is actually “Ajnabi” (foreign in Arabic).

The allegedly new njRAT version piqued our curiosity, so we downloaded it from the tutorial. First, the GUI of the new version closely resembles njRAT v0.7d. In addition, our technical analysis revealed that it belongs to the njRAT malware family, based on its Imphash (hash based on portable executable imports that are the functions of the specific malware) and its network signature.

However, it does not have any unique capabilities that distinguish it from the old 0.7d version. Its capabilities, according to our technical analysis, are keylogging, remote shell, remote desktop, password recovery, registry manager, file manager, remote webcam, microphone control, download & execute and DDoS. Unlike njRAT v0.7d, this malware does not have any security features, other than change icon. It can be spread by USB.

njrat
njRAT v0.8d user interface

Notably, the fact that Naseer2012 thanks njq8 suggests it this not an official upgraded version of the njRAT malware developed by the original programmer.

njrat2
Naseer2012 thanks njq8

Since the source code of the worm version of the famous njRAT malware (Njw0rm) was leaked in May 2013, many hackers have developed new malware under different names with numerous capabilities, security features and propagation protocols. However, they all have a common behavior pattern, since they are based on the same source code. In addition, our technical analysis of different RAT malware samples that we detected during 2015 revealed that almost a dozen of them belong to the njRAT family.

So we can all relax as there is no new official njRAT version, but rather a new GUI and new technical indicators of another njRAT-based malware sample.

The following is a YARA rule based on our technical analysis:

rule njrat_08d
{
meta:
author = “SenseCy”
date = “23-12-2015”
description = “Njrat v0.8d”
sample_filetype = “exe”

strings:
$string0 = “U0VFX01BU0tfTk9aT05FQ0hFQ0tT” wide
$string1 = “netsh firewall delete allowedprogram” wide
$string2 = “netsh firewall add allowedprogram” wide
$string3 = “cmd.exe /k ping 0 & del” wide
$string4 = “&explorer /root,\”%CD%” wide
$string5 = “WScript.Shell” wide
$string6 = “Microsoft.VisualBasic.CompilerServices”
$string7 = “_CorExeMain”
$string8 = { 6d 73 63 6f 72 65 65 2e 64 6c 6c }

condition:
all of them
}

The following are technical indicators of njRAT v0.8d stub files that we created in our technical lab:

MD5: 2c7ab4b9bf505e9aa7205530d3241319
SHA1: 31112340c4f36c7153bef274f217726c75779eaf
MD5: 620c8dc42dcad7d8e72dd17ac2fa06a1
SHA1: d88907822d7d7f14347059ba0b85d9f7d50a6d7a

2015 Activity Timeline: Allegedly ISIS-Affiliated Cyber-Attacks

What are the real ISIS capabilities in the cyber domain?

Any ISIS activities become a hot topic after destructive events organized by the Islamic State (IS) during 2015. The whole world is concerned about ISIS plans and afraid of another bloody attacks.

One of the most discussed topic is the Islamic State offensive capabilities in the cyber space. In 2015 various organizations were hit by a number of cyber-attacks allegedly launched by IS hackers. Nevertheless, some cyber security experts presume that a sophisticated group of Russian hackers stands behind the attacks against a French TV station in April 2015 and the hijacking of the CENTCOM Twitter account in January 2015. Anyway, let’s have a look at the timeline of cyber-attacks that are related to ISIS in 2015. Investigate the Infographic. We will appreciate your opinion regarding ISIS cyber capabilities.

Infographic_ISIS

During January 2016 we will publish our annual Cyber Threat Intelligence report, in which you could find fascinating information regarding ISIS cyber activities, recent developments in the Russian underground, technical analysis of self-developed malicious tools that we identified this year, new trends in Darknet platforms, and more.

Shell Profiles on the Russian Underground

Russian underground cyber-markets are known venues for purchasing high-quality hacking tools and services. Many such tools, popular worldwide, make their first appearances on closed Russian forums. There are two main types of sellers on these platforms: well-known members with seniority and strong reputations, who have already sold tools and received positive buyer feedback, and an emerging “shell profile” type of user. According to our recent analysis, such users typically register to a forum a few days before posting an advertisement for the tool. These new users often enlist the aid of forum administrators and more senior members, by providing them with a copy of the tool for their review, and thus gain the trust of potential buyers.

CTB-Locker

For example, CTB-Locker, a malware program, was first advertised on a Russian underground forum on June 10, 2014 by a user called Tapkin. This ransomware scans the computer for data files, encrypts them with a unique algorithm, and demands a ransom to release them. Tapkin registered on this forum on June 2, 2014, several days before posting the advertisement, and posted a total of five messages to the forum, all on the subject of CTB-Locker. Around this time, a user by the same name posted identical information on other forums.

Tapkin registered to another Russian underground forum on June 13, 2014, and three days later, he advertised the tool on the forum. This was the first and only thread that Tapkin started on this platform, and all of his posts were about this topic.

Tapkin stopped selling CTB-Locker on June 27, but on November 19, 2014, he posted another advertisement, this time for “serious” clients only. Tapkin last advertised the ransomware on a carding forum on December 8, 2014, after registering to this forum the same day.

Thus, in three cases, Tapkin registered to a forum a few days before posting an advertisement for the tool and did not participate in any other forum discussions. As a newly created profile, Tapkin lacked seniority and therefore had low credibility. However, our impression is that this user demonstrates knowledge regarding the tool, its capabilities and can answer questions regarding the technical component of the tool fluently. An analysis of Tapkin’s posts indicates that behind the shell profile is not one person, but rather a group of people who developed the tool together.

Forum comments indicating the presence of a team behind the username Tapkin
Forum comments indicating the presence of a team behind the username Tapkin

This username appears to have been created for the sole purpose of selling the ransomware, which was only advertised on Russian-speaking platforms. On May 19, 2015, a well-known forum user posted a message stating that his computer had been infected by CTB-Locker and asking for Tapkin. However, Tapkin had by then already disappeared.

Forum member post searching for Tapkin in correlation with CTB-Locker
Forum member post searching for Tapkin in correlation with CTB-Locker

Loki Bot

Another example of malware advertised by a new forum member is the Loki Bot password and coin wallet stealer. Loki Bot, written in C++, can steal passwords from browsers, FTP/SSH applications, email accounts, and poker clients. It has an option to configure C&C IP addresses or domains.

Bot-selling advertisement
Bot-selling advertisement

This bot, which works on Windows versions XP, Vista, 7, 8, and 8.1, is relatively new and is still under development. It was first advertised on a well-known Russian underground forum in early May 2015 by a new user with no reputation. A week later, a user by the same name registered on two other well-known underground forums attempted to boost his credibility by sending the forum administrator a test version of the malware. Similar to the previous example, we assume that a group of people is behind this user as well.

Forum administrator approves a new tool advertised by a “shell profile” user (May 18, 2015)
Forum administrator approves a new tool advertised by a “shell profile” user (May 18, 2015)

We can see that new users are registering on Russian underground forums for one purpose only, to sell a particular malware program, and their entire online presence is focused on this. They register to a forum a few days before posting an advertisement for the tool and do not participate in other forum discussions. Newly created profiles lack seniority and therefore have low credibility ratings. Sometimes such users attempt to improve their credibility by sending the forum administrator a test version of the malware. In some cases we can see that behind the shell profile there is a team, and not an individual. They appear suddenly and disappear just as suddenly after their business is completed.