----- ## ASEC REPORT #### VOL.88 [Q3 2017] ###### ASEC (AhnLab Security Emergency Response Center) is a global security response group consisting of malware analysts and security experts. This report is published by ASEC and focuses on the most significant security threats and latest security technologies to guard against such threats. For further details, please visit AhnLab, Inc.’s homepage (www.ahnlab.com). ###### SECURITY TREND OF Q3 2017 ###### Table of Contents ----- ----- ###### Security Issue ### Emotet Returns to Prey on Banking Information ###### On August 2017, AhnLab confirmed, via AhnLab Smart Defense (ASD), its cloud-based malware analysis system, that the malware Emotet is once again being distributed through spam botnet. First spotted in 2014, Emotet is a trojan that hijacks financial information. The newly-resurfaced Emotet features modular functions for extracting the victim’s financial transaction information, downloading the relevant module from the C&C server to perform its activities. This report examines the distribution vector and operational features of Emotet, including a detailed analysis of the malware’s primary attack patterns. Distribution and operation of Emotet Analysis by AhnLab revealed that Emotet strain propagated last quarter was carried via spam botnet as email attachments. The overall attack pattern of Emotet is as shown in Figure 1-1. ----- ① User downloads and runs Emotet via spammed email attachment ② Emotet is added to the autorun registry ③ System OS information, list of running processes, the malware’s PE CRC, computer user name and volume serial number are encrypted and sent to the C&C ④ Additional modules are downloaded from the C&C server to perform additional malicious activities ⑤ Downloaded modules are run Figure 1-1 | Attack pattern of Emotet ###### The Word document files included in the spammed email spread via botnet contains a malicious macro as shown in Figure 1-2. Figure 1-2 | Malicious macro contained in the Word file attachment of the spammed email ###### The document contains instructions such as “Macros have been disabled – Enable Content” to trick the user into running the macro. Once the user enables the macro function, an obfuscated powershell command as shown in Figure 1-3 is executed, which downloads a malicious file, Emotet loader, from an external URL and runs it. ----- ###### Key activities Once the Emotet loader is executed, the malware first registers itself as a service in Windows. ① Registered as service to enable repeat execution of the Emotet loader ② Computer name, OS information, list of running processes acquired ③ Hijackes information using Crypto API ④ Encrypts data communicated with C&C server ⑤ Data received from C&C server decrypted, and modules executed ###### User information is extracted next, and the malware communicates with the C&C server to download the modules required for additional activities. Table 1-1 lists the key activities performed by the Emotet loader. Table 1-1 | Malicious activities carried out by the Emotet loader ###### 1. Service registry The Emotet loader calls the OpenSCManagerW API to check administrative privileges for installing and enumerating services. If the loader successfully obtains admin privilege, a routine for registering the Emotet loader as a service is executed, and a copy is dropped into the path %Windir%\System32. Figure 1-4 | Calling OpenSCManagerW to check admin rights ###### The 0x40884A code as shown in Figure 1-4 reveals that the value assigned to DS:[40B2A4] is determined by the result of the OpenSCManagerW API call. The value per byte in the DS:[40B2A4] of the 0x4088EC code in Figure 1-5 defines the destination of the self-duplicate of Emotet loader. ----- ###### The location where the Emotet loader places a copy of itself is determined by whether admi nistrative privileges have been successfully obtained; the paths are as shown in Table 1-2. |Privilege secured|%Windir%\System32| |---|---| |Privilege not secured|%Appdata%\Local\Microsoft\Windows| Table 1-2 | Self-duplicated locations for the Emotet loader ###### The loader choses two random keywords from the list of keywords for service and file creation as shown in Table 1-3 to determine the file name of its copy. agent,app,audio,bio,bits,cache,card,cart,cert,com,crypt,dcom,defrag,device,dhcp,dns,event,evt,flt,gdi,group,help,home,host,info,iso,laun ch,log,logon,lookup,man,math,mgmt,msi,ncb,net,nv,nvidia,proc,prop,prov,provider,reg,rpc,screen,search,sec,server,service,shed,shedul e,spec,srv,storage,svc,sys,system,task,time,video,view,win,window,wlan,wmi Table 1-3 | Key words used to create the service and file ###### The selected keywords are combined into name of the self-duplicated file and service. Figure 1-6 | Configuring the service description ###### After service creation, the Emotet loader calls the ChangeServiceConfig2W API as shown in Figure 1-6 to change the service description. The API copies a random description from an ----- ###### existing service to change the description of the new service. 2. User data collection After completing the service creation process, the Emotet loader begins gathering user information. The loader extracts system OS version, computer name, volume serial number, list of processes, and running PE CRC information. Then the hijacked information is transmitted to the C&C server after the encryption. The extraction of user information such as OS data and PE CRC32 were observed as shown in Figure 1-7. Figure 1-7 | Hijacked user and system information ###### 3. Data encryption via Crypt API Emotet loader encrypts the collected user information, using either a custom encryption or the Crypt API. In case of the latter, the file contains the RSA public key as shown in Figure 1-8, which is used to encrypt the random AES-128 symmetric key called by the CryptGenKey API. Figure 1-8 | Codes for extracting the RSA public key and generating the AES-128 random key ----- ###### As shown in Figure 1-9, Emotet loader file contains the RSA public key stored by the attacker; the key decoded by the CryptDecodeObjectEx API is shown in Figure 1-10. Figure 1-10 | The key decoded by RSA public key ###### Finally, the Emotet loader uses the CryptEncrypt API for AES-128 CBC mode encryption and generates hash values for the data. The AES-128 key value used in the encryption is extracted by the CryptExportKey API and copied to memory. Figure 1-11 | Data encryption process ----- ###### 4. Encrypted data sent to the C&C server When the data encryption process is fully complete, the Emotet loader uses POST to transfer the encrypted data to the C&C server, as shown in Figure 1-12. Figure 1-12 | POST data transfer A notable feature is that the C&C server re ###### turns a 404 error value to the client in response as shown in Figure 1-13, which in fact contains additional encrypted malicious modules. Figure 1-13 | POST transfer and 404 error ###### While the C&C server was blocked during the time of this investigation preventing a verification of the nature of this malicious module, the actual size of the response value sent to the client under normal circumstances is known to exceed 0x1c000. 5. Encrypted data received from C&C server decoded and executed While acquiring the malicious modules from the blocked C&C server proved to be unavailable, static analysis of the loader revealed the nature of the malicious activities performed by the additional modules. As shown in Figure 1-14, the Emotet loader performs data decoding after receiving a response value from the C&C server and executes a file presumed to be the newly downloaded module. ----- ###### Finally, with the execution of the additional modules on the infected system, a module is injected into the current Web browser and activated to hijack user information. ###### The list of additional malicious modules downloaded from the C&C server are shown - Network distribution module - Spammed email module - Browser-injected financial data hijack module Table 1-4 | Additional modules downloaded from the C&C server ###### in Table 1-4. The relevant alias of the Emotet malware identified by V3 products, AhnLab’s anti-virus pro gram, is as below: • Trojan/Win32.Emotet (2017.09.20.00) ----- ----- ###### Threat Review ### Q3 2017 Ransomware Trends ###### The relentless assault by ransomware continued during the third quarter of this year. A large number of Locky variants appeared, in addition to an increasing variety of ransomware including RaaS (Ransomware as a Service). This report presents the ransomware trends of the third quarter 2017. 1. Locky Variants Another hail of Locky variants dropped during the third quarter 2017. Although these variants used different types of email attachment or encrypted file extensions, the ransom note generated after the encryption process revealed their family ties to Locky. Lukitus Sporting the extension .lukitus for its encrypted files, Lukitus is a strain of Locky that uses a Windows Script Host error message to lure users. Propagated via spammed emails, this ransomware uses enticing titles such as “Voice message attached” or “Pictures” to invite clicking. The actual payload, however, is a compressed file written in JavaScript (JS) which downloads and runs the ransomware. ----- ###### By clicking the attachment, the JS file exe cutes Windows Script Host. However, an error message is displayed on the screen as shown in Figure 2-2 to confuse the user into thinking Figure 2-2 | Fake error message that an error has occurred. ###### While the user may think an error has occurred due to the popup message in Figure 2-2, wscript.exe is executed in background as seen in Figure 2-3. Figure 2-3 | wscript.exe executed ###### When executed, Lukitus shows a ransom note as shown in Figure 2-4, identical to that of existing Locky ransomware. Ykcol Yet another Locky variant named Ykcol sur Figure 2-4 | The ransom note displayed by Lukitus, identical to Locky’s ----- ###### faced in mid-September. This ransomware assigns the extension .ykcol to encrypted files, which is Locky spelled backwards. The ransomware is distributed by spammed emails bearing the subject “Status of Invoice”. Similar to Locky attaching a .7zip compress ed file in emails, this variant also uses an attachment compressed as .7zip or .7z to evade mailing filters. Uncompressing the file contained in the email will generate a VBS (Visual Basic Script) file. Figure 2-5 | Spammed email containing a .7z file Running the VBS file will initiate downloading ###### of the actual ransomware file from a URL hardcoded in the file. The downloaded ransomware encrypts the files in the user’s PC and changes their extensions to .ykcol as shown in Figure 2-6. Figure 2-6 | Files given .ykcol extensions after encryption ###### Like Lukitus, Ykcol also displays the identical ransom note as Locky. ----- ###### 2. CryptoMix variants CryptoMix is another ransomware with a stable of variants as extensive as Locky. CryptoMix was discovered in May of 2016 and became famous for its extensive list of variants. CryptoShield 1.0 and 2.0, Revenge, Mole and Wallet are all classified as CryptoMix variants, and additional strains were discovered in July. Azer Spotted on July 5, Azer was written in Visual C++. Once the user’s system is infected, the ransomware duplicates itself to the Application Data folder and runs. Azer modifies the registry to include itself in the system’s startup programs, to ensure that the encryption process is not interrupted if the PC is shut off or rebooted. Azer adds the extension .azer to encrypted files as shown in Figure 2-8. ----- ###### The .txt ransom note created in the folder containing the encrypted files includes the infected PC’s unique ID and two email addresses for sending the request to release the files as shown in Figure 2-9. One is the address used in the file name, while the other presumably is intended as a refer to the current U.S. president. Figure 2-9 | Azer’s ransom note and instructions for recovery ###### Exte Discovered on July 14, Exte is another CryptoMix variant written in Visual C++, and is thus almost identical with the aforementioned Azer in duplicating itself and modifying the registry. Exte adds the extension .EXTE to encrypted files. ----- ###### Unlike Azer, the ransom note created by Exte in the encrypted file folder provides three email addresses from different domains including “exte” in the name. Furthermore, unlike Azer that beings the infected PC’s unique ID with “You ID”, Exte uses the heading “Decrypt-ID”. Figure 2-11 | Exte’s ransom note with instructions for file recovery ###### 3. Ransomware-as-a-Service (Raas) Ransomware-as-a-Service (RaaS) or ransom ware developed and managed by third parties for a price, began to appear in 2016. The ransomware Shifr, discovered in the third quarter of this year, is one of these RaaS. The attackers require only a simple set of information such as bitcoin address, Figure 2-12 | Potential attackers need only to fill out three fields to request a ransomware ----- ###### the ransom amount and a captcha check; while other fabricators ask for a bitcoin address, email, and desired amount of ransom to be demanded and the file extension to be used. This enables anyone to handily order up Shifr ransomware. The provider for the Shifr service demands a 10% cut of the profits, a relative bargain for the attacker compared to the average rate of half the profits by other providers. These features may lead more attackers to turn to Shifr. Figure 2-13 | Shifr’s RaaS ###### Files encrypted by Shifr are given the extension .shifr, as shown in Figure 2-14. Figure 2-14 | Files encrypted by .shifr ###### Shifr encrypts document files and pictures, commonly found in all systems, but leaves compressed files untouched. ----- ###### Once the encryption of the files in a system infected by Shifr is completed, a ransom note file is created on the desktop, as shown in Figure 2-15. This is a unique feature of Shifr, as most ransomware create a ransom note in Figure 2-15 | Ransom note dropped on the desktop each folder containing encrypted files. ###### The ransom note created by Shifr and placed on the desktop only contains a simple message “Your files have been encrypted” as shown in Figure 2-16, and a link for instructions on how to decrypt the files. The note is very simple, compared with those of other ransomware that include detailed instructions on ransom payment and file recovery. Figure 2-16 | Shifr’s minimalist ransom note ###### 4. Ransomware flavored with social engin eering Shade, a ransomware that disguises itself as a scanned document sent by an all-in-one printer, surfaced in late July. This ransomware appears to be designed to target users in corporate environments that often encounter Figure 2-17 | Shade ransomware disguised as an emailed scanned document ----- ###### scanned documents as part of their daily routines. The ransomware uses a password-protected document file in an advanced attack pattern that sets itself apart from the competition. As shown in Figure 2-17, Shade disguises itself as an email sent by a printer after scanning a file. The ransomware uses an official-looking “noreply” email address to try to assuage the recipient’s suspicions. Opening the Word document file contained in the email produces a popup message asking for the file’s password. Most Word files distributed via spammed email messages do not include passwords. The example above, however, uses a password to lock the document and includes the password in the email message to try to avoid detection. Entering the password contained in the email body runs the macro embedded in the Word file. The macro connects to a particular URL to Figure 2-18 | Downloaded malware ###### download and run the malware. ###### Shade creates a batch file when run, which is used to delete the volume shadow copy containing the Windows system restore point, the remote desktop access history and Windows event records. The ransomware then proceeds with the encryption and alters the file extensions. Most files are targeted for attack, from DOC, PPT, XLS, TXT and other documents to EXE and ZIP files. Once the encryption is complete, the ransomware deletes itself to erase its footprints. ----- ###### It has become widely known that ransomware is distributed as attachments in spammed emails. However, using a password-locked file may buy time for the malicious code to exploit weaknesses. Shade appears to be the latest in such attempts to employ increasingly-advanced attack patterns. ----- -----