Security researchers from Proofpoint found a previously undocumented ransomware that has been spreading since the end of March through Bedep, after infection via the Angler Exploit Kit. Analyzing these findings together with the intelligence of Frank Ruiz (Fox IT InTELL) leads to one conclusion: this project is run by the same group that was driving Reveton ransomware operations. The new ransomware is also closely tied to Angler/Bedep. Dubbed “CryptXXX”, it demands a relatively high ransom ($500 per computer) to unlock the encrypted files.
Angler is known as the number one exploit kit by volume, making the potential impact of new ransomware in the hands of experienced cyber criminals with access to this vector quite significant.
On April 15, Angler EK was observed dropping Bedep, which in turn pushed both a ransomware payload and Dridex 222.
In order to alert the victim that they are infected and their files are encrypted, the ransomware creates three types of files, similar to many other types of ransomware such as Locky, Teslacrypt, and Cryptowall:
- de_crypt_readme.bmp
- de_crypt_readme.txt
- de_crypt_readme.html
The new ransomware is being shipped as a DLL dropped by Bedep in folders like those observed below in four separate infections:
- C:\Users\%Username%\AppData\Local\Temp\{C3F31E62-344D-4056-BF01-BF77B94E0254}\api-ms-win-system-softpub-l1-1-0.dll
- C:\Users\%Username%\AppData\Local\Temp\{D075E5D0-4442-4108-850E-3AD2874B270C}\api-ms-win-system-provsvc-l1-1-0.dll
- C:\Users\%Username%\AppData\Local\Temp\{D4A2C643-5399-4F4F-B9BF-ECB1A25644A6}\api-ms-win-system-wer-l1-1-0.dll
- C:\Users\%Username%\AppData\Local\Temp\{FD68402A-8F8F-4B3D-9808-174323767296}\api-ms-win-system-advpack-l1-1-0.dll
CryptXXX does not run immediately after it is dropped; it starts with a delay. The main advantage of this delay from a threat actor’s perspective is that the victim won’t be able to easily connect the encryption to the infection vector (that is, to the compromised or malvertised website).
The ransomware has anti-VM and anti-analysis functions. In particular, CryptXXX:
- Checks CPU name in the Registry
- Installs a hook procedure to monitor for mouse events
Once executed, the ransomware encrypts all files and appends a .crypt extension to each filename.
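The artifacts described above (the de_crypt_readme.* notes, the .crypt extension, and the api-ms-win-system-*.dll payload inside a GUID-named Temp folder) can be turned into a simple host-side triage check. This is an added example, not code from the original post or from Proofpoint; the DLL-path regex generalises the four observed paths, and the sample file paths are constructed for the demo.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Ransom-note names and the .crypt extension come from the writeup; the
# DLL-path regex generalises the observed Temp\{GUID}\api-ms-win-system-*.dll
# drop locations. All sample paths below are constructed for this example.
RANSOM_NOTES = {"de_crypt_readme.bmp", "de_crypt_readme.txt", "de_crypt_readme.html"}
DROPPED_DLL_RE = re.compile(
    r"\\AppData\\Local\\Temp\\\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}"
    r"\\api-ms-win-system-[a-z0-9-]+\.dll$",
    re.IGNORECASE,
)

def classify_path(path: str) -> Optional[str]:
    """Return the CryptXXX indicator class a file path matches, or None."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in RANSOM_NOTES:
        return "ransom_note"
    if name.endswith(".crypt"):
        return "encrypted_file"
    if DROPPED_DLL_RE.search(path):
        return "dropped_dll"
    return None

def scan(paths: Iterable[str]) -> dict:
    """Count indicator hits over a batch of observed file paths (e.g. file-create events)."""
    hits = Counter(c for c in map(classify_path, paths) if c)
    return dict(hits)

def is_likely_cryptxxx(paths: Iterable[str], min_encrypted: int = 3) -> bool:
    """Flag a host when a ransom note was written alongside several .crypt files.
    A single .crypt file alone is not enough: the extension is not unique to this family."""
    hits = scan(list(paths))
    return hits.get("ransom_note", 0) > 0 and hits.get("encrypted_file", 0) >= min_encrypted

# Constructed sample: one dropped DLL, three encrypted files, one note, one legitimate DLL.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\{C3F31E62-344D-4056-BF01-BF77B94E0254}\api-ms-win-system-softpub-l1-1-0.dll",
    r"C:\Users\alice\Documents\budget.xlsx.crypt",
    r"C:\Users\alice\Documents\notes.txt.crypt",
    r"D:\backup\photos\IMG_0001.jpg.crypt",
    r"C:\Users\alice\Documents\de_crypt_readme.html",
    r"C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll",
]

if __name__ == "__main__":
    print(scan(SAMPLE_PATHS), is_likely_cryptxxx(SAMPLE_PATHS))
```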
This ransomware does not only encrypt files locally and on all mounted drives. It also steals Bitcoins and a wide range of other data. Most probably this is because that instance of Bedep has a long history of dropping information stealers in its update stream.
To be precise, it dropped Pony from November 2014 until mid-December 2015. Then, it replaced Pony with an undocumented “private stealer” until mid-March 2016. Considering the data from the recent analysis, the information stealing functions in this ransomware appear to be the same as in the “private stealer” distributed by this instance of Bedep.
Given the infection vector and its history, the new ransomware is directly connected to the Angler/Bedep team. The name of this ransomware is based on two strings found in the unpacked binary:
- Z:\CryptProjectXXX\Loader\InstDecode.pas
- Z:\CryptProjectXXX\Loader\DDetours.pas
There are many similarities between Reveton and CryptXXX:
- Delphi programming language
- Custom C&C protocol on TCP 443
- Delayed start
- DLL called with a custom entry function
- .dat file dropped in %AllUsersProfile% (for CryptXXX this looks like code reuse, as the file contains only the letter x)
- Bitcoin and credential stealing functions
Taking into account the threat intelligence shared by Frank Ruiz (Fox IT InTELL) and the telltale signs revealed in the latest analysis, the connection between CryptXXX and the Reveton team is certain. Given their long history of successful, large-scale malware distribution, CryptXXX will become widespread soon.