TeslaCrypt appeared in February 2015 and has been spreading faster and faster ever since. TeslaCrypt was built on the heels of another popular piece of ransomware, CryptoLocker.
TeslaCrypt is usually delivered via the Angler Exploit Toolkit, which infects websites so that they serve drive-by downloads to anyone unlucky enough to stumble upon them. Lately, however, a few new versions of this malware have started using botnet-delivered email as a means of delivering the payload to victims.
Initially, TeslaCrypt targeted gamers: in addition to encrypting photos and documents, it went after saved game files and Steam activation keys. Since then, this family of malware has moved on to corporate targets, and now to whomever it can find.
Nowadays the samples vary, though most belong to a campaign disguised to look as if it came from the United States Postal Service; the colors and graphics of the emails are chosen to reinforce the ruse. These emails offer their victims an attachment that is supposed to be the invoice receipt for a failed delivery attempt. The file is a zipped archive containing a short, simple obfuscated JavaScript file that acts as the downloader. In this particular ploy, the archive is named USPS_delivery_invoice[.]zip, and the JavaScript files within use the following naming convention: invoice_[random string].js, invoice_copy_[random string].js, or invoice_scan_[random string].js.
Once executed, the JavaScript downloader reaches out to one of several websites, including:
- mafiawantsyouqq[.]com
- lenovowantsyouff[.]com
- whereareyoumyfriendff[.]com
- lenovomaybenotqq[.]com
- ikstrade.co[.]kr
to pull down files such as 93[.]exe, 45[.]exe, and 26[.]exe, among others that follow the same numeric naming convention. Some versions also issue an HTTP POST request to salaeigroup[.]com.
Apart from the USPS-themed attack, users may see the very same JavaScript files attached to emails that are much plainer in appearance and vaguer in content. These use a subject line that is just a date and time, and attachments named with four random letters, as can be seen below.
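The two lure patterns described above (the USPS_delivery_invoice[.]zip archive with its invoice_*.js downloader, and the plainer date-and-time-subject emails with four-letter .js names), together with the download domains and the numeric N.exe payload names, lend themselves to simple mail-gateway and proxy-log checks. The following is an added example written for this page, not code from the original post or from any vendor tool. The domain and file names come from the post; the regular expressions, the proxy-log line format (timestamp, method, host, path), and the sample emails and log lines are constructed assumptions for illustration. The checker inspects zip member names only; it never extracts or runs the JavaScript.

```python
from __future__ import annotations

import io
import re
import zipfile

# Indicators from the post, with the defanging brackets removed so they can be matched.
DOWNLOAD_DOMAINS = {
    "mafiawantsyouqq.com",
    "lenovowantsyouff.com",
    "whereareyoumyfriendff.com",
    "lenovomaybenotqq.com",
    "ikstrade.co.kr",
}
POST_DOMAIN = "salaeigroup.com"

# USPS lure: USPS_delivery_invoice.zip holding invoice_<rand>.js,
# invoice_copy_<rand>.js or invoice_scan_<rand>.js (character set of <rand> is assumed).
USPS_ARCHIVE_RE = re.compile(r"^USPS_delivery_invoice\.zip$", re.IGNORECASE)
INVOICE_JS_RE = re.compile(r"^invoice(?:_copy|_scan)?_[A-Za-z0-9]+\.js$", re.IGNORECASE)
# Plain variant: subject is only a date/time; attachment name is four random letters.
# The exact date/time layout is an assumption; adjust to what the gateway sees.
DATETIME_SUBJECT_RE = re.compile(
    r"^\d{1,4}[/.-]\d{1,2}[/.-]\d{1,4}(?:\s+\d{1,2}:\d{2}(?::\d{2})?)?$"
)
FOUR_LETTER_JS_RE = re.compile(r"^[A-Za-z]{4}\.js$")
# Second-stage payload names such as 93.exe, 45.exe, 26.exe.
NUMERIC_EXE_RE = re.compile(r"^/?\d+\.exe$", re.IGNORECASE)


def js_names_in_zip(zip_bytes: bytes) -> list[str]:
    """List .js member names of an in-memory zip without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".js")]


def classify_email(subject: str, attachment_name: str, attachment_bytes: bytes) -> list[str]:
    """Return the reasons an email matches the TeslaCrypt lure patterns (empty list if none)."""
    reasons: list[str] = []
    if not attachment_name.lower().endswith(".zip"):
        return reasons
    try:
        members = js_names_in_zip(attachment_bytes)
    except zipfile.BadZipFile:
        return ["attachment claims .zip but is not a valid zip"]
    if USPS_ARCHIVE_RE.match(attachment_name):
        reasons.append("USPS_delivery_invoice.zip archive name")
    for member in members:
        base = member.rsplit("/", 1)[-1]  # ignore any directory prefix inside the archive
        if INVOICE_JS_RE.match(base):
            reasons.append(f"invoice-style JS downloader name: {base}")
        elif FOUR_LETTER_JS_RE.match(base) and DATETIME_SUBJECT_RE.match(subject.strip()):
            reasons.append(f"date/time subject with random four-letter JS: {base}")
    return reasons


def suspicious_web_requests(log_lines: list[str]) -> list[dict]:
    """Flag proxy-log lines showing a numeric .exe pulled from a listed domain or a POST to salaeigroup.com."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; assumed format is "<ts> <method> <host> <path>"
        ts, method, host, path = parts[:4]
        if host in DOWNLOAD_DOMAINS and method == "GET" and NUMERIC_EXE_RE.match(path):
            hits.append({"ts": ts, "host": host, "reason": f"numeric exe download {path}"})
        elif host == POST_DOMAIN and method == "POST":
            hits.append({"ts": ts, "host": host, "reason": "POST to salaeigroup.com"})
    return hits


def _make_zip(members: dict[str, bytes]) -> bytes:
    """Build a small in-memory zip for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (not real captures); the .js contents are inert placeholders.
SAMPLE_USPS_ZIP = _make_zip({"invoice_scan_a8Kq2.js": b"// placeholder"})
SAMPLE_PLAIN_ZIP = _make_zip({"qzxt.js": b"// placeholder"})
SAMPLE_BENIGN_ZIP = _make_zip({"report.pdf": b"%PDF-"})
SAMPLE_PROXY_LOG = [
    "2015-12-01T10:02:11 GET mafiawantsyouqq.com /93.exe",
    "2015-12-01T10:02:15 POST salaeigroup.com /",
    "2015-12-01T10:03:00 GET example.org /index.html",
]

if __name__ == "__main__":
    print(classify_email("Delivery failed", "USPS_delivery_invoice.zip", SAMPLE_USPS_ZIP))
    print(classify_email("12/01/2015 10:02", "qzxt.zip", SAMPLE_PLAIN_ZIP))
    print(suspicious_web_requests(SAMPLE_PROXY_LOG))
```

Matching on file and subject patterns alone will produce false positives on legitimate invoice archives, so these checks are best used to quarantine for review or to enrich a proxy alert, and the domain list should be treated as a snapshot: the post itself notes that additional domains and further numeric .exe names follow the same convention.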
An intriguing fact about these versions is that some show an earlier received date even though they are arriving now. This could be by design, or some of them could have been held on their respective remote hosts until today; regardless, they remain just as dangerous and should be avoided.
In any case, users should be aware that ransomware attacks show no real sign of slowing down, since they continue to be highly effective. Users must therefore assume that ransomware is out there in full force. Thus, systems should be backed up regularly, and ransoms should not be paid.