As reported in February, Cerber and other ransomware groups are now offering Ransomware-as-a-Service, giving affiliates/partners a percentage of the collected ransom.

In a new sort of 'two-for-one' malware deal, Cyren has detected variants of the Kovter click-fraud malware being distributed with 'companion' Cerber ransomware by the Kovter malware team. Once the recipient has unknowingly activated the downloader, both pieces of malware are installed and activated. After encrypting files on the victim's machine, the companion ransomware will announce its presence - and the victim will immediately be aware of the existence of that specific malware on their computer.

However, the click-fraud Kovter malware is designed to operate silently and definitively does not announce its presence. This leaves us to speculate as to why a malware distributor would take the chance of their malware being discovered because of the 'noisy' companion Cerber ransomware; we have three general theories, which are not mutually exclusive:

  1. Cerber encrypts document or image type files in the system, leaving the victim with almost nothing to work on. This might induce the victim to leave the system idle, the ideal environment for the click-fraud malware to get to work.
  2. Once Kovter has been installed, it becomes file-less and is not easy to detect, since most of its components are encrypted and stored in the registry. Therefore if the victim removes Cerber and restores their files, they may inadvertently leave Kovter installed anyway.
  3. If the user pays the ransom, then the Kovter team gets earnings from the ransomware - and per the above will likely continue running a system that has Kovter installed.

Fake Delivery Failure Notifications

Delivery failure notifications are the most commonly used theme in this malware distribution campaign, as shown in Table 1 below.

Table 1: Delivery failure notification emails

Downloader Script

The first thing we notice about the attachments is that both are ZIP files named Delivery-Details.zip, and both are coincidentally 666 bytes in size. The ZIP file contains a folder with a JavaScript file of the same name as the ZIP file, which Cyren heuristically detects as JS/Downldr.HX2!Eldorado.

Figure 1: Attachment file/folder structure
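The attachment structure in Figure 1 (a ZIP whose folder and script mirror the archive name) is a shape a mail gateway can check for before the user ever opens it. The following triage routine is an added example, not Cyren's own tooling; the sample message it builds is constructed and inert, and the script extensions beyond .js are an assumption for broader coverage.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Script extensions to flag; the page documents only .js, the rest are an assumption.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}

def build_zip(entries):
    """Build an in-memory ZIP from {path: text}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in entries.items():
            zf.writestr(path, text)
    return buf.getvalue()

def triage_zip(zip_name, zip_bytes):
    """Findings for one ZIP: any script inside it, and (stronger) a script mirroring the archive name."""
    findings = []
    stem = PurePosixPath(zip_name).stem.lower()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            path = PurePosixPath(info.filename)
            if info.is_dir() or path.suffix.lower() not in SCRIPT_EXTS:
                continue
            findings.append(f"script inside archive: {info.filename}")
            if path.stem.lower() == stem:
                findings.append(f"script name mirrors archive name: {stem}")
    return findings

def triage_message(raw):
    """Walk a raw RFC 822 message and triage every ZIP attachment it carries."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            report[name] = triage_zip(name, part.get_payload(decode=True))
    return report

def build_sample_eml():
    """Constructed sample: a fake delivery-failure mail with an inert Delivery-Details.zip."""
    msg = EmailMessage()
    msg["Subject"] = "Delivery Failure Notification"
    msg.set_content("Your parcel could not be delivered. See attached details.")
    msg.add_attachment(build_zip({"Delivery-Details/Delivery-Details.js": "// inert\n"}),
                       maintype="application", subtype="zip", filename="Delivery-Details.zip")
    return msg.as_bytes()
```

Run `triage_message(build_sample_eml())` to see both findings raised for the constructed sample; a ZIP holding only a PDF returns an empty list.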

Inspecting the content of Delivery-Details.js reveals a very small piece of code which iterates over a list of URLs, attempting to download and execute another script from each. Further research reveals that the group behind these malware outbreaks are taking extra precautions, using multiple, possibly short-lived, servers to hide their activities.

Figure 2: Downloader Script

Running the script in a script emulator shows the following sequence of events:

Figure 3: Emulation sequence of events

At lines 8-12, we can see that JS/Downldr.HX2!Eldorado was able to download a script payload from one of the five URLs in its list; upon download, it immediately executes the script payload using eval().

The downloaded script payload appears to be obfuscated using string concatenation, which forms another downloader script with a similar list of URLs, from which it attempts to download and execute two EXE files. These files are usually downloaded from the same server as iterated in its URL list.

Figure 4: Downloaded script payload

Executable Payloads

The first executable, exe1.exe, is yet another variant of the Cerber ransomware, which Cyren detects as W32/Cerber.MX. The ransomware searches for and encrypts files in the affected system, leaving behind ransom notes in the encrypted folders, and changes the desktop wallpaper as shown in Figure 5.

Figure 5: Cerber ransom notes

The second executable, exe2.exe, disguised as the media player WinAmp, is a variant of Kovter, a malware family known to have evolved drastically over the years. This Kovter variant is heuristically detected by Cyren as W32/Kovter.T.gen!Eldorado.

Figure 6: W32/Kovter disguised as WinAmp

Similar to the known variants of this malware, it also employs file-less persistence in the system by hiding its components in the system registry, and takes advantage of Windows PowerShell to load and execute its core module into memory. Since Windows PowerShell is a key component in its persistence mechanism, it will first check if Windows PowerShell is installed in the system, and (if not) will download and silently install the legitimate Windows patch installers for this Windows component.

Once the malware has put everything in place to persist in the system, it proceeds to gather system information and sends this out to its control server at either hxxp://185.117.72.90/upload.php or hxxp://185.117.72.90/upload2.php. It uses a configuration file, which is encrypted and stored in the malware binary's RCDATA resource. This configuration file contains much of the information needed by Kovter to run its malicious routines, including the download and control server links used during its initial routines.

Figure 7: Decrypted Kovter config file
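The persistence mechanism described above (encrypted components kept in the registry, PowerShell used to pull them into memory) leaves a recognisable shape in process-creation telemetry even though nothing touches disk. The scorer below is an added example, not part of Cyren's report; the sample events are constructed, and the specific cmdlets and switches it looks for are assumptions about how such a loader surfaces, since the page does not show Kovter's actual command line.

```python
import re

# Constructed process-creation events (Sysmon-style fields, simplified). The
# command lines are assumptions about how a registry-resident PowerShell loader
# surfaces; the page states only that Kovter keeps encrypted components in the
# registry and uses PowerShell to load its core module into memory.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -w hidden -c \"iex ([Text.Encoding]::ASCII"
                ".GetString((Get-ItemProperty 'HKCU:\\Software\\x').y))\""},
    {"host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "ws03", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

# Each indicator is (label, weight, pattern). Registry reads and in-memory
# execution are the two halves of the fileless pattern; a hidden window is weaker.
INDICATORS = [
    ("reads registry value", 2, re.compile(r"HKCU:|HKLM:|Registry::|Get-ItemProperty|\bgp\b", re.I)),
    ("executes in memory", 2, re.compile(r"Invoke-Expression|\biex\b|-EncodedCommand|-enc\b|FromBase64String", re.I)),
    ("hidden window", 1, re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
]

def score_event(ev):
    """Return (score, reasons) for one event; non-PowerShell images score 0."""
    if not ev["image"].lower().endswith("powershell.exe"):
        return 0, []
    reasons = [label for label, _, rx in INDICATORS if rx.search(ev["cmdline"])]
    score = sum(w for label, w, _ in INDICATORS if label in reasons)
    # Both halves together is the loader shape; boost so it clears the threshold alone.
    if "reads registry value" in reasons and "executes in memory" in reasons:
        score += 2
    return score, reasons

def find_fileless_loaders(events, threshold=5):
    """Hosts whose PowerShell command line looks like a registry-resident loader."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["host"], score, reasons))
    return hits
```

A legitimate scheduled script run with -File (ws02) scores zero, so the threshold separates the registry-to-memory pattern from ordinary PowerShell use.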

This malware collects and sends out quite a lot of system information, including whether any of the following analysis environments and tools are present:

  • Virtualization
    • VirtualBox
    • VirtualPC
    • QEmu
    • VMWare
  • Sandboxing
    • JoeBox
    • Sunbelt (CWS)
    • iDefense SysAnalyzer
  • Monitoring Tools
  • Network Analysis Tools
    • WireShark
    • Fiddler
    • HTTPAnalyzer
    • Charles
  • Anti-malware

Being an adware click-fraud Trojan, the malware then proceeds to silently visit websites, triggering clicks on advertisements by injecting JavaScript code that automatically clicks document element tags, as shown in the figure below.

Figure 8: Kovter adclick-fraud scripts


Cyren Ltd. published this content on 24 March 2017 and is solely responsible for the information contained herein.
Distributed by Public, unedited and unaltered, on 28 March 2017 00:49:04 UTC.

Original document: https://blog.cyren.com/articles/kovter-now-distributed-with-cerber.html

Public permalink: http://www.publicnow.com/view/6EF5109FCA5A6CFAD9DD4FF731EB5724A9843E74