Recently, a new variant of the ransomware family named CryptXXX has begun circulating around the web. Fortiguard Research Lab has discovered several new variants during the life of this family of attacks. In this blog we will discuss a particular variant, which arrived in the form of an executable (.exe), as opposed to previous variants that were based around dynamic-link library (.dll) files.
The unpacked binary of this variant is smaller than its peer ransom families. However, don’t underestimate it. Its sleek executable, classic ransomware behavior, and forthright approach in binary communication is just as effective in achieving the goal of infecting a victim’s machine, and demanding payments in BitCoin, as any of its predecessors.
We recently reverse engineered this new variant in our labs. After the sample is unpacked, the disassembled code is visible. However, there are no APIs in the import table. Instead, CryptXXX enumerates all the APIs in the associated dll library, and uses a custom hashing algorithm to resolve their addresses.
Figure 1 Algorithm for Resolving APIs
This variant is a curious one for now. It calls the CPUID instruction to check if it is running in a virtual environment. However, it would still carry on as normal even if a virtual environment is detected. It simply sends the information about its environment back to the C&C when it registers itself the first time it communicates home.
Figure 2 Check Virtual Environment with CPUID
As mentioned above, this malware has a forthright approaching in communicating with its C&C using plain binary traffic. This variant uses five different commands to communicate with the C&C, and requests various information that is necessary for it to carry out its ransomware action successfully. The unique personal ID used in identifying each victim comes from the UUID of the machine GUID.
The figure below shows the hard-coded Variant ID for this particular variant. Part of the string that follows ‘U000022’ is also sent to the C&C.
Figure 3 Variant ID & BOTID String
1st C&C Command = 0x11
The first message is used to register the botnet with its C&C server. This message also contains all the information that it has collected about the victim’s machine, such as OS version, Personal ID, etc. There is no response expected from the server.
2nd C&C Command = 0x14
After registering itself, the botnet contacts the server for a ransom note in text format. A screenshot of the traffic captured is shown below. A response with the ransom text is then sent back from the server.
Figure 4, below, shows the ransom text where a string has been sent back as a placeholder container. The bot then writes the ransom note to a text file, and replaces the placeholder string with its dynamically generated Personal ID.
Figure 4 Second C&C Communication Captured
Figure 5 C&C Response from Server
3rd C&C Command = 0x15
Similar as before, it requests the ransom note in HTML format
4th C&C Command = 0x12
This command requests a public AES_256 session key from the server
5th C&C Command = 0x13
This is the last command for this variant, wherein it notifies the C&C server of the completion of file infection.
Table 1 below shows a summary of all the C&C request commands, and their format.
Table 1 Commands & Control Traffic Summary
The encryption routine enumerates all drives, starting from D:\ to Z:\, as well as the %USER_PROFILE% folder and all of its subdirectories. CryptXXX gets its public encryption key from the C&C, and use an AES_256 encryption algorithm to encrypt the files.
Figure 6 AES_256 Encryption
It then infects all files with an extension included in the hard coded extension list of 900 entries from the executable. A part of the long list is shown below.
*.3DM *.3DS *.3G2 *.3GP *.4DB *.4DL *.4MP *.A3D *.ABM *.ABS *.ABW *.ACCDB *.ACT *.ADN *.ADP *.AES *.AF2 *.AF3 *.AFT *.AFX *.AGIF *.AGP *.AHD *.AIC *.AIF *.AIM *.ALBM *.ALF *.ANI *.ANS *.APD *.APK *.APM *.APNG *.APP *.APS *.FZV *.GADGET *.GBK *.GBR *.GCDP *.GDB *.GDOC *.GED *.GEM *.GEO *.GFB *.GGR *.GIF *.GIH *.GIM *.GIO *.GLOX *.GPD *.GPG *.GPN *.GPX *.GRO *.GROB *.GRS *.GSD *.GTHR *.GTP *.GWI *.HBK *.HDB *.HDP *.HDR *.HHT *.HIS *.HPG *.HPGL *.HPI *.HPL *.HTC *.HTM *.HTML *.HWP *.I3D *.IBD *.IBOOKS *.ICN *.ICON *.IDC *.IDEA *.IDX *.IFF *.IGT *.IGX *.IHX *.IIL *.IIQ *.IMD *.INDD *.INFO *.INI *.INI0 *.INI4 *.INI8 *.INID *.INIH *.INIL *.INIP *.INIT *.INIX *.INK *.IPF *.IPX *.ITDB *.ITW *.IWI *.J2C *.J2K *.JAR *.JAS *.JAVA *.JB2 *.JBMP *.JBR *.JFIF *.JIA *.JIS *.JKS *.JNG *.JOE *.JP1 *.JP2 *.RNG *.RPD *.RPF *.RPT *.RRI *.RSB *.RSD *.RSR *.RSS *.RST *.RTD *.RTF *.RTX *.RUN *.RW2 *.RWL *.RZK *.RZN *.S2MV *.S3M *.SAF *.SAI *.SAM *.SAVE *.SBF *.SCAD *.SCC *.SCH *.SCI *.SCM *.SCT *.SCV *.SCW *.SDB *.SDF *.SDM *.SDOC *.SDW *.SEP *.SFC *.SFW *.SGM *.SIG *.SITX *.SK1 *.SK2 *.SKM *.SLA *.SLD *.SLDX *.SLK *.SLN *.SLS *.SMF *.SMIL *.SMS *.SOB *.SPA *.SPE *.SPH *.SPJ *.SPP *.SPQ *.SPR *.SQB *.SQL *.SQLITE3 *.SQLITEDB *.WP4 *.WP5 *.WP6 *.WP7 *.WPA *.WPD *.WPE *.WPG *.WPL *.WPS *.WPT *.WPW *.WRI *.WSC *.WSD *.WSF *.WSH *.WTX *.WVL *.X3D *.X3F *.XAR *.XCODEPROJ *.XDB *.XDL *.XHTM *.XHTML *.XLC *.XLD *.XLF *.XLGC *.XLM *.XLR *.XLS *.XLSB *.XLSM *.XLSX *.XLT *.XLTM *.XLTX *.XLW *.XML *.XPM *.XPS *.XWP *.XY3 *.XYP *.XYW *.YAL *.YBK *.YML *.YSP *.YUV *.Z3D *.ZABW *.ZDB *.ZDC *.ZIF *.ZIP *.ZIPX *.ZZ
For every infected file, it writes 0x20 bytes of infection signature at the beginning of the infected file, as shown in Figure 7:
Figure 7 Infection Signature
Once this is done, the ransomware notifies the user that their machine has been infected, and gives them instructions to get the files back by dropping README.txt, README.html, and README.bmp files, as well as modifying the desktop background.
Figure 8 Desktop Background After Being Infected
Last but not least, it then deletes all shadow copies to ensure that no system recovery could work.
Figure 9 Delete Shadow Copies
If the victim was to follow the ransom instructions, which explain how the user can regain access to their files, they will eventually land at the web page shown below, which supports multiple languages. Victims need to provide a personal ID to sign in.
Figure 10 Decryption Service
CryptXXX is yet another malware version to join the ransomware bandwagon. While it is unclear what its future will hold, it is an interesting development because while its complexity is minimal compared to other ransomware families, it appears to be just as effective.
Sample MD5: 7bb58c27b807d0de43de40178ca30154
Sample Sha256: eb72bef17b4f62a3cef6e36385cbdd65cf916f36b28d86b37b2990e2fc9e5330
Fortinet AV Detection Signature: W32/Filecoder_CryptProjectXXX.H!tr