FortiGuard Labs Threat Research
Fortinet FortiGuard Labs has come across a ransomware that only accepts Monero – an open source cryptocurrency created in 2014 – for payment, signaling a shift away from the widely used and accepted standard Bitcoin in the ransomware space. Ransomware authors are aware of current trends and events, and appear to be taking advantage of all the hype surrounding the cryptocurrency craze.
This latest ransomware not only asks for payment via Monero, but also pretends to be a cryptocurrency-related password store. The malware masquerades as a “spritecoin” wallet, asking the user to create their desired password, but does not actually download the block-chain, but it does secretly encrypt the victim’s data files. It then demands a ransom in Monero cryptocurrency in return for decrypting the victim’s data. The file (also seen in the wild as spritecoind[.]exe) is UPX packed for simple evasion. It displays the typical ransom note of “Your files are encrypted,” and asks for a sum of 0.3 Monero – which is equivalent to $105 USD at the time of writing.
During our analysis, we have seen indicators that the sample appears to have an embedded SQLite engine. This leads us to believe it is using SQLite to store harvested credentials. The ransomware first looks to harvest Chrome credentials, and if it finds nothing it then moves on and tries to access the Firefox credential store. It then looks for specific files to encrypt. These files are then encrypted with an .encrypted file extension (eg: resume.doc.encrypted).
Adding insult to injury, during the decryption phase another piece of malware is deployed with capabilities including certificate harvesting, image parsing, and web camera activation.
Below is a quick kill-chain analysis of the SpriteCoin Ransomware threat.
Delivery: We have heard unconfirmed reports and believe that this attack is being spread via forum spam, targeting users interested in cryptocurrency. During our perusal for Spritecoin – we came across what appears to be the homepage for SpriteCoin pagebin[.]com/xxqZ8VES:
In this case, the threat arrives as a "SpriteCoin" package (spritecoind[.]exe) under the guise of a SpriteCoin crypto-currency wallet. A quick Google search reveals no documentation on SpriteCoin – which leads us to believe that it is not really a true Cryptocurrency, but is one that was created for this specific attack.
Exploitation: Often, exploitation is user-initiated resulting from succumbing to social engineering techniques. The allure of quick wealth through crypto-currency seems to be enough to trick unsuspecting users to rush toward the wallet app du jour without consideration.
Installation: Once the threat runs, it presents a user with a prompt to “Enter your desired wallet password.”
Once that step it is complete, the threat then states that it is downloading the blockchain, when it is actually running its encryption routine.
During our analysis, we observed that the file would not run in its current state without a particular patch in place. Our test environment was a Windows XP SP3 machine, but due to a missing _snprintf_s function from msvcrt.dll the malware would not run. But it began once we patched our system to _snprintf.
On initial execution, the malware copies itself to %APPDATA%\MoneroPayAgent.exe, and relaunches the new copy. It also modifies the registry key:
“HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MoneroPay %APPDATA%\MoneroPayAgent.exe”
On a window XP3 machine, appdata can be located in "\documents and settings\user\application data\"
Command and Control: Monero Ransomware does not make a connection to a command and control server in the traditional sense, What it does is make a connection to a TOR site via an Onion proxy. (http://jmqapf3nflatei35[.]onion.link/*). This proxy allows the victim to communicate with the attacker’s website without the need for a TOR connection. This assures two things – 1. That the attacker is kept anonymous by hiding behind a TOR domain, and 2. It acts as a failsafe between victim (who may not know what TOR is or may not want to be bothered by it) and the attacker to ensure higher success rates.
Actions on Objectives: As expected, the ransomware will begin to encrypt specific files with the following extension(s): c .txt .py .doc .rtf .cpp .cc .go .tcl .html .ppt .docx .xls .xlsx .pptx .key .pem .psd .mkv .mp4 .ogv .zip .jpg .jpeg .work .pyw .h .hpp .cgi .pl .rar .lua .img .iso .webm .jar .java .class .one .htm .js .css .vbs .7z .eps .psf .png .apk .ps1 .gz .wallet.dat .id_rsa., adding the extention “.encrypted” to any affected files.
In addition, the user’s Chrome and Firefox credential stores are raided and transmitted via POST to the remote website. (http://jmqapf3nflatei35[.]onion[.]link/*)
Once the user’s files have been encrypted (or when the user attempts to access an encrypted file) the ransom note is generated and displayed in a browser window informing the victim and offering decryption for a ransom fee.
In a cruel twist, if the victim decides to pay and obtain a decryption key they are then delivered a new malicious executable [80685e4eb850f8c5387d1682b618927105673fe3a2692b5c1ca9c66fb62b386b], detected as W32/Generic!tr. While have not yet fully analyzed this malicious payload, we can verify that it does have the capability to activate web cameras and parse certificates and keys that will likely leave the victim more compromised than before.
The following AV signatures are in place for this new Monero Ransomware:
Also, all of the network IOCs have been blacklisted in the web-filtering database.
In addition to the above malware signatures, we strongly encourage organizations to prepare for ransomware attacks by developing a solid backup and recovery plan. Do not rely on shadow volume backups alone, as some ransomware variants delete them. Malware authors have done their homework to ensure a higher success rates. They understand that most people don’t back up their systems regularly, but if someone should perform a shadow volume or similar backup, they have logic built into the malware to defeat it. Instead, a simple offline back up of important files will save a lot of time and frustration. Best practices require being vigilant about backing up files, and performing them on a regular basis. Then store the backup offline on a separate device, and even in multiple places to ensure redundancy.
Since user interaction is needed for this malware to work, it is important to establish a formal security training program and try to deliver it at least once a quarter to personnel. The training should be creative to keep the users’ attention, include new subjects that cover key elements of the security program, and encourage user feedback and participation. User rewards programs are especially effective for recognizing employees for their attention to security. To read more about protecting yourself against ransomware, please visit our blog posting “10 Steps to Protecting Yourself From Ransomware.”
And always, ensure that your FortiGuard definitions are up to date.
Below are some of the Indicators of Compromise (IOC) which can be used (if you don’t have our FortiGuard Services) to detect and block the threat. Many of these IOCs can also be used to hunt for this specific threat.
Network Indictors of Compromise:
hxxp://jmqapf3nflatei35[.]onion[.]link/log?id=%s - Initial ransom connection (TOR PROXY)
hxxp://jmqapf3nflatei35[.]onion[.]link/paid?id=%s - Ransom payment URL
hxxp://jmqapf3nflatei35[.]onion[.]link/static/win - Secondary component download
hxxp://jmqapf3nflatei35[.]onion - TOR-proper URL
System Indicators of Compromise:
ababb37a65af7c8bde0167df101812ca96275c8bc367ee194c61ef3715228ddc – Initial Sample
3e06ef992519c02f43b10cc9bfa671e5176e2cef5fab2f3d21b1e7fc17438e7d – Alternative Sample
80685e4eb850f8c5387d1682b618927105673fe3a2692b5c1ca9c66fb62b386b – Secondary Sample
%APPDATA%\MoneroPayAgent.exe – Installation Path
%TEMP%\19204ur2907ut982gi3hoje9sfa.exe – Installation path of Filename of Secondary Sample
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MoneroPay %APPDATA%\MoneroPayAgent.exe - Registry Entry for Survivability
.encrypted – Encrypted object filename suffix
You can read important takeaways about the threat landscape in our full Global Threat Landscape Report. Also, view our video (above) summarizing valuable data points from our most recent report.