McAfee Labs Threat Advisory
CTB-Locker
February 9, 2015
McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent
malware. This Threat Advisory contains behavioral information, characteristics, and symptoms that may be used to
mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs.
To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and
Threat Reports” at the following URL: https://sns.snssecure.mcafee.com/content/signup_login.
Summary
CTB-Locker is a ransomware that on execution encrypts certain file types present in the user’s system. The
compromised user has to pay the attacker a ransom to get the files decrypted.
McAfee detects this threat under the following detection name[s]:
 BackDoor-FCKQ
 Downloader-FAMV
 Injector-FMZ
 Downloader-CTB
 Ransom-CTB
Detailed information about the threat, its propagation, characteristics, and mitigation are in the following sections:
 Infection and Propagation Vectors
 Mitigation
 Characteristics and Symptoms
 Restart Mechanism
 McAfee Foundstone Services
Infection and Propagation Vectors
The malware is being propagated via spam emails that come with an attachment in the form of a .zip file. The .zip
file is layered inside another .zip file, which contains the downloader for CTB-Locker.
The spam emails may appear similar to the sample shown in the advisory (the screenshot is not reproduced in this transcript).
The spam messages are mostly targeting banks and financial institutions, even though infections can occur
anywhere due to the methods used in propagation.
The attachments in the spam emails are .zip files, some of which may be named as one of the following:
 malformed.zip
 plenitude.zip
 inquires.zip
 simoniac.zip
 faltboat.zip
 incurably.zip
 payloads.zip
 dessiatine.zip
The attachments might also arrive double-zipped, with an SCR file as the inner attachment.
The subjects used in the spam campaign may be one of the following:
 [Fax server] +07909 546940
 copy from +07540040842
 Message H4H2LC68B7167E4F4
 New incoming fax message, S8F8E423F9285C5
 Incoming fax from +07843-982843
 [Fax server]:+07725-855368
 Fax ZC9257943991110
 New fax message from +07862-678057
Coverage for the above-mentioned detection names is available from the production DAT 7687.
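The two lure characteristics above, the fax-themed subject lines and the double-zipped attachment with an SCR file inside, can be checked at the mail gateway before a user ever sees the message. The following is an added example, not code from the advisory or from McAfee: it matches subjects against the fixed parts of the templates listed above (the fax numbers and message IDs vary per mail), and it opens .zip attachments in memory, descending into nested archives up to a fixed depth, to report any executable member. The sample attachment is constructed inside the script; the inclusion of .exe alongside .scr and the nesting limit are assumptions.

```python
import io
import re
import zipfile

# Fixed parts of the lure subjects listed in the advisory. The fax numbers and
# message identifiers vary per mail, so they are matched with character classes.
SUBJECT_PATTERNS = [
    re.compile(r"^\[Fax server\]"),
    re.compile(r"^copy from \+\d+"),
    re.compile(r"^Message [A-Z0-9]{8,}$"),
    re.compile(r"^New incoming fax message, [A-Z0-9]{8,}$"),
    re.compile(r"^Incoming fax from \+[\d-]+$"),
    re.compile(r"^Fax [A-Z0-9]{8,}$"),
    re.compile(r"^New fax message from \+[\d-]+$"),
]

# The advisory names SCR as the executable type inside the inner archive; .exe is
# an assumed addition because a downloader may also ship as a plain executable.
EXECUTABLE_EXT = (".scr", ".exe")

# Bound the recursion so a deeply nested archive cannot exhaust the triage job.
MAX_NESTING = 3


def subject_is_lure(subject: str) -> bool:
    """True when the subject matches one of the fax-themed lure templates."""
    return any(p.search(subject) for p in SUBJECT_PATTERNS)


def executables_in_zip(data: bytes, depth: int = 0) -> list:
    """Return (nesting_depth, member_name) for every executable member, descending
    into nested .zip members up to MAX_NESTING levels. Non-zip data yields []."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with archive:
        for info in archive.infolist():
            lower = info.filename.lower()
            if lower.endswith(".zip") and depth < MAX_NESTING:
                findings.extend(executables_in_zip(archive.read(info), depth + 1))
            elif lower.endswith(EXECUTABLE_EXT):
                findings.append((depth, info.filename))
    return findings


def triage(subject: str, attachment_name: str, attachment: bytes) -> list:
    """Collect human-readable reasons why a message should be quarantined.
    An empty list means nothing in this check fired."""
    reasons = []
    if subject_is_lure(subject):
        reasons.append("subject matches fax lure template")
    if attachment_name.lower().endswith(".zip"):
        for depth, member in executables_in_zip(attachment):
            where = "nested zip" if depth else "top-level zip"
            reasons.append(f"executable {member!r} inside {where} (depth {depth})")
    return reasons


def build_sample_attachment() -> bytes:
    """Constructed test input: inquires.zip wrapped in another zip, with a fake
    .scr inside. The bytes are placeholders, not a real binary."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("fax_message.scr", b"constructed placeholder, not executable")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inquires.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for reason in triage("New incoming fax message, S8F8E423F9285C5",
                         "inquires.zip", build_sample_attachment()):
        print(reason)
```

Either reason on its own is enough to hold the message for review; the subject check is cheap and catches the campaign as described, while the archive check is what continues to work when the lure text changes. The nesting limit matters: without it, an archive that contains itself many levels deep turns the scanner into the denial-of-service target.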
Mitigation
Mitigating the threat at multiple levels such as file, registry, and URL could be achieved at various layers of McAfee
products. Browse the product guidelines available here (click Knowledge Center, and select Product
Documentation from the Content Source list) to mitigate the threats based on the behavior described below in the
“Characteristics and symptoms” section.
Refer to the following Knowledge Base articles to configure Access Protection rules in VirusScan Enterprise:
 KB81095 - How to create a user-defined Access Protection Rule from a VSE 8.x or ePO 5.x console
 KB54812 - How to use wildcards when creating exclusions in VirusScan Enterprise 8.x
Additional End User Recommendations
 Do NOT open .zip attachments unless specifically requested from the sender. View the email header
or send a separate email to validate the sender before opening attachments.
 End users should back up business data to the organization’s shared folders. Data residing on user
devices may be permanently lost in the event of a ransomware infection.
 Do NOT click embedded hyperlinks in email. Although the CTB-Locker ransomware threat is normally
sent as an attached .zip file, ransomware has been downloaded from opening malicious websites.
 Report suspect email to the organization’s Security Operations Center. Remind your employees how
and where to submit suspicious email safely.
Users can configure and test Access Protection Rules to restrict the creation of new files and folders when there
are no other legitimate uses.
Disclaimer: This option is dangerous and needs to be tested before deployment because it can block legitimate
installers, but it is effective against an infection scenario.
Under “Common Standard Protection” in the Access Protection Properties in VSE, enable the Rule to “Prevent
common programs from running files from the Temp folder” (the screenshot is not reproduced in this transcript).
HIPS
To blacklist applications using a Host Intrusion Prevention custom signature, refer to KB71329.
To create an application-blocking rule policy that prevents the binary from running, refer to KB71794.
To create an application-blocking rule policy that prevents a specific executable from hooking any other
executable, refer to KB71794.
To block attacks from a specific IP address through McAfee Nitrosecurity IPS, refer to KB74650.
Disclaimer: Use of *.* in an access protection rule would prevent all types of files from running and being
accessed from that specific location. If specifying a process path under Processes to Include, the use of wildcards
for Folder Names may lead to unexpected behavior. Users are requested to make this rule as specific as possible.
Users of the following products may want to check if GTI is enabled to block the IP addresses being used to send
spam:
 SaaS
 Email and Web Security 5.6
 Email Gateway (7.x or later) 7.5
 Email Gateway (7.x or later) 7.0
 GroupShield for Microsoft Exchange 7.0.x
Desktop users need to enable the Outlook plugin and also install the Site Advisor browser plugin to detect the
spam attachment before it is opened and block access to the malicious domains.
Characteristics and Symptoms
Description
CTB-Locker belongs to a family of malware that encrypts the compromised user’s files available in the system and
demands that the user pay a ransom to retrieve the files. CTB is an acronym for Curve Tor Bitcoin. Curve
refers to the fact that the malware uses Elliptic Curve encryption, which the author claims is the equivalent of
RSA encryption with a 3072-bit key.
On execution, CTB-Locker usually copies itself into the %temp% folder with a random name (7 characters), such as:
 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fzjujkn.exe
CTB-Locker injects malicious code into svchost.exe and the injected code will in turn execute the dropped file from
%temp% location.
The malware then creates a scheduled task (<random 7 characters>.job) to execute the above-mentioned dropped
binary at system startup, for example:
 C:\WINDOWS\Tasks\cderkbm.job
It also creates a random named mutex to ensure that only one instance of malware is running at a time.
This injected code, in svchost.exe, will then encrypt the files with the following extensions:
 .pdf
 .xls
 .ppt
 .txt
 .py
 .wb2
 .jpg
 .odb
 .dbf
 .md
 .js
 .pl, etc.
After the files have been encrypted successfully by the malware, a pop-up window will appear on the screen, with
a 96-hour countdown to get the files decrypted and some other details (the screenshot is not reproduced in this transcript).
On clicking the View button, the infected user can see the list of files that have been encrypted and other details about
how to make payment and get the decrypted files back.
The spam campaign is now targeting more countries than earlier, as shown in the advisory’s map (not reproduced here). France, Austria,
and Spain are the latest additions to the target countries.
Some hosts and IP addresses administrators need to block:
 maisondessources.com (213.186.33.19)
 pleiade.asso.fr (213.186.33.19)
 scolapedia.org (213.186.33.19)
 breteau-photographe.com (213.186.33.150)
 voigt-its.de (188.93.8.7)
 jbmsystem.fr (213.186.33.3)
It also connects to hard-coded remote hosts to download other malware, for example:
 hxxps://ourtrainingacademy.com/LeadingRE/sancho.tar.gz
 hxxps://thomasottogalli.com/webtest/sancho.tar.gz
 hxxps://cds-chartreuse.fr/locales/sancho.tar.gz
 hxxps://m-a-metatre.fr/media/sancho.tar.gz
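Blocking the hosts and addresses above is the first step; the second is to find out which clients already talked to them, since a request for sancho.tar.gz means the downloader ran and the second stage was fetched. The following is an added example, not part of the advisory or McAfee’s tooling: it sweeps a proxy log for the hostnames, the resolved IPs, and the payload name listed above and reports the client behind each hit. The log layout (timestamp, client IP, destination IP, method, URL, status) and the sample records are constructed; the documentation addresses 198.51.100.7 and 203.0.113.9 stand in for resolver results the advisory does not list.

```python
import re
from urllib.parse import urlparse

# Hosts and IPs taken from the advisory. The hxxps:// notation there is defanged;
# the bare hostnames are what a proxy log will actually carry.
BLOCK_HOSTS = {
    "maisondessources.com", "pleiade.asso.fr", "scolapedia.org",
    "breteau-photographe.com", "voigt-its.de", "jbmsystem.fr",
    "ourtrainingacademy.com", "thomasottogalli.com",
    "cds-chartreuse.fr", "m-a-metatre.fr",
}
BLOCK_IPS = {"213.186.33.19", "213.186.33.150", "188.93.8.7", "213.186.33.3"}
PAYLOAD_NAME = "sancho.tar.gz"

# Assumed, simplified proxy log layout (one record per line):
#   timestamp client_ip dest_ip method url status
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dest>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample records. 198.51.100.7 and 203.0.113.9 are documentation
# addresses standing in for resolver results the advisory does not list.
SAMPLE_LOG = """\
2015-02-09T10:14:02Z 10.0.5.23 213.186.33.19 GET http://maisondessources.com/index.php 200
2015-02-09T10:14:09Z 10.0.5.23 198.51.100.7 GET https://ourtrainingacademy.com/LeadingRE/sancho.tar.gz 200
2015-02-09T10:15:30Z 10.0.5.40 203.0.113.9 GET http://intranet.example/news 200
2015-02-09T10:16:01Z 10.0.5.41 213.186.33.150 CONNECT breteau-photographe.com:443 200
"""


def host_of(url: str) -> str:
    """Hostname for a URL, or for the host:port form that CONNECT records use."""
    if "://" not in url:
        return url.split(":", 1)[0].lower()
    return (urlparse(url).hostname or "").lower()


def classify(line: str):
    """Return (client_ip, host, [indicator kinds]) when a record touches the
    advisory's indicators, else None. Indicator kinds: host, ip, payload."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host = host_of(m["url"])
    kinds = []
    if host in BLOCK_HOSTS:
        kinds.append("host")
    if m["dest"] in BLOCK_IPS:
        kinds.append("ip")
    if m["url"].lower().endswith(PAYLOAD_NAME):
        kinds.append("payload")
    return (m["client"], host, kinds) if kinds else None


def hunt(log_text: str) -> list:
    """All matching records in a log, in order; clients with a 'payload' hit
    are the ones to isolate first since they fetched the second-stage archive."""
    hits = []
    for line in log_text.splitlines():
        r = classify(line)
        if r:
            hits.append(r)
    return hits


if __name__ == "__main__":
    for client, host, kinds in hunt(SAMPLE_LOG):
        print(client, host, ",".join(kinds))
```

HTTPS traffic through a proxy shows up as a CONNECT record carrying host:port rather than a full URL, so the hostname match still works there but the payload name does not; for those clients the host hit alone should be enough to pull the machine for the file-system checks described in the next section. Hostnames on shared hosting (three of the listed domains sit on 213.186.33.19) are the more precise indicator; the IP alone will also catch unrelated sites on the same server.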
Restart Mechanism
The following scheduled task could enable the Trojan to execute every time Windows starts:
 C:\WINDOWS\Tasks\<7 random characters>.job
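The two host artefacts the advisory describes, the seven-character random .job in C:\WINDOWS\Tasks and the seven-character random .exe in %temp%, cannot be matched by name because the names are random, but the naming scheme itself is a usable heuristic. The following is an added example, not part of the advisory: it runs over an exported file listing (constructed here, including the two paths the advisory gives and several benign look-alikes) and labels entries that fit the scheme. The assumption that the random names are seven lowercase letters comes from the two examples on the page, fzjujkn and cderkbm.

```python
import ntpath
import re

# Both artefacts in the advisory are named with seven random characters; the
# examples (fzjujkn, cderkbm) are lowercase letters, so that is the heuristic.
RANDOM7 = re.compile(r"^[a-z]{7}$")


def classify_path(path: str):
    """Label a Windows path as 'scheduled-task', 'temp-dropper', or None.
    ntpath is used so this runs on any OS against exported listings."""
    directory, base = ntpath.split(path)
    stem, ext = ntpath.splitext(base)
    parts = [p.lower() for p in directory.split("\\") if p]
    ext = ext.lower()
    if not RANDOM7.match(stem):
        return None
    if ext == ".job" and parts[-2:] == ["windows", "tasks"]:
        return "scheduled-task"
    if ext == ".exe" and parts and parts[-1] == "temp":
        return "temp-dropper"
    return None


def hunt(listing) -> list:
    """Return [(path, label)] for every suspicious entry in a file listing."""
    found = []
    for path in listing:
        label = classify_path(path)
        if label:
            found.append((path, label))
    return found


# Constructed listing: the two paths from the advisory plus benign look-alikes
# that should not fire (wrong extension, descriptive name, wrong directory).
SAMPLE_LISTING = [
    r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fzjujkn.exe",
    r"C:\WINDOWS\Tasks\cderkbm.job",
    r"C:\WINDOWS\Tasks\nightly-backup.job",
    r"C:\WINDOWS\Tasks\abcdefg.txt",
    r"C:\Users\alice\AppData\Local\Temp\setup.exe",
    r"C:\Program Files\Tool\qwertyu.exe",
]

if __name__ == "__main__":
    for path, label in hunt(SAMPLE_LISTING):
        print(label, path)
```

A name-shape heuristic will flag some legitimate files, so treat the output as candidates: a host that shows both a random-named .job and a random-named executable in Temp is the strong signal, and the .job should point at that executable. Removing the .job breaks the restart mechanism, but the dropped executable and the injected svchost.exe code need to be dealt with in the same pass or the task is simply recreated.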
Getting Help from the McAfee Foundstone Services team
This document is intended to provide a summary of current intelligence and best practices to ensure the highest
level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of
strategic and technical consulting services that can further help to ensure you identify security risk and build
effective solutions to remediate security vulnerabilities.
You can reach them here: https://secure.mcafee.com/apps/services/services-contact.aspx
This Advisory is for the education and convenience of McAfee customers. We try to ensure the accuracy,
relevance, and timeliness of the information and events described; they are subject to change without notice.
Copyright 2014 McAfee, Inc. All rights reserved.