In our previous blog post, our AVG Web Threats Research group analyzed a Blackhole exploit kit serving the fake FBI Ransomware. Today we will look at the ransomware itself.
Here is what a typical ransomware payload does once it is active on an infected computer:
- The user’s desktop is locked and a full-screen message is displayed
- Task Manager and Registry Editor are disabled
- System hot keys are disabled to avoid the Trojan’s termination
This is a screenshot from a system infected by fake FBI Ransomware; the criminals ask for 100 pounds to unlock the infected system:
1. Once the Blackhole exploit is executed on a particular website, a malicious DLL file is downloaded and executed
2. The downloaded DLL file is protected by a custom private packer. Unpacking it shows that the DLL is written in Delphi and has two exported functions, FQ10 and FQ11.
3. The DLL is loaded by rundll32.exe several times; its injection and running-environment checks make it hard to track.
4. An auto-start item for the DLL is created: a Ctfmon.lnk file is dropped into the Startup folder.
5. Change the Internet Explorer features (following registry values are changed to 0):
6. Change the Internet Explorer features (following registry values are changed to 3):
7. Disable Internet Explorer features (following registry values are changed to 1):
8. Injection process: Find the target process IEXPLORE.EXE using the following registry value to get the path of the browser:
9. Create the IEXPLORE.EXE process, and then allocate memory in IEXPLORE.EXE. The CreateRemoteThread function is then used to load the malicious DLL again. Let’s have a look at the parameters of the function CreateRemoteThread:
10. The remote thread’s lpStartAddress parameter is the address of the LoadLibraryA function, which is given the path of the malicious DLL. The following screenshot shows the malicious file “info.exe” already injected into our target process:
11. Create a thread to monitor the Task Manager process. If it’s running, a “WM_CLOSE” message is sent to its window to close Task Manager.
12. Using the “WSASend” and “WSARecv” functions, the Trojan connects to the IP address 220.127.116.11 on port 80 or 443. Server information:
Company: Global Layer B.V.
Name: Jelle Maes
Street: Piet Paaltjensplein 62
City: 3027TZ Rotterdam
13. The data received from this server is saved to the following file:
C:\Documents and Settings\All Users\Application Data\ofni.pad
14. Desktop lock: When the “ofni.pad” download is complete, the DLL is started again, this time executing the second exported function, “FQ11”.
The third member of the “_STARTUPINFO” structure is the desktop name. When this process is created, the new desktop name is set to the value o0zde:
15. The exported function FQ11 decodes “ofni.pad” and saves the result as the file “1fni.pad”. This file is the content of the new desktop. The SwitchDesktop function is then called to switch to the newly created desktop “o0zde”. Because there is no restore operation, the desktop is never switched back to its previous state.
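The host artefacts named in the steps above (rundll32.exe calling the FQ10/FQ11 exports, Ctfmon.lnk in a Startup folder, IEXPLORE.EXE created by rundll32.exe, and the ofni.pad/1fni.pad files) can be correlated per host in endpoint telemetry. The sketch below is an added example, not code from the original analysis; the event field names, the sample DLL path and user name, and the two-indicator threshold are assumptions.

```python
import re
from collections import defaultdict

# rundll32 calling one of the exports named in the write-up: "<dll>,FQ10" / "<dll>,FQ11"
EXPORT_RE = re.compile(r'rundll32(?:\.exe)?"?\s+.*,\s*(FQ10|FQ11)\b', re.I)
STARTUP_RE = re.compile(r"\\startup\\ctfmon\.lnk$", re.I)
PAD_RE = re.compile(r"\\application data\\(ofni|1fni)\.pad$", re.I)

def indicators(event):
    """Return the set of indicator names that a single event matches."""
    hits = set()
    if event.get("kind") == "process":
        m = EXPORT_RE.search(event.get("command_line", ""))
        if m:
            hits.add("rundll32-export-" + m.group(1).upper())
        image = event.get("image", "").lower()
        parent = event.get("parent_image", "").lower()
        if image.endswith("\\iexplore.exe") and parent.endswith("\\rundll32.exe"):
            hits.add("iexplore-spawned-by-rundll32")
    elif event.get("kind") == "file":
        path = event.get("path", "")
        if STARTUP_RE.search(path):
            hits.add("startup-ctfmon-lnk")
        m = PAD_RE.search(path)
        if m:
            hits.add("pad-file-" + m.group(1).lower())
    return hits

def triage(events, threshold=2):
    """Report hosts showing at least `threshold` distinct indicators."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev.get("host", "?")] |= indicators(ev)
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= threshold}

# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE = [
    {"host": "WS-01", "kind": "process", "image": r"C:\WINDOWS\system32\rundll32.exe",
     "parent_image": r"C:\WINDOWS\explorer.exe",
     "command_line": r'rundll32.exe "C:\Temp\sample.dll",FQ10'},
    {"host": "WS-01", "kind": "file",
     "path": r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\Ctfmon.lnk"},
    {"host": "WS-01", "kind": "process", "command_line": "iexplore.exe",
     "image": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
     "parent_image": r"C:\WINDOWS\system32\rundll32.exe"},
    {"host": "WS-01", "kind": "file",
     "path": r"C:\Documents and Settings\All Users\Application Data\ofni.pad"},
    {"host": "WS-02", "kind": "process", "image": r"C:\WINDOWS\system32\rundll32.exe",
     "parent_image": r"C:\WINDOWS\explorer.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE).items():
        print(host, hits)
```

Requiring several distinct indicators per host keeps ordinary rundll32.exe use, such as the Control Panel call on WS-02, from raising an alert by itself.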
This malware is detected by AVG as Trojan horse Ransomer variant.
AVG Viruslab Research Group