
Google script being abused for Cryptocurrency fraud

The SonicWall Capture Labs Research team has discovered an ongoing cryptocurrency fraud campaign that abuses legitimate Google services, specifically Google Script macros. Threat actors deliberately target such platforms because they are convenient to use and because malicious code hosted on them tends to evade detection by anti-malware systems.

Google Script macros are primarily designed to enhance productivity and streamline workflows within Google services. However, threat actors are now exploiting them for fraudulent purposes, finding ways to execute malicious code within the context of legitimate Google applications.

In this case, a PDF file is being circulated, containing a malicious URL that was created using Google Script. Once the user interacts with this URL, they are redirected to the actual fraudulent website.

Fig: PDF File


Below is the response to the malicious URL created with a Google Script macro.

Fig: Fiddler capture of malicious Google Script Macro


When the URL in the PDF file is opened, Google displays a notice that the application was created by another user, not by Google. Clicking through on that page redirects the user to office[.]proprogramvipt[.]top.

Fig: Google script malicious URL


After redirection, the user is confronted on this deceptive webpage with a warning message indicating that their account is at risk of deletion due to inactivity. To add a sense of urgency, a countdown timer is displayed, suggesting that the account will be deleted imminently.

In order to prevent the account deletion and purportedly withdraw the funds (which, in reality, are non-existent), the user is instructed to sign in.

Fig: Warning for account deletion


Upon signing in, the user is presented with a prepopulated sign-in page that appears legitimate. The page is carefully designed around an enticing welcome-back message, which includes the user's supposed Bitcoin balance in both BTC and USD. This serves as bait to lure the user into continuing further with the process.

Fig: Sign-in & welcome message


To create an illusion of authenticity, various elements that mimic legitimate features commonly found on cryptocurrency platforms are presented. These elements include:

History: A fabricated transaction history is displayed, showcasing previous transactions to make the platform appear genuine.

User Chat: Fictitious comments and messages from fake users are shown, attempting to simulate user activity and engagement on the platform.

Settings: Users are provided with an option to collect bitcoins, along with the ability to change their password. This is aimed at giving the impression of user control and customization.

News: Fake news articles are presented, falsely claiming updates such as a switch to a new cryptocurrency system, the addition of PayPal payouts, or technical server-related updates. These news pieces aim to instill a sense of credibility and innovation.

All of these elements are carefully designed to create an atmosphere of legitimacy and trust, further deceiving users into believing that the fraudulent platform is genuine and reliable.


Fig: News, Settings, Chat & History


It shows the current balance in BTC and USD, with a button to collect bitcoin bonuses.


Fig: Collect BTC Bonuses


After clicking the “Collect Bitcoin Bonuses” button, a progress bar is shown as if mining were taking place on the system, complete with fake transaction hashes.

Fig: Fake mining


Once the progress bar reaches 100%, it shows the collected BTC and a “Get Paid” button.


Fig: BTC collection


After clicking “Get Paid”, the site asks for the user’s personal details along with account/card details.


Fig: User's details


After collecting all the details, the site claims to be forwarding them to a manager. Its own chatbot then reports that the details have been verified; no actual validation takes place, and even random input is accepted.

Fig: Chatbot

Then, for the “currency exchange”, it redirects to BTCPay, where the user has to pay in bitcoin.


Fig: BTCPay


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: CryptoFraud.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.



Indicators of Compromise (IOC):



A look at TeamTNT's latest variant being actively used in the wild

The SonicWall Capture Labs threat research team analyzed the latest cryptomining and infostealing Trojan from a well-known malware group called TeamTNT. They are known to target vulnerable *nix systems and deploy a cryptominer along with a myriad of other tools for reconnaissance and infostealing.

Infection Cycle:

The sample comes as a bash script. To establish a clean slate, upon execution it calls a function that will find, kill and remove all running cryptomining services.

While removing competing cryptominers, it also drops another bash script as a lock file; when executed, this script simply prints "Forbidden Action!!! TeamTNT is watching you."

It then sets up its own cryptominer by downloading and installing XMRig, an open source Monero miner.

Upon setup and execution of the cryptominer, a TeamTNT-branded greeting is shown.

It then runs another function called makesshaxx, which installs an SSH key and thereby gives TeamTNT remote SSH access to the victim machine.

It then deploys an open source rootkit called Diamorphine which it uses to hide itself.

The rootkit is embedded as a base64-encoded tar file, which is then decoded, decompressed, built and installed, and finally loaded by running the command "insmod diamorphine.ko".

It also locks up the system and ensures full control by deleting cronjobs and locking cron.

It also redirects standard output and errors to null when the victim tries to shutdown or reboot the system.

Finally, it has a function that uses another open source tool called punk.py, an SSH post-exploitation tool that collects usernames, SSH keys and known hosts from a Unix system and then tries to connect via SSH to all the combinations found.

The Python script is embedded as a base64-encoded value; once decoded, it reveals the punk.py tool.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Coinminer.AIY (Trojan)
  • GAV: XMRig.XMR_13 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Cryptojackers target servers running Alibaba Cloud

This week the SonicWall Capture Labs Research team analyzed malware samples that appear to be targeting one of the popular cloud computing platforms, Alibaba Cloud (Aliyun). Alibaba Cloud might not be the first name that comes to mind when you think of cloud computing service providers; however, it is the 4th largest cloud provider globally behind Amazon Web Services, Microsoft Azure and Google Cloud, and thus a very appealing target for cybercriminals. The end goal of this malware is to use the victim machine to mine cryptocurrency.

Infection cycle:

The malware arrives as a bash script. Upon execution it disables the Alibaba Cloud monitoring agents and the cloud assistant service. These services allow the owner to monitor resources and applications and to set alarms for different scenarios. Disabling them lets the malware run without the owner of the victim machine being notified when certain metrics or rules are triggered.

It then proceeds to disable other processes and cryptomining services that could compete for CPU resources. These commands are within a function named “kill_miner_proc().”

TeamTNT and Kinsing are two of the top threat groups dominating the cryptojacking arena by infiltrating vulnerable servers to run cryptominers. This malware has a special function named “fuckyou()” that specifically targets processes and other files known to be used by the aforementioned cybercriminal groups, effectively disabling them if present on the infected system. This establishes a clean slate for when this malware finally runs its own cryptominer.

It then proceeds to download XMRig miner and executes it.

To maintain persistence it deletes the current cronjob and adds the miner process and a copy of itself into cron.

And the entire infection cycle continues.

It is unlikely that the owner of a compromised server will notice the issue right away. Unlike with ransomware, where the victim is made aware of the infection so the cybercriminal can collect its dues, attacks such as this can quietly run in the background, silently profit without demanding a ransom and persist for a long period of time.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Coinminer.AIY (Trojan)
  • GAV: XMRig.XMR_13 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.


AtomSilo hits large Brazilian company in $1M double extortion scheme

The SonicWall Capture Labs threat research team has observed a continued increase in ransomware used in double extortion schemes. The operators of the ransomware known as AtomSilo have recently infiltrated a Brazilian pharmaceutical company. The malware encrypted their files, and the operators obtained 900GB of very sensitive scientific data, and even immigration and contact information of its employees. A $500,000 ransom is demanded, valid for 48 hours; after this, the ransom increases to $1M in Bitcoin. Failure to pay will result in the sensitive data being released to the public.


Infection Cycle:


Upon execution of the ransomware component, files on the system are encrypted. Each encrypted file is given a ".ATOMSILO" file extension.

After encryption, the following message is brought up on the infected machine's desktop:


The following files are dropped on to the system:

  • README-FILE-{machine name}-{random 10 digit number}.hta (in directories with encrypted files)


The Tor web address (http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion) leads to the following page, hosted by the operators:


The "LIST LEAK" button shows a company that is in the process of being extorted by the operators:


The "GO TO POST" button brings up a page that shows a summary of the data that has been obtained by the attackers:


This page is very long and contains samples of the sensitive data that has been obtained:


The leak also includes company financial data and employee contact information:


We reached out to the email address (arvato@atomsilo.com) provided in the ransom note and received the following response:



SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AtomSilo.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.




Fake Zoom App installs a Cryptominer

With stay-at-home orders implemented in several states and cities in the country in an effort to slow the spread of the novel coronavirus, internet data usage has spiked as more people are online and confined to their homes. More people have been shopping for groceries online, making virtual doctor’s office visits, connecting kids to their online education portals, working remotely and having virtual meetings, or connecting with friends and relatives via online chat. The SonicWall Capture Labs threat research team has analyzed several different coronavirus-related malicious online schemes, since more people are connecting from home with typically more relaxed security measures, and cybercriminals are certainly taking advantage.

One videoconferencing application has gained so much popularity lately that cybercriminals see it as a perfect vector for their malicious activity. Zoom has become so popular that it is one of the most downloaded software applications. A malicious installer bundled with a cryptocurrency miner has been making the rounds online, preying on unsuspecting users who want to install this videoconferencing program.

Infection Cycle:

The Trojan uses the Zoom icon and comes as an AutoIt-compiled installer.

Upon execution it drops a legitimate Zoom installer and a cryptominer in the following directories:

  • %Temp%\Zoominstaller.exe (legitimate installer)
  • %Appdata%\Roaming\Microsot\Windows\helper.exe (cryptominer)

It then executes the legitimate Zoom installer, and a window pops up showing the user the program installation.

Meanwhile, it registers helper.exe as a scheduled task named ‘System Check’ and then executes it.

Upon execution of helper.exe, it creates a 'Tor' directory within the %Appdata%\Roaming\Microsot\Windows\ folder and drops the components of a Tor client there.

It executes the Tor client by running "tor.exe" to set up the proxy environment using its own config.

It then spawns attrib.exe (a legitimate Windows system file), uses it as the mining client and begins mining through the local Tor proxy using the following command:

Once a mining session has ended, the Tor directory gets deleted and will just be recreated on the subsequent run, thus leaving very little evidence of infection.

We urge our users to only use official and reputable websites as the source of software installers. Always be vigilant and cautious when installing software programs, particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Autoit.OLS_2 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.



Fake Windows update serves a fake Windows Media Player with a side of cryptominer

This week, the SonicWall Capture Labs Threat Research Team came across another cryptominer that pretends to be a media player and even loads a wav file to hide its real intent.

Infection Cycle:

This Trojan comes in an archive file that purports to be a Windows Update component. Within the archive file are the following files:

  • mstcss.exe
  • config.json
  • song.wav

The executable file mstcss.exe uses the following file properties, pretending to be Windows Media Player:

Upon execution it loads the wav file, which plays instrumental music.

Then it reads the config.json file which has the settings for mining cryptocurrency.

It creates a log file in the following directory:

  • \Program Files\Windows Update\log.dat

The Trojan then proceeds to connect to the mining server.

Activities are then logged in to the log.dat file and may look like this:

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: XMRig.MP (Trojan)
  • GAV: Miner.XM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Steam – Rust Trainer, DGA & Miner Found


The SonicWall Capture Labs Threat Research Team recently found a unique Domain Generation Algorithm (DGA) inside a file named "Rust Trainer.exe". The sample is distributed alongside the Steam PC game Rust and is deceptively named to look like a tool for cheating and creating hacks for that online multiplayer game. Once executed, however, the file only starts the infection: it injects into "svchost.exe", after which it begins creating domains on the fly. The domain generation algorithm in this sample can generate 172 million domains. The sample also has the ability to look for and install new coin mining software, along with an array of other capabilities.

Objective of the game:

The only aim in Rust is to survive.

To do this you will need to overcome struggles such as hunger, thirst and cold. Build a fire. Build a shelter. Kill animals for meat. Protect yourself from other players, and kill them for meat. Create alliances with other players and form a town.

Do whatever it takes to survive.

The developers describe the content like this:

This Game may contain content not appropriate for all ages, or may not be appropriate for viewing at work: Nudity or Sexual Content, Frequent Violence or Gore, General Mature Content

Sample Static Information:

Anti-Debugging Techniques Used:

Process Checking - This sample looks for many different processes used in reverse engineering. If one of them is found, it terminates and deletes that process, along with all files associated with it.

Anti-Debug Cluster - This cluster of anti-debugging tricks is absurd, but it works quite well. To bypass it you need the proper plugins and have to edit a few points in the process's execution. Once bypassed, you can enter the DGA starting routine.

Standard XOR, TLS Encryption & Decryption:

TLS functions are used inside the cryptor to decrypt the first quarter of the PE binary. Once decrypted, it checks the associated program directory for a file named "old_filename.exe". If the file is found, the cryptor proceeds to stage 2 and decrypts the rest of the file. A useful trick here is to set a breakpoint on "CreateProcessA" and then follow the stage 2 decryption inside a second debugger. Once you reach stage 2 you can start analysis of the malware.

OEP Byte Structure:
C1 78 15 37 91 21 A1 B0 94 F0 98 21

1st decryption:
55 89 E5 C6 05 D0 51 41 00 01 68 D0

2nd decryption:
55 89 E5 53 B8 10 33 45 00 50 E8 51

Understanding the DGA:

Domain generation algorithms are seen in various families of malware. They normally generate large numbers of domain names, of which usually only one or a handful are active at a time. This connect-back feature allows connections back to the command and control server and/or the bot master. Here we see "www." being prepended to the random label generated from the Mersenne Twister pseudo-random number generator described below; after the label is generated, ".com" is appended to the string, completing the domain name:

Domain Character Generation:

Our character array's length is 0x3E (62 decimal); the first element is not indexed and is only used to hold the length of the array.
The output of the Mersenne Twister algorithm is used as an index into this character array.

Pseudo Random Number Generator Information:

Generating good random numbers in software is a complex topic. Software-based random number generators can never produce truly random numbers and are therefore called pseudo-random number generators, because they rely on mathematical formulas to give the impression of randomness. The pseudo-random generator in this file is the well-known Mersenne Twister algorithm, which has been around since 1997. The implementation used here is MT19937; the Mersenne Twister gets its name from its period of 2^19937 - 1, which is a Mersenne prime, and 19937 is also the size in bits of the Twister engine's internal state.

Range distribution, from 0x00 to 0x3E:

Mersenne Twister Initialization:

Mersenne Twister Twist Function:

Seed Generation:

The random number generator above has to be initialized; this is also called seeding it. Most applications seed with the current system time. This file uses "GetTickCount", which retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days; after 49.7 days the counter wraps around to zero and starts counting again.

A software-based random number generator needs a good quality seed: if you initialize the generator with the same seed every time, you will get the same sequence of random numbers every time. This is why the seed is usually the current system time. The malware author wants unique random numbers.

Get Seed:

Domains Generated By Algorithm Above:

Using the n choose r formula to count all combinations of indexes into the character array, we get a total of 107,518,933,731 index combinations, or possible domain names. However, if we divide that by 625 we get the number of seed values possible from the use of the Mersenne Twister algorithm and GetTickCount, which is 172,030,293.97, about 172 million possible seed values. This means the algorithm above can only generate one domain name per seed value, so 172 million total domains are possible, if my math is correct. A quick 50 domains are below:
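The generator and the domain assembly described in this section, as an added example in Python (not code from the original post or from the sample itself): a reference MT19937 seeded with a GetTickCount-style millisecond value, its output used as an index into a 62-character array, and "www." / ".com" wrapped around the label. The 62-character alphabet, the 12-character label length and the modulo index mapping are assumptions, since the page gives only the array length; it also shows why one seed yields exactly one domain, which lets a defender precompute candidates for an uptime window.

```python
# Added example: MT19937-driven DGA skeleton as described in the write-up.
# Assumed (not stated on the page): alphabet contents, label length 12,
# and mapping the 32-bit output onto the array with a modulo.
from typing import List

# Assumed 62-character alphabet; the page gives only the length (0x3E).
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
assert len(CHARSET) == 62
LABEL_LEN = 12  # assumed label length


class MT19937:
    """Reference Mersenne Twister (init_genrand / genrand_int32)."""

    N, M = 624, 397
    MATRIX_A = 0x9908B0DF
    UPPER, LOWER = 0x80000000, 0x7FFFFFFF

    def __init__(self, seed: int) -> None:
        # Seed the 624-word state exactly as the reference init_genrand does.
        self.mt = [0] * self.N
        self.mt[0] = seed & 0xFFFFFFFF
        for i in range(1, self.N):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF
        self.index = self.N  # forces a twist before the first output

    def _twist(self) -> None:
        # Regenerate all 624 words; later words see already-updated earlier ones.
        for kk in range(self.N):
            y = (self.mt[kk] & self.UPPER) | (self.mt[(kk + 1) % self.N] & self.LOWER)
            self.mt[kk] = (self.mt[(kk + self.M) % self.N] ^ (y >> 1)
                           ^ (self.MATRIX_A if y & 1 else 0))
        self.index = 0

    def extract(self) -> int:
        """Return the next tempered 32-bit output."""
        if self.index >= self.N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF


def generate_domain(seed: int, label_len: int = LABEL_LEN) -> str:
    """Seed the generator (the sample uses GetTickCount) and build www.<label>.com."""
    rng = MT19937(seed)
    label = "".join(CHARSET[rng.extract() % len(CHARSET)] for _ in range(label_len))
    return "www." + label + ".com"


def candidate_domains(first_tick: int, count: int, step_ms: int = 1) -> List[str]:
    """Precompute the domains for a window of GetTickCount values.

    Because the seed fully determines the output, a defender who knows the
    routine can enumerate the candidates for an uptime window and feed them
    to DNS logging or a sinkhole instead of matching on string patterns.
    """
    return [generate_domain(first_tick + i * step_ms) for i in range(count)]


if __name__ == "__main__":
    for domain in candidate_domains(0, 5):
        print(domain)
```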


Coin Mining:

Other Related Strings:

Process Injection:

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Rust.DGA

Exim email servers are still under attack

The Exim remote command execution vulnerability has been exploited in the wild since June. This week, security researchers observed the Exim vulnerability (CVE-2019-10149) being exploited to install a new variant of the Watchbog Linux malware. After successful exploitation, Watchbog downloads and executes a cryptocurrency miner payload on the compromised servers. According to a Shodan search from today, there are over 1.5 million unpatched Exim servers vulnerable to this attack. The SonicWall Capture Labs Threat Research team continues to observe attempts to exploit this vulnerability.

Exim is a mail transfer agent (MTA) used on Unix-like operating systems. It contains an implementation of an SMTP server for incoming messages, as well as an SMTP (Simple Mail Transfer Protocol) or LMTP (Local Mail Transfer Protocol) client for outgoing emails.
SMTP is a connection-oriented, text-based protocol in which a mail sender communicates with a mail receiver by issuing command strings and supplying the necessary data over a Transmission Control Protocol (TCP) connection. An SMTP session consists of commands originated by an SMTP client (the initiating agent) and corresponding responses from the SMTP server (the listening agent), through which the session is opened and session parameters are exchanged.

An SMTP transaction consists of the following three command/reply sequences:

1. MAIL command, to identify the sender, to establish the return address or bounce-address.
2. RCPT command, to establish a recipient of the message. This command can be issued multiple times, one for each recipient.
3. DATA command, to give the mail data and finally the end of mail data indicator confirming the transaction.

SMTP Mail Transaction:


A command injection vulnerability has been reported in Exim. It is due to insufficient sanitization of recipient email addresses, whether the recipient is local or remote. In the vulnerable versions, the local part of the recipient address is passed as input to the expand_string() method without enough validation. A remote attacker can exploit this vulnerability by attempting to send an email to a crafted recipient on the target server. Successful exploitation results in the execution of arbitrary commands as the root user.


Fig: Snapshot of the code snippet 

Local Exploitation:
The utility expand_string() in the code shown above recognizes "${run{<command> <args>}}" when it appears in its input, and because new->address is the recipient of the mail being delivered, a local attacker can simply send a mail to "${run{...}}@localhost" and execute arbitrary commands as root.


Remote Exploitation (Non-default configuration):
The above exploitation method does not work remotely, because Exim's default configuration requires the local part of the recipient's address (the part that precedes the @ sign) to be the name of a local user when the request comes from a remote server.
In various non-default configurations, however, the vulnerability can be exploited remotely: if the "verify = recipient" ACL, which checks that the local part of the recipient's address is the name of a local user, was removed manually by an administrator, or if Exim was configured to recognize special tags like "+" in the recipient's address, then a remote attacker can simply use the local exploitation method, i.e. RCPT TO "local_user+${run{...}}@localhost" instead of local_user@localhost.


Remote Exploitation (Default Configuration):
The vulnerability report also describes a more elaborate method that allows remote exploitation in Exim's default configuration. The attacker sets up a malicious mail server on a domain they control, places the malicious string expansion in the local part of the sender's address, and sends a message to a valid recipient that is crafted to bounce back to the attacker-controlled server. To make the outgoing message from the Exim server fail, i.e. to set RECIP_FAIL_TIMEOUT, the attacker-controlled server sends a long SMTP response very slowly over a 7-day period and finally returns a response such as a 550 error, causing Exim to mark the outgoing message as "frozen". On the next scheduled queue run, Exim attempts to deliver the bounce message once again; because the message is now older than the default permitted age for frozen messages, process_recipients is set to RECIP_FAIL_TIMEOUT, and the malicious string in the sender address is expanded by the expand_string() utility and executed as root.

Trend Chart:

The graph below shows how actively this vulnerability has been exploited.

Fig: IPS hits for the sig ID 14240 in the last 40 days

The majority of the exploit attempts come from the IP address "". Exim users have also reported online that they have been hacked by this attacker, who is still actively looking for vulnerable Exim servers.


Exim versions 4.87 to 4.91 are vulnerable by default. This vulnerability is fixed in version 4.92.
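A detection-side example added here (not from the original post or the Exim project): it scans SMTP transcript lines for sender or recipient local parts carrying Exim string-expansion syntax, covering the local form, the "+" tag variant and the sender-address form discussed above, and checks whether a reported Exim version falls in the vulnerable 4.87 to 4.91 range. The transcript lines are constructed for the example, not captured traffic.

```python
# Added example: flag Exim string-expansion syntax in SMTP envelope addresses
# and check an Exim version against the range the advisory gives.
import re
from typing import List, Tuple

# Envelope commands whose address reaches Exim's expand_string() path.
_ADDR_CMD = re.compile(r"^(MAIL FROM|RCPT TO):\s*<?([^>\s]*)>?", re.IGNORECASE)
# The expansion item named in the write-up; any "${" in a local part is already odd.
_RUN_ITEM = re.compile(r"\$\{\s*run\s*\{")


def split_address(addr: str) -> Tuple[str, str]:
    """Split on the last '@' so an injected local part keeps its braces intact."""
    at = addr.rfind("@")
    if at == -1:
        return addr, ""
    return addr[:at], addr[at + 1:]


def classify_local_part(local: str) -> str:
    """'high' for ${run{...}}, 'medium' for other expansion syntax, '' if clean."""
    if _RUN_ITEM.search(local):
        return "high"
    if "${" in local:
        return "medium"
    return ""


def inspect_transcript(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, command, local_part, severity) for each suspicious address."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _ADDR_CMD.match(line.strip())
        if not m:
            continue
        local, _domain = split_address(m.group(2))
        severity = classify_local_part(local)
        if severity:
            hits.append((n, m.group(1).upper(), local, severity))
    return hits


def is_vulnerable_version(version: str) -> bool:
    """Exim 4.87 through 4.91 are vulnerable by default; 4.92 carries the fix."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return (4, 87) <= (major, minor) < (4, 92)


# Constructed transcript: one normal delivery, then the three injected forms
# the advisory describes (local, "+" tag variant, and sender-address).
SAMPLE_SESSION = [
    "EHLO mail.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@localhost>",
    "RCPT TO:<${run{...}}@localhost>",
    "RCPT TO:<local_user+${run{...}}@localhost>",
    "MAIL FROM:<${run{...}}@attacker.example>",
    "DATA",
]

if __name__ == "__main__":
    for line_no, cmd, local, severity in inspect_transcript(SAMPLE_SESSION):
        print(f"line {line_no}: {cmd} local part {local!r} -> {severity}")
    print("4.91 vulnerable:", is_vulnerable_version("4.91"))
```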

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

  • IPS: 14240 Exim deliver_message Remote Command Execution 1
  • IPS: 14241 Exim deliver_message Remote Command Execution 2
  • IPS: 14242 Exim deliver_message Remote Command Execution 3
  • IPS: 14243 Exim deliver_message Remote Command Execution 4


Cryptomining trojan targeting Linux platforms seen in the wild

This week, the SonicWall Capture Labs team came across another cryptominer that targets the Linux platform. This Trojan arrives armed with functionality to ensure successful infection, including the use of a rootkit and known Linux exploits.

Infection Cycle

This Trojan comes as a bash file with over 800 lines of code. Its main function is to mine cryptocurrency using the Stratum mining protocol and the CryptoNight algorithm on pools such as supportxmr.com, minexmr.com, poolin.com, dwarfpool.com, nanopool.com and f2pool.com. To gain root access, and essentially full control of the victim machine, it uses BRootkit, leverages the vulnerability CVE-2016-5195 and uses the BillGates Linux malware.

The script consists of the following sub functions:

  • BasicInit – checks connectivity, pings the remote host (auth.to0ls.com or 90.140.35) and determines the platform type by reading the "issue" file to identify whether it is CentOS, Ubuntu or Debian.
  • RunInBack – to get root access it will download another component that uses a known exploit called Dirty Cow (CVE-2016-5195) – a privilege escalation vulnerability in the Linux kernel.
  • WorkProc – main mining function
  • Dandelion – it tries to infect other systems by looking at
  • Scavenger – it kills services and uninstalls the following: safedog, aegis, yunsuo, clamd, Avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets, xmirrord.
  • SetStartup – downloads the nohup utility if not present and adds itself as a local daemon in
  • Rootkit – downloads and runs a rootkit called BRootkit, whose functionality includes getting root access and hiding processes, directories and network connections, among many other things.
  • GetRootAccess – more functionality to get root access using the Dirty Cow exploit
  • Checkupdate – check for the most current version on the remote host
  • Guard – downloads another known Linux Trojan called BillGates and uses its “CleartheGates” functionality, opening ports and services and taking nearly full control over the infected system.

This malware author clearly took the time to guarantee persistence and successful infection.

SonicWALL Capture Labs provides protection against this threat via the following signatures:

  • GAV: Coinminer.LNX (Trojan)
  • GAV: Billgates.ELF (Trojan)
  • GAV: CVE-2016-5195.DC (Exploit)
  • GAV: BRootkit.LNX (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.


JPMorgan Chase NYSE: JPM, Paymentech, BitCoin Ransomware


The SonicWall Capture Labs Threat Research Team recently found the VirLock JPMorgan Chase Paymentech BitCoin ransomware active and circulating in 2019. VirLock, sometimes known as VirLocker or VirRansom, is also known as metamorphic ransomware: the malware automatically reproduces its code base each time it propagates or is distributed to other active nodes on the network. Techniques used inside this malware include function reordering, program flow modification, NOP runs of varying length, useless instructions, and varying combinations of left and right shifting, OR-ing and XOR-ing. It also uses a non-standard x86 Intel instruction called RDTSC (Read Time-Stamp Counter) for its pseudo-random value generator. VirLock is considered both a screen locker and a file infector; ransomware is usually one or the other.

This is what makes VirLock special: it adds an infection stub and a copy of itself to each file on your hard drive, and this stub is executed each time you double-click a file, meaning you will stay infected with this malware. The only thing you can do is back up your files, have a recovery specialist retrieve your files for you, and then reinstall your operating system on a new hard drive.

The payment processor referenced in this malware is Paymentech. Paymentech is a part of the merchant services industry; its product is based on payment processing services for small and large businesses, covering credit cards, debit cards, alternative payments such as gift cards, and mobile payments. Paymentech is also known as Merchant Services | Chase.com and handles over $1 trillion in annual processing volume.

The following pictures describe the newer generation of VirLock ransomware. Once the infection has finished initializing and installing itself in multiple locations on the machine, it shows a window labeled "Payment Tab". At the bottom of this window are six tabs, labeled Payment, BitCoin Information, BitCoin Exchanges, BitCoin ATMs, Internet Browser and Notepad.

Payment Tab:

BitCoin Information Tab:

BitCoin Exchanges Tab:

BitCoin ATMs Tab:

Internet Browser Tab:

The normal IE from Microsoft will display when you click this tab.

Notepad Tab:

The normal notepad.exe from Microsoft will display once you click this tab.

Sample Static Information:

Many basic file attributes of the VirLock first stage can be seen in the following picture below:

Unpacking The Sample:

Using RDG, we can check whether the sample is packed, protected or encrypted. The entropy pie chart gives a value between 0 and 8; the closer the value is to 8, the more the sample can be considered fully encrypted:

Using a well known PEiD plugin called KANAL, we can check for crypto signatures. Given that the sample has an entropy of 7.62, we probably won't see anything in KANAL:

Loading the sample into IDA Pro, we see the following:

The picture also shows where in the PE file things are located. We can see that the starting routine lies almost at the end of the file, which means our metamorphic stub starts at the end of the file.

We can see from the picture above that the sample is packed by a custom crypter of some sort. We can learn more about what is going on with a few simple text searches in IDA Pro for strings like xor, rol and ror:

Our xor search:

Our ror search:

Our rol search:

The search I like to do the most during the starting routine is searching for the word "call":

We will have to start our dynamic analysis here with x86 dbg, WinDbg, OllyDbg, or Immunity. All metamorphic and even polymorphic code stubs at the beginning of a crypter have a "call" or "jmp" of some sort to redirect execution to the actual native code of the malware. When the code jumps or calls into this area, the code can be considered decrypted at this point. Sometimes we call this area the OEP within some malware. With metamorphic code this area will be chopped up with useless instructions and random junk mixed into the main native code. This is what makes analysis of a metamorphic malware sample hard and time consuming.

After decrypting the starting routine, you will see the following algorithm:

The Anti-Debug part of this algorithm is highlighted in red below. Most new reverse engineers will get stuck in this loop without understanding the assembly code.

Once you get past the Anti-Debugging and the first Key check, you will start to see the "New Key Generator Stage":

This is how you know you are on the correct track while going down the rabbit hole.

First Metamorphic Decryption Set:

Once you do make it down the correct control path, you will reach the decryptor.

The decryptor will then decrypt the following metamorphic stub. This stub will be the next malware code to execute. Once you've found the decryptor and encryptor code stubs along with the pseudo-random value generator, you are basically at the point where you can follow the malware's code base 100% the rest of the way. It will take a very long time stepping through the code, and a lot of problems and virtual machine snapshot resets, to get this far. Just keep with it and you will get there.

Second Metamorphic Decryption Set:

This is the second decryption routine you will run into after the one above:

This is what the second encrypted malware routine looks like. The top line has started to decrypt:

This is what the second decrypted malware routine looks like:

Third Metamorphic Decryption Set:

The third set will decrypt a large portion of the file, about 3,466 bytes. I cannot show all of the decryption as it is insanely long. However, I can show you the decryption routine of the third set and the following encrypted and decrypted bytes:

The encrypted bytes, with the first line already decrypted:

This is the decryption of the third set.

Fourth Metamorphic Decryption Set:

The fourth decryption algorithm finally shows us the shellcode they use.

What the encrypted shellcode bytes look like:

Now we have finally reached the shellcode that actually does something useful.

Once you get this far, it's time to reverse engineer the shellcode. This should help you get started.

It's nice to see progress from encrypted code to decrypted code while you're working in any debugger. It further illustrates that you are on the correct path. I've added the above unpacking procedure to show readers that it is very time consuming. However, this is what you need to do for each file that has been infected. This is why it's recommended to have a security professional locate all the decryption keys for each infected file. I've heard this part is automated now on a few different websites that are lying around online. Who knows if they actually work. Please read the summary below about what to do in case you are infected with this malware.


A collection of notes for avid security researchers.

As always there is so much more to this malware that just isn't covered in this blog. This blog would be 100 pages long if we hit every aspect of this malware.

Supported Systems:

The sample was tested and debugged on (x86) - 32 Bit, Windows 7 Professional.


If you are infected with this malware, make a backup of the files you would like to keep. There are ways to decrypt the files from this ransomware; however, the process will be long and time consuming. After saving your files, you should think about getting a new hard drive to reinstall your OS onto. Do not use the old hard drive. File infector ransomware is probably the worst type of malware you could possibly get infected with.

SonicWall, Gateway Anti-Virus (GAV), provides protection against this threat:

GAV: Virlock.E