New German Ransomware
Dell SonicWALL Threats Research team discovered a new German Ransomware Trojan being spammed in the wild. The spammed e-mail contains a fake premium membership order confirmation at a partner agency and informs the user to open the attachment for elite account cancellation policy details. The attachment contains the new Ransomware Trojan. A sample e-mail message looks like below:
Translated e-mail: (Credit: Google Translate)
Subject: Your partner agency order (UserName) No. 809119652
Thank you for your trust (UserName)
You have just ordered www.Meinestadt.ch at the partner agency, the premium membership. The amount of 557.19 EUR is amortized over the next days of your account. The move made ??by Lugyment AG.
You are now ready for the next 6 months premium member and can use the full size premium options.Please refrain from using the contract information of the supplement, it also contains the invoice data and elite service benefits. If you no longer want the Elite membership, please email the withdrawal, with the attached in the Appendix, attached cancellation policy.
(UserName), we wish you good luck!
Sincerely, Mary Moeller
The attached zip file contains the new Ransomware Trojan with an icon disguised as a MS-DOS shortcut file:
If the user opens the file, it will perform following activity on the victim's machine:
- It drops multiple copies of itself as:
- (Application Data)(Random foldername)(Random alphanumeric 20 characters).exe
- (Windows System)(Random alphanumeric 20 characters).exe
- Creates a new instance of system program ctfmon.exe and injects it with the malicious code.
- It modifies the windows registry to ensure that the dropped copies get executed on system reboot and also disables some system tools:
- HKU(USERID)SoftwareMicrosoftWindowsCurrentVersionRun 8A54A84: "(Application Data)Jvreanqxgf16E41E5F08A54A8497CF.exe"
- HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit: "C:WINDOWSsystem32userinit.exe ,C:WINDOWSsystem32D268837808A54A8476D4.exe,"
- HKLMSOFTWAREMicrosoftWindowsCurrentVersionpoliciessystemDisableRegedit: 0x00000001
- HKLMSOFTWAREMicrosoftWindowsCurrentVersionpoliciessystemDisableTaskMgr: 0x00000001
- HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsmsconfig.exeDebugger: "P9KDMF.EXE"
- HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsregedit.exeDebugger: "P9KDMF.EXE"
- HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionstaskmgr.exeDebugger: "P9KDMF.EXE"
- Disables the Windows Safe Mode by deleting the relevant registry keys.
- It communicates with a remote server hosted in Beijing, China to register the infection and receive further instructions. The communication data between the malware and control server is encrypted. Below are some of the requests that we saw in our analysis:
- Complete list of control server URLs that we found in the code analysis:
- Complete list of commands that the server can send based on our code analysis:
- The first GET request causes the control server to return a Microsoft CAB file containing images that will be displayed by the Ransomware when it locks the system:
- The second GET request fetches the Ransomware message in German from the control server.
Translated Message (Credit: Google Translate)
Ladies and Gentlemen,
apparently the update program has been completely disrupted. Now the virus can only be removed manually. This you need to use your files to. So if you need the locked data, please send us 200 euros Ukash code to the email: firstname.lastname@example.org so soon, this code has been tested, you will receive an update program. If you need your data, we strongly advise you to reformat your computer to completely remove the virus. Ukash can be purchased at any gas station and in several Internet cafes in your area.
mfG Your Security Team
- The Ransomware will lock the system with the following image once it receives the LOCK command from the control server asking the user to pay 200 euros:
Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Ransom.GA (Trojan)