Brazilian cybercriminals are expanding their tactics and have recently adopted ransomware as a new means of attack, Kaspersky Lab reveals.

Security researchers from the Moscow-based security firm have analyzed a new variant of the Brazilian-made ransomware "Xpan" Trojan (Trojan-Ransom.Win32.Xpan). The malware has been used by the “TeamXRat” group, also identified as “CorporacaoXRat” (the Portuguese equivalent of “CorporationXRat”) to target local companies and hospitals. The ransomware’s signature is extension “.___xratteamLucked,” which is appended to encrypted files.

While Xpan isn’t the first ransomware to come out of Brazil – TorLocker and HiddenTear copycats were seen in local attacks – it packs code improvements that reveal increased interest in this type of malware. The threat is developed by an organized gang that uses targeted attacks via Remote Desktop Protocol (RDP) to infect systems, Kaspersky says.

When executed, the ransomware checks the system’s default language, sets a registry key, obtains the computer name from the registry, and deletes any proxy settings defined in the system. During execution, Xpan logs all actions to the console, but clears it when the process is completed. It then informs victims that their files were encrypted using RSA 2048-bit encryption.

Unlike the previous ransomware used by the TeamXRat group, Xpan doesn’t use persistence, has switched from Tiny Encryption Algorithm to AES-256, and encrypts all files on the system, except for .exe and .dll files, and those that include blacklisted substrings in the path. The malware, Kaspersky says, uses the implementation of cryptographic algorithms provided by MS CryptoAPI.

The security researchers have identified two versions of the Trojan, based on their extensions and the different encryption techniques. The first version uses the “___xratteamLucked” (3 ‘_’ symbols) extension and generates a single 255-symbol password for all files, while the second one uses the “____xratteamLucked” (4 ‘_’ symbols) extension and generates a new 255-symbol password for each file.

Before encryption, the ransomware attempts to stop popular database services, and deletes itself when the process has been completed. After encryption, the Trojan modifies the registry so that, when the victim double-clicks on a file with the extension “.____xratteamLucked,” the ransom note is displayed using msg.exe (a standard Windows utility).

The TeamXRat attacks are performed manually by hacking servers via RDP brute force and installing the ransomware on them. After gaining access to a server, the attackers disable the installed anti-virus product and begin installing their malware.

“Connecting remote desktop servers directly to the Internet is not recommended and brute forcing them is nothing new; but without the proper controls in place to prevent or at least detect and respond to compromised machines, brute force RDP attacks are still relevant and something that cybercriminals enjoy,” Kaspersky researchers explain.
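The "detect and respond" controls mentioned above start with noticing the brute-force pattern in the server's own logon audit trail. The following script is an added example, not Kaspersky's or SecurityWeek's code: it takes Windows Security events that have already been exported as dicts (event ID 4625 for a failed logon, 4624 for a success, logon type 10 for RemoteInteractive/RDP), counts failures per source address inside a sliding time window, and flags any address that later logs on successfully. The event records, threshold and window are constructed for this demonstration.

```python
"""Flag RDP brute-force bursts, and bursts followed by a success, in exported Windows Security events.

Added example (not the article's or Kaspersky's code). Assumes events have been
flattened to dicts with the fields used below; all records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 4625 = failed logon, 4624 = successful logon,
# logon_type 10 = RemoteInteractive (RDP). Addresses are documentation ranges.
SAMPLE_EVENTS = [
    {"time": "2016-09-20T02:00:01", "id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "administrator"},
    {"time": "2016-09-20T02:00:05", "id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "admin"},
    {"time": "2016-09-20T02:00:09", "id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "administrador"},
    {"time": "2016-09-20T02:00:14", "id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "backup"},
    {"time": "2016-09-20T02:00:20", "id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "sql"},
    {"time": "2016-09-20T02:00:27", "id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "administrator"},
    {"time": "2016-09-20T02:00:33", "id": 4624, "logon_type": 10, "ip": "198.51.100.7", "user": "administrator"},
    # Two isolated failures from another address: below threshold, not an alert.
    {"time": "2016-09-20T02:10:00", "id": 4625, "logon_type": 10, "ip": "203.0.113.5", "user": "administrator"},
    {"time": "2016-09-20T02:11:00", "id": 4625, "logon_type": 10, "ip": "203.0.113.5", "user": "administrator"},
    # Normal interactive logon from the LAN, non-RDP logon type: ignored.
    {"time": "2016-09-20T08:00:00", "id": 4624, "logon_type": 2, "ip": "10.0.0.5", "user": "jsmith"},
]

FAIL_THRESHOLD = 5          # failures inside WINDOW that trigger an alert (constructed)
WINDOW = timedelta(minutes=5)


def _t(event):
    return datetime.fromisoformat(event["time"])


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: summary} for every source address that produced at least
    `threshold` failed RDP logons within `window`. The summary records the total
    failure count, the usernames tried, and whether a successful RDP logon from the
    same address followed the burst (the sign that a password was actually found)."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=_t):
        if e["logon_type"] == 10:           # only RemoteInteractive (RDP) logons
            by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["id"] == 4625]
        burst_end = None
        start = 0
        for i, e in enumerate(fails):       # sliding window over failure timestamps
            while _t(fails[start]) < _t(e) - window:
                start += 1
            if i - start + 1 >= threshold:
                burst_end = _t(e)
                break
        if burst_end is None:
            continue
        success_after = any(e["id"] == 4624 and _t(e) >= burst_end for e in evs)
        alerts[ip] = {
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "success_after": success_after,
        }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, summary)
```

A burst followed by a success is the case that matters for the scenario in the article: the attacker already has a valid account and the next events to look for are the anti-virus being disabled and new executables appearing, so that address should be treated as a likely compromise rather than just a noisy scanner.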

RDP vulnerabilities are also exploited for remote code execution when an attacker sends a specially crafted sequence of packets to a targeted system. Servers that haven’t been patched are extremely valuable to cybercriminals, as the reports on the xDedic server marketplace revealed.

“Not surprisingly, Brazil was the country with the most compromised servers being offered in the underground market to any cybercriminal,” Kaspersky notes.

The good news when it comes to the Xpan ransomware is that Kaspersky managed to break the malware’s encryption, allowing for free file decryption. In fact, the researchers already helped a hospital in Brazil to recover from an Xpan attack. The security researchers expect new ransomware variants to come from the same threat actor.



Ionut Arghire is an international correspondent for SecurityWeek.


Sophos has conducted a detailed analysis of a piece of malware designed to abuse infected computers for cryptocurrency mining and discovered that the threat leverages network-attached storage (NAS) devices to spread.

The malware, detected by the security firm as Mal/Miner-C, leverages infected computers to mine Monero (XMR), an open source privacy-focused cryptocurrency which, unlike Bitcoin, can still be mined using regular computers. The threat is written in NSIS (Nullsoft Scriptable Install System), a scripting language used for creating Windows installers.

These types of Trojans are not unheard of. Last month, antivirus company Dr. Web reported spotting a Go-based Monero miner designed to target Linux systems.

What makes Mal/Miner-C interesting is the fact that it abuses FTP servers in an effort to spread to as many computers as possible. Some instances of the malware include a component, called tftp.exe, which randomly generates IP addresses and attempts to connect to them using a predefined list of usernames and passwords.

If it establishes a successful connection to an FTP service, the malware copies itself to that server and modifies the .html and .php files stored on it. The targeted web files are injected with code that generates an iframe referencing the malware. When users visit these infected webpages, they are presented with a “save file” dialog that serves the malicious files. If victims download and open these files, their systems will become infected with Mal/Miner-C.

Sophos identified over 1.7 million individual infections in the first half of 2016, but these instances only corresponded to 3,150 unique IP addresses. That is because the malware copies itself to every folder on an infected FTP server.

An Internet scan has shown that there are over 200,000 active FTP servers around the world that allow anonymous remote access, and more than 7,200 of them are not properly configured and have write access enabled. Of these, roughly 5,100 have already been infected with Mal/Miner-C.

While the malware has targeted various types of FTP servers, researchers noticed one particular device that is particularly susceptible to abuse. By default, Seagate’s Central NAS product provides a public folder that cannot be deleted or deactivated. If remote access is enabled on the device, attackers can easily plant the malware files in hopes that they will be executed by users once they are discovered.

While Mal/Miner-C cannot directly run on Seagate Central, the NAS device can be highly useful for spreading the malware, and Sophos believes that most of these systems have already been infected.
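The two traces the article describes, an iframe injected into every .html and .php file and the same dropper copied into every folder, are both visible to whoever administers the FTP server or NAS share. The script below is an added example, not Sophos's code and not the malware's: it walks a directory tree such as an FTP root or the Seagate Central public folder, reports web pages whose iframes point at executable-looking targets, and reports any executable file name that has been replicated into several folders. The sample tree it builds, the file names in it and the "suspicious target" heuristic are all constructed for the demonstration.

```python
"""Audit an FTP root or NAS share for the two traces described in the article:
web pages with an injected iframe to an executable, and one executable copied
into many folders. Added example; file names and heuristics are constructed.
"""
import os
import re
import tempfile
from collections import defaultdict

# Heuristics (constructed): any iframe whose src looks like a downloadable
# executable, and any .exe/.scr present in several folders.
IFRAME_RE = re.compile(r"<iframe[^>]*\bsrc=[\"']([^\"']+)[\"']", re.IGNORECASE)
EXECUTABLE_TARGET_RE = re.compile(r"\.(exe|scr|zip)(\?.*)?$", re.IGNORECASE)
WEB_EXTENSIONS = {".html", ".htm", ".php"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr"}


def scan_share(root, replication_threshold=3):
    """Return {"injected": [(relative_path, iframe_src), ...],
               "replicated": {file_name: folder_count, ...}}."""
    injected = []
    executable_dirs = defaultdict(set)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                       # deterministic traversal order
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in WEB_EXTENSIONS:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for match in IFRAME_RE.finditer(fh.read()):
                        src = match.group(1)
                        if EXECUTABLE_TARGET_RE.search(src):
                            injected.append((os.path.relpath(path, root), src))
            elif ext in EXECUTABLE_EXTENSIONS:
                executable_dirs[name.lower()].add(dirpath)
    replicated = {name: len(dirs) for name, dirs in executable_dirs.items()
                  if len(dirs) >= replication_threshold}
    return {"injected": injected, "replicated": replicated}


def build_sample_share():
    """Create a constructed share in a temp dir: three folders each holding a
    copy of 'update.scr' (placeholder dropper name), one page with an injected
    iframe to it, and one clean page with a benign iframe. Returns the root."""
    root = tempfile.mkdtemp(prefix="share_sample_")
    for sub in ("public", os.path.join("public", "docs"), os.path.join("public", "photos")):
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, "update.scr"), "wb") as fh:
            fh.write(b"MZ placeholder, not a real executable\n")
    with open(os.path.join(root, "public", "index.html"), "w", encoding="utf-8") as fh:
        fh.write('<html><body><h1>Welcome</h1>\n'
                 '<iframe src="update.scr" width="1" height="1"></iframe>\n'
                 '</body></html>\n')
    with open(os.path.join(root, "public", "about.php"), "w", encoding="utf-8") as fh:
        fh.write('<?php echo "About"; ?>\n'
                 '<iframe src="https://example.com/embed/video"></iframe>\n')
    return root


if __name__ == "__main__":
    findings = scan_share(build_sample_share())
    for rel_path, src in findings["injected"]:
        print("injected iframe:", rel_path, "->", src)
    for name, count in findings["replicated"].items():
        print("replicated executable:", name, "in", count, "folders")
```

The replication check is what separates this campaign's footprint from an ordinary upload: a single stray executable in a download folder is unremarkable, but the same file appearing in every folder of the share, which is how the 1.7 million infections collapsed to 3,150 addresses, is not.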

After analyzing the wallets used by the cybercriminals to store their profits, researchers determined that they received a total of roughly 58,000 XMR from the MoneroPool mining pool they used. The infected machines had calculated 431,000 hashes per second, which accounted for half of the total pool.

When Attila Marosi, senior threat researcher at Sophos, wrote the report on Mal/Miner-C, Monero was worth less than $2, which meant cybercriminals had earned roughly $86,000. However, the value of Monero spiked this month after a popular dark web marketplace called AlphaBay integrated the cryptocurrency. One unit of the digital currency is currently worth more than $13, which means that the profit made by the cybercriminals is significantly higher.


Previous Columns by Eduard Kovacs:
