TeslaCrypt, like many of its ransomware cousins, doesn’t sleep on past success. Researchers at Endgame Inc. have found two updates to the cryptoransomware in the past two weeks that invest heavily in obfuscation and evasion techniques, and also target a host of new file extensions.
These samples, researcher Amanda Rousseau told Threatpost, were found in attachments of large-scale spam campaigns purporting to be shipping delivery notifications.
Version 4.1A has been in circulation for about a week, Rousseau said, and targets a wide range of the usual file extensions, plus a handful of new ones that merit notice: .7z; .apk; .asset; .avi; .bak; .bik; .bsa; .csv; .d3dbsp; .das; .forge; .iwi; .lbf; .litemod; .litesql; .ltx; .m4a; .mp4; .rar; .re4; .sav; .slm; .sql; .tiff; .upk; .wma; .wmv; and .wallet. The use of spam to move TeslaCrypt is also a departure from recent outbreaks, in which compromised WordPress and Joomla websites redirected visitors to exploit kits that silently loaded the ransomware onto vulnerable machines.
In this case, when the victim opens the .zip attachment and runs the JavaScript file inside it, the script acts as a downloader: it uses Wscript, the Windows Script Host, to fetch the TeslaCrypt binary from greetingsyoungqq[.]com/80.exe, Rousseau said. She added that analysis of the malware has become a challenge because it spawns many threads and employs anti-debugging techniques to frustrate security tools.
“It’s really like they are trying hard to hide strings in memory,” Rousseau said. “It’s much harder for [antivirus] to detect if it’s not scanning memory.”
The use of Wscript complicates detection as well, because the download is performed by a legitimate, signed Windows component and its traffic looks like normal Windows activity. Rousseau said it took detection tools as many as four days to catch up to the technique and incorporate it into signatures. She added that the command-and-control servers hosting TeslaCrypt have a finite shelf life before the attackers take them down and move on to new ones.
The malware also uses COM (Component Object Model) objects to hide string extraction, and deletes the Zone.Identifier alternate data stream that marks a file as downloaded from the internet, both in the name of evasion. It also tries to prevent ongoing monitoring by terminating a handful of Windows processes: Task Manager; Registry Editor; Sysinternals Process Explorer; System Configuration (msconfig); and the command shell (cmd.exe). Finally, it copies itself to disk and creates a registry value that points to the copy in order to persist across reboots.
Endgame has published a report with complete technical details, including more on the encryption used by the ransomware and its anti-debugging techniques.
Rousseau said that these TeslaCrypt samples also snake through any network shares the compromised computer has access to and try to encrypt files on those shares. They also go after backups by attempting to delete Volume Shadow Copies, the snapshots that Windows’ Volume Shadow Copy Service keeps for System Restore and Previous Versions.
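As an added illustration (not Endgame’s or Threatpost’s code, and not taken from the samples themselves), the Python below turns the delivery, persistence and backup-destruction behaviour described in this article into a few host-based detection rules and runs them over constructed Sysmon-style records. The log records, user name, file paths and registry value name are invented for the example.

```python
import re

# Constructed telemetry in a Sysmon-like shape (invented for this example, not a
# capture from the samples the article discusses). Paths and names are assumptions.
SAMPLE_EVENTS = [
    # Script host launched from the extracted mail attachment.
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_shipping_notice.zip\invoice.js"'},
    # The downloaded payload, started by the script host.
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\80.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\80.exe"'},
    # Shadow copy deletion to destroy local backups.
    {"type": "process", "parent": r"C:\Users\alice\AppData\Local\Temp\80.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    # Run-key persistence pointing at a copy of the binary.
    {"type": "registry", "image": r"C:\Users\alice\AppData\Local\Temp\80.exe",
     "key": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\sys",
     "value": r"C:\Users\alice\AppData\Roaming\sys.exe"},
    # Benign noise that the rules must not flag.
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "registry", "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "value": r"C:\Program Files\Vendor\tray.exe"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_ARG = re.compile(r'"?([^"]*?\.(?:js|jse|vbs|vbe|wsf))"?(?:\s|$)', re.I)
# Locations an unprivileged user (and therefore a mail attachment) can write to.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|downloads)\\", re.I)
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, evidence) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
            # Rule 1: a script host executing a script out of a user-writable
            # directory, which is what opening the attachment looks like.
            m = SCRIPT_ARG.search(cmd)
            if image in SCRIPT_HOSTS and m and USER_WRITABLE.search(m.group(1)):
                hits.append(("script_host_from_user_dir", m.group(1)))
            # Rule 2: the script host running an executable it dropped into a
            # user-writable directory (the downloaded payload).
            if parent in SCRIPT_HOSTS and image.endswith(".exe") and USER_WRITABLE.search(ev["image"]):
                hits.append(("exe_spawned_by_script_host", ev["image"]))
            # Rule 3: Volume Shadow Copy deletion, which wipes local restore points.
            if SHADOW_DELETE.search(cmd):
                hits.append(("shadow_copy_deletion", cmd))
        elif ev["type"] == "registry":
            # Rule 4: a Run-key autostart whose target lives in a user-writable
            # directory, the persistence pattern the article describes.
            if RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["value"]):
                hits.append(("run_key_to_user_dir", ev["value"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} {evidence}")
```

The rules key on parent/child relationships and on where files live rather than on hashes or the download domain, which is why they survive the kind of re-packing and C2 rotation Rousseau describes; the trade-off is that legitimate admin scripts run from Temp will also trip rule 1, so it is a triage signal, not a blocking one.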
If there is a silver lining in the latest TeslaCrypt updates, it is that the malware uses AES-256 to encrypt files, not the RSA-4096 claimed in the ransom note, and that a recovery file accompanies the malware. The distinction matters because a symmetric key that can be recovered from the system decrypts everything, whereas a properly implemented RSA scheme would require the attackers’ private key.
“We went through the encryption algorithm, and it’s pretty on point, but it does leave a recovery file on the system,” Rousseau said. “If you use the old TeslaCrypt cracker and do an update on that code based on [what was found], you should be able to decrypt.” About a year ago, Cisco introduced a command-line utility that was capable of decrypting files lost to TeslaCrypt.
Rousseau also said that the gang behind these most recent samples is borrowing a lot of code from older versions, in particular its use of COM objects and certain anti-debugging techniques.
“You can tell they are following researchers closely, watching [decryptor] code that’s released on GitHub and open source,” Rousseau said, pointing to the rapid changes in the past month, starting with 4.0 and reaching 4.1A in the last week or week and a half. “There are slight tweaks to each version and from each cracker that comes out. They take the best of what was good a couple of months ago, and apply it to today.”