SonicWall Security Center
Ransomware purports to be from National Security Bureau (Dec 12, 2014)



Description


The Dell SonicWall Threats Research team has received reports of a relatively new Ransomware Trojan that tries to extort money from its victims. It does not encrypt files the way Ransomware such as CryptoLocker or CryptoWall does, but it does infect various file types found on the system, such as image files.

Infection Cycle:

The Trojan uses the following icon:

The executable is obfuscated in an attempt to deter reverse engineering:

The Trojan contacts google.com to verify internet connectivity:

The Trojan makes the following DNS query:

      google.com

The Trojan adds the following files to the filesystem:

  • %ALLUSERSPROFILE%\zaQUUoEg\nEckMYsg.exe [Detected as GAV: Obfus.3_2 (Trojan)]
  • %ALLUSERSPROFILE%\zaQUUoEg\nEckMYsg.inf
  • %USERPROFILE%\HuEwIQME\hmgAEcws.exe [Detected as GAV: Virut.CM (Trojan)]
  • %USERPROFILE%\HuEwIQME\hmgAEcws.inf
  • %USERPROFILE%\Local Settings\Temp\file.vbs

file.vbs contains the following data:

      WScript.Sleep(50)

The Trojan adds the following keys to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run hmgAEcws.exe "%USERPROFILE%\HuEwIQME\hmgAEcws.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run nEckMYsg.exe "%ALLUSERSPROFILE%\zaQUUoEg\nEckMYsg.exe"
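The two Run values and the two drop directories above are the most durable host indicators in this write-up, so a responder will usually want to sweep a fleet for them rather than for the sample's hash. The following script is an added example and not SonicWall's code: it parses the text that `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` (and the HKLM equivalent) prints, flags exact matches on the value names and dropped paths listed above, and additionally flags any Run entry whose executable sits in a directory where both the directory and the file name are eight mixed-case letters, which is the naming pattern of the dropped files. That second rule is a heuristic of this example, not a SonicWall signature, and its hits need manual triage. The `reg query` output embedded below is constructed for the example, with the `%USERPROFILE%` / `%ALLUSERSPROFILE%` entries expanded to Windows XP paths and one hypothetical re-randomised variant added.

```python
"""Triage Run-key persistence for the indicators described above.

Added example, not SonicWall's code. Input is the text printed by
`reg query` for the HKCU and HKLM Run keys; the sample here is constructed.
"""
import re
from typing import Dict, List

# Constructed sample: `reg query` output for both Run keys on a Windows XP
# host, with the write-up's entries expanded, two benign values, and one
# hypothetical variant that reuses the naming pattern with fresh names.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    hmgAEcws.exe    REG_SZ    "C:\Documents and Settings\user\HuEwIQME\hmgAEcws.exe"
    Updater    REG_SZ    "C:\Documents and Settings\user\QwErTyUi\AsDfGhJk.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMAX    REG_SZ    "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe"
    nEckMYsg.exe    REG_SZ    "C:\Documents and Settings\All Users\Application Data\zaQUUoEg\nEckMYsg.exe"
"""

# Indicators taken directly from the file and registry lists in the write-up.
IOC_VALUE_NAMES = {"hmgAEcws.exe", "nEckMYsg.exe"}
IOC_PATH_TAILS = (r"\HuEwIQME\hmgAEcws.exe", r"\zaQUUoEg\nEckMYsg.exe")

# Heuristic (an assumption of this example, not a SonicWall signature): an
# executable whose parent directory and base name are both eight letters,
# each in mixed case, like the dropped files above.
RANDOM_NAME_RE = re.compile(r'\\([A-Za-z]{8})\\([A-Za-z]{8})\.exe"?\s*$',
                            re.IGNORECASE)

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\")
VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Turn `reg query` output into {key, name, type, data} records."""
    entries: List[Dict[str, str]] = []
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if KEY_RE.match(line):          # a key header starts a new section
            key = line.strip()
            continue
        m = VALUE_RE.match(line)        # indented "name  REG_TYPE  data" rows
        if m and key:
            entries.append({"key": key, "name": m.group(1),
                            "type": m.group(2), "data": m.group(3).strip()})
    return entries


def _mixed_case(s: str) -> bool:
    return s != s.lower() and s != s.upper()


def classify(entry: Dict[str, str]) -> str:
    """'ioc' on an exact match with the write-up, 'suspicious' on the
    naming heuristic, otherwise 'clean'."""
    data = entry["data"]
    if entry["name"] in IOC_VALUE_NAMES or any(
            tail.lower() in data.lower() for tail in IOC_PATH_TAILS):
        return "ioc"
    m = RANDOM_NAME_RE.search(data)
    if m and _mixed_case(m.group(1)) and _mixed_case(m.group(2)):
        return "suspicious"
    return "clean"


def triage_run_keys(text: str) -> List[Dict[str, str]]:
    """Return only the entries worth a look, each tagged with its verdict."""
    hits = []
    for entry in parse_reg_query(text):
        verdict = classify(entry)
        if verdict != "clean":
            hits.append(dict(entry, verdict=verdict))
    return hits


if __name__ == "__main__":
    for hit in triage_run_keys(SAMPLE_REG_QUERY):
        print(f"[{hit['verdict']:10}] {hit['key']}\\{hit['name']} -> {hit['data']}")
```

On a live host, pipe the real `reg query` output into `triage_run_keys`; an "ioc" verdict is a confirmed match with this campaign, while a "suspicious" verdict only says the entry shares the dropper's naming habit and should be pulled for a look at the binary. Note that the values listed above are given with environment-variable notation, whereas the registry holds the expanded path, which is why the example matches on the path tail rather than on the full string.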

The Trojan communicates with a remote C&C server over encrypted traffic.

The Trojan then locks the system by displaying the following fake warning:

The warning states that pirated software has been found on the system. It purports to come from the National Security Bureau and demands that 0.652 BTC be transferred to a specified address (198tX7NmLg6o8qcTT2Uv9cSBVzN3oEozpv), after which the computer will supposedly be unlocked "within 4.5 working days". It also threatens that a warrant for arrest will be issued, with a penalty of up to 5 years in prison, if the sum is not paid. The message is of course false; the campaign is designed purely to extort money from its victims.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Crypted.A_21 (Trojan)
  • GAV: Obfus.3_2 (Trojan)
  • GAV: Virut.CM (Trojan)
