Find the best information and most relevant links on all topics related to feedsportal.com.
Find the best information and most relevant links on all topics related to feedsportal.com.
While we have previously written on the now infamous XPan ransomware family, some of it’s variants are still affecting users primarily located in Brazil. Harvesting victims via weakly protected RDP (remote desktop protocol) connections, criminals are manually installing the ransomware and encrypting any files which can be found on the system.
Interestingly, this XPan variant is not necessarily new in the malware ecosystem. However, someone has chosen to keep on infecting victims with it, encouraging security researchers to hunt for samples related to the increasing number of incident reports. This sample is what could be considered as the “father” of other XPan ransomware variants. A considerable amount of indicators within the source code depict the early origins of this sample.
“Recupere seus arquivos aqui.txt” loosely translated to “recover your files here” is a phrase that not many Brazilian users are eager to see in their desktops.
The ransomware author left a message for Kaspersky in other versions and has done the same in this one, with traces to the NMoreira “CrypterApp.cpp” there’s a clear link between different variants among this malware family.
NMoreira, XPan, TeamXRat, different names but same author.
Even though many Brazilian-Portuguese strings are present upon initial analysis, there were a couple that caught our attention. Firstly, the ransomware uses a batch file which will pass a command line parameter to an invoked executable file, this parameter is “eusoudejesus” which means “I’m from Jesus”. Developers tend to leave tiny breadcrumbs of their personality behind in each one of their creations, and in this sample we found many of them.
A brief religious reference found in this XPan variant.
Secondly, a reference to a Brazilian celebrity is done, albeit indirectly. “Computador da Xuxa” was a toy computer sold in Brazil during the nineties, however it’s also a popular expression which is used to make fun of very old computers with limited power.
This is what cybercriminals think of your encrypted computer: just a toy they can control.
“Muito bichado” equals to finding a lot of problems in these type of systems, in this case meaning that the environment in which is XPan is executing is not playing fair and the execution is quite buggy.
Lastly, we have the ransomware note demanding the victim to send an email to the account ‘email@example.com’. Considering that the extension for all the encrypted files in this variant is ‘.one’ this seems like a pretty straightforward naming convention for the criminals’ campaigns.
The rescue note in Portuguese.
Upon closer inspection, we discovered that this sample is nearly identical to another version of Xpan which used to be distributed back in November 2016 and used the extension “.__AiraCropEncrypted!”. Every bit of executable code remains the same, which is quite surprising, because since that time there were several newer versions of this malware with an updated encryption algorithm. Both samples have the same PE timestamp dating back to the 31st of October 2016.
The only difference between the two is the configuration block which contains the following information:
- list of target file extensions;
- ransom notes;
- commands to execute before and after encryption;
- the public RSA key of the criminals.
The decrypted configuration block of Xpan that uses the extension “.one”.
The file encryption algorithm also remains the same. For each target file the malware generates a new unique 255-byte random string S (which contains the substring “NMoreira”), turns it into a 256-bit key using the API CryptDeriveKey, and proceeds to encrypt the file contain using AES-256 in CBC mode with zero IV. The string S will be encrypted using the criminals’ RSA public key from the configuration block and stored in the beginning of the encrypted file.
According to one of the victims that contacted us, criminals were asking for 0.3 bitcoin to provide the recovery key, using the same approach as they did with before: the user sends a message to a mailbox with his unique ID and patiently awaits for further instructions.
The victims so far are small and medium businesses in Brazil: ranging from a dentist clinic to a driving school, demonstrating once again that ransomware makes no distinctions and everyone is at risk. As long as there are victims, assisting them and providing decryption tools whenever possible is necessary, no matter the ransomware family or when it was created.
This time luck is on the victims’ side! Upon thorough investigation and reverse engineering of the sample of “.one” version of Xpan, we discovered that the criminals used a vulnerable cryptographic algorithm implementation. It allowed us to break encryption as with the previously described Xpan version.
We successfully helped a driving school and a dentist clinic to recover their files for free and as usual we encourage victims of this ransomware to not pay the ransom and to contact our technical support for assistance in decryption.
Brazilian cybercriminals are focusing their efforts in creating new and local ransomware families, attacking small companies and unprotected users. We believe this is the next step in the ransomware fight: going from global scale attacks to a more localized scenario, where local cybercriminals will create new families from scratch, in their own language, and resorting to RaaS (Ransomware-as-a-service) as a way to monetize their attacks.MD5 reference
dd7033bc36615c0fe0be7413457dccbf – Trojan-Ransom.Win32.Xpan.e (encrypted file extension: “.one”)
54217c1ea3e1d4d3dc024fc740a47757 – Trojan-Ransom.Win32.Xpan.d (encrypted file extension: “.__AiraCropEncrypted!”)
Umělá inteligence je sice v plenkách, už teď ale přestáváme rozumět, jak vlastně funguje. To je problém
Russian hacker Roman Seleznev was sentenced to 27 years in prison today. He was convicted of causing more than $169 million in damage by hacking into point-of-sale computers.
Seleznev, aka "Track2," would hack into computers belonging to both small businesses and large financial institutions, according to prosecutors. He was arrested in the Maldives in 2014 with a laptop that had more than 1.7 million credit card numbers. After an August 2016 trial, Seleznev was convicted on 38 counts, including wire fraud, intentional damage to a protected computer, and aggravated identity theft.
The sentence is quite close to the 30 years that the government asked for. Prosecutors said Seleznev deserved the harsh sentence because he was "a pioneer" who helped grow the market for stolen credit card data and because he "became one of the most revered point-of-sale hackers in the criminal underworld."
Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week's leak by the mysterious group known as Shadow Brokers.
DoublePulsar, as the NSA implant is code-named, was detected on more than 107,000 computers in one Internet scan. That scan was performed over the past few days by researchers from Binary Edge, a security firm headquartered in Switzerland. Binary Edge has more here. Separate mass scans, one done by Errata Security CEO Rob Graham and another by researchers from Below0day, detected roughly 41,000 and 30,000 infected machines, respectively. To remain stealthy, DoublePulsar doesn't write any files to the computers it infects. This design prevents it from persisting after an infected machine is rebooted. The lack of persistence may be one explanation for the widely differing results.
Chinese government officials have been very vocal in their opposition to the deployment of the Terminal High-Altitude Air Defense (THAAD) system in South Korea, raising concerns that the anti-ballistic missile system's sensitive radar sensors could be used for espionage. And according to researchers at the information security firm FireEye, Chinese hackers have transformed objection to action by targeting South Korean military, government, and defense industry networks with an increasing number of cyberattacks. Those attacks included a denial of service attack against the website of South Korea's Ministry of Foreign Affairs, which the South Korean government says originated from China.
FireEye's director of cyber-espionage analysis John Hultquist told the Wall Street Journal that FireEye had detected a surge in attacks against South Korean targets from China since February, when South Korea announced it would deploy THAAD in response to North Korean missile tests. The espionage attempts have focused on organizations associated with the THAAD deployment. They have included "spear-phishing" e-mails carrying attachments loaded with malware along with "watering hole" attacks that put exploit code to download malware onto websites frequented by military, government, and defense industry officials.
FireEye claims to have found evidence that the attacks were staged by two groups connected to the Chinese military. One, dubbed Tonto Team by FireEye, operates from the same region of China as previous North Korean hacking operations. The other is known among threat researchers as APT10, or "Stone Panda"—the same group believed to be behind recent espionage efforts against US companies lobbying the Trump administration on global trade. These groups have also been joined in attacks by two "patriotic hacking" groups not directly tied to the Chinese government, Hultquist told the Journal—including one calling itself "Denounce Lotte Group" targeting the South Korean conglomerate Lotte. Lotte made the THAAD deployment possible through a land swap with the South Korean government.