Picture Perfect: CryLocker Ransomware Uploads User Information as PNG Files

By Kawabata Kohei, Joseph C. Chen, and Jeanne Jocson

Taking advantage of legitimate sites for command-and-control (C&C) purposes is typically done by most malware to avoid rousing suspicion from their targets. While most ransomware directly sends the gathered information to their designated C&C servers, there are some variants that slightly differ. CuteRansomware, for instance, uses Google Docs to pass information from the infected system to the attackers.

One of the latest ransomware families, CryLocker (detected as RANSOM_MILICRY.A), does the same by taking advantage of Imgur, a free online image hosting site that allows users to upload and share photos to their contacts. During our monitoring of activities related to exploit kits, we spotted both Rig and Sundown distributing this threat.

This is the first time we saw the use of Portable Network Graphics (PNG) files to package the information harvested from the infected system. The PNG file is also the means for cybercriminals to track their victims. After gathering the information from the user’s system, this ransomware sends the PNG files to an Imgur album. The perpetrators primarily employed this tactic to evade detection and remain hidden on the system. We’ve already notified Imgur regarding CryLocker’s unscrupulous practice on their service.

Figure 1. Screenshot of the victim data packaged as .PNG file and sent to an Imgur album.

Arrival method and analysis

A malvertising (malicious advertising) campaign was found to be distributing this ransomware through Rig exploit kit last September 1. From September 2 onwards, this campaign stopped pushing this threat as their payload. Upon closer inspection to the uploaded PNG files in Imgur, the initial information we spotted there was encrypted as early as August 25.

Figures 2-3. Traffic of Sundown and Rig exploit kits

We spotted the Sundown exploit kit distributing the ransomware through malvertising last
September 5, but introduced a few changes. For example, the attackers change the desktop wallpaper to the ransom note that they call “CryLocker.” As of posting, the total victim information stolen has increased to 8,000.

Figure 4. Number of uploaded victim info in the C&C (Aug 25-Sept 5, 2016)

Figure 5. CryLocker’s ransom note

Based on our analysis, CryLocker changes the file extension of encrypted files to *.CRY. This is similar to the file extension that Buddy Ransomware uses. However, the similarity is limited to that characteristic as our analysis of the two ransomware shows that their file structures are different.

Interestingly, this ransomware creates copies of the files that it targets to encrypt before it deletes the original files. The use of disk recovery tools can recover the encrypted files, but the file size should be less than 20MB.

Some of the information that CryLocker gathers are the users’ WiFi Access Point information (Mac, SSID, SS, etc.) It also attempts to get the users’ geolocation or browser location through the Google Maps Geolocation API. It checks if the file C:\Temp\lol.txt exists and if it does, the malware does not encrypt any files. Other routines like deleting shadow copies and displaying the ransom notes are still done once the file is found. We saw this routine in the new samples (SHA1: 4bf164e49e4cb13efca041eb154aae1cf25982a8), which makes us wonder if the attackers forgot to strip the said features or source codes or if it’s really done on purpose.

It also gets the keyboard layout by calling windows API, GetKeyboardLayoutList. It then checks the system’s language identifier. It does not exhibit any ransomware-related behavior and will just exit the system if the following languages are detected:

Belarusian
Kazakh
Russian
Sakha
Ukrainian
Uzbek

This kind of ‘filtering’ routine was previously implemented by Andromeda bot.

Figure 6. Code snippet of the API, GetKeyboardLayoutList

Looking deeper into the threat’s C&C communications

As previously mentioned, this malware attempts to send information from the system to a specific album in Imgur. If this fails, it sends the data to pastee.org, a paste tool service similar to Pastebin. However, its server seems to be offline as of posting.

Another alternative is sending it to a certain IP address via UDP (port 4444) when sending to Imgur or Pastee does not work properly or if the data size is small.

Figure 7. The malware tries to send information from the infected system to Pastee.org

Upon checking the network traffic, the hit to pastee.org/submit and imgur.com/upload/checkcaptcha both contain a malformed user agent.

Figure 8. Network traffic showing a malformed user agent

The malware developers did not follow the proper PNG file format and header, which makes it malformed. Although the PNG file has a valid file header, it does not contain an image but the system information as ASCII strings. This tactic is different from another technique called steganography, which hides secret messages; in the case of cybercrime, hidden files or information.

Figure 9. No image can be previewed from the PNG file.

Best practices

Cybercriminals commonly take advantage of the loopholes of legitimate websites and cloud services to conceal their identity and operations. Given that, it is critical for these services to strengthen their security guidelines and restriction policies. In this case, it’s recommended for image hosting services to add a step in the upload process to check if the image file type is what they really are. This means that if the PNG files are malformed, the system can identify and reject them automatically.

Trend Micro protects businesses and users from this threat by detecting the malicious file and blocking the related malicious URLs. Our solutions can block CryLocker at the exposure layer and prevent it from doing any damage. We also offer other layers of protection for endpoints, networks, and servers.

TippingPoint customers are protected from this attack with the following MainlineDV filter:

39144: HTTP: Ransom_Milcry.A Checkin – to be released on Sept 13, 2016

The malicious network activities of this threat can be detected via the following Deep Discovery rule:

2131: RIG – Exploit Kit – HTTP(Request) – Variant 3

PROTECTION FOR ENTERPRISES

Email and Gateway Protection

Trend Micro Cloud App Security, Trend Micro^TM Deep Discovery^TM Email Inspector and InterScan^TM Web Security address ransomware in common delivery methods such as email and web.

Spear phishing protection

Malware Sandbox

IP/Web Reputation

Document exploit detection

Endpoint Protection

Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.

Ransomware Behavior Monitoring

Application Control

Vulnerability Shielding

Web Security

Network Protection

Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.

Network Traffic Scanning

Malware Sandbox

Lateral Movement Prevention

Server Protection

Trend Micro Deep Security^TM detects and stops suspicious network activity and shields servers and applications from exploits.

Webserver Protection

Vulnerability Shielding

Lateral Movement Prevention

PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS

Protection for Small-Medium Businesses

Trend Micro Worry-Free^TM Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.

Ransomware behavior monitoring

IP/Web Reputation

Protection for Home Users

Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

IP/Web Reputation

Ransomware Protection

Related SHA1 hashes to this attack: