TeslaCrypt Ransomware Arrives via Neutrino Exploit Kit

Mar 15, 2016

This post was written by Sriram P. and Varadharajan Krishnasamy.

TeslaCrypt is a ransomware family that encrypts files and extorts money from its victims for the decryption key. Like other ransomware variants, TeslaCrypt propagates through a wide range of spam campaigns and is also dropped by other malware and exploit kits, including:

  • W97M/Downloader
  • JS/Nemucod
  • Angler exploit kit
  • Neutrino exploit kit
  • Generic downloaders

Last week, McAfee observed a new delivery chain in which the Neutrino exploit kit downloads TeslaCrypt through an intermediate downloader.

Like other exploit kits, Neutrino redirects users to a malicious landing page that hosts exploit files targeting various vulnerabilities. The redirector link may arrive via email as part of a spam campaign.

Once an exploit succeeds, the kit drops a Trojan downloader and executes it on the victim's machine. The downloader then starts generating random-looking domain names and contacts a remote server with the following request parameters.

[Screenshot: HTTP request to the remote server carrying the _wv= parameter]

The query parameter "_wv" carries the Base64 string "ZW50ZXI=", which decodes to the command "enter".

The server responds with a 404 error page. The reply to the "enter" command is hidden in an HTML comment on that page, again Base64-encoded (`<!--c3VjY2Vzcw==-->`), which decodes to the response "success".

[Screenshot: 404 response page with the Base64-encoded reply in an HTML comment]

Upon receiving the success message, the malware sends a second request using the same cookie and User-Agent header, this time carrying encoded check-in data.

[Screenshot: second HTTP request carrying the encoded check-in data]

The encoded data has the following format:

cmd&<GUID of machine>&<logged-in username>:<system name>:<domain name>&<Windows version and platform>&<AV product info>&<date and time of execution>

The compromised machine receives another 404 error page. Its HTML comment, once decoded, contains a download link from which the downloader fetches a TeslaCrypt variant hosted on the remote server.

[Screenshot: 404 response page containing the encoded LOADER download link]

The decoded comments section has the following format:

<random ldap timestamp>#<>#<>#LOADER hxxp://103.*****.148/*****.exe#
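The following Python module, an added example that is not McAfee's code or the malware author's, decodes the three stages of the exchange described above (the `_wv` parameter, the Base64 reply hidden in a 404 page's HTML comment, and the `LOADER` line) and splits the `&`-separated check-in string into named fields. The parameter name, the comment channel, the check-in layout and the LOADER format come from the post; the request path, the sample GUID, username, host, AV string and timestamp are constructed stand-ins, and the sample URL keeps the post's redaction. The post does not describe how the check-in data is encoded on the wire, so `parse_checkin` works on the decoded plaintext only.

```python
"""Decoders for the TeslaCrypt downloader's C2 exchange described in this post.

Added example, not McAfee's or the malware author's code. Field layouts come
from the post; hostnames, paths, GUID and timestamps below are constructed.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed samples modelled on the exchange in the post (path is assumed).
SAMPLE_REQUEST_LINE = "GET /?_wv=ZW50ZXI= HTTP/1.1"
SAMPLE_ENTER_RESPONSE = (
    "<html><head><title>404 Not Found</title></head><body>\n"
    "<h1>Not Found</h1>\n<!--c3VjY2Vzcw==-->\n</body></html>"
)
# Constructed plaintext in the post's LOADER format; the URL keeps the post's redaction.
LOADER_PLAINTEXT = "131023456789012345#<>#<>#LOADER hxxp://103.*****.148/*****.exe#"
SAMPLE_LOADER_RESPONSE = (
    "<html><body><h1>Not Found</h1>\n<!--"
    + base64.b64encode(LOADER_PLAINTEXT.encode()).decode()
    + "-->\n</body></html>"
)
# Constructed check-in string (GUID, user, host, domain, OS, AV, time are made up).
SAMPLE_CHECKIN = ("cmd&{8F3A1C2E-0000-0000-0000-000000000001}&alice:WS01:CORP"
                  "&Windows 7 x86&ExampleAV 1.0&2016-03-08 10:15:00")

# A Base64 blob sitting alone inside an HTML comment.
COMMENT_RE = re.compile(r"<!--\s*([A-Za-z0-9+/=]+)\s*-->")


def _b64_text(blob: str) -> Optional[str]:
    """Strict Base64 decode to UTF-8 text; None on any error."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_wv_command(request_line: str) -> Optional[str]:
    """Decode the '_wv' query parameter of a request line ("enter" in the post)."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    # Split the query by hand: parse_qs would turn a Base64 '+' into a space.
    for pair in urlsplit(parts[1]).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "_wv":
            return _b64_text(value)
    return None


def decode_comment_payloads(html: str) -> list[str]:
    """Decode every Base64 blob hidden in an HTML comment of a 404 page."""
    decoded = (_b64_text(blob) for blob in COMMENT_RE.findall(html))
    return [text for text in decoded if text is not None]


@dataclass
class LoaderResponse:
    timestamp: str          # the leading "<random ldap timestamp>" field
    extra_fields: list[str] # the "<>" fields between timestamp and LOADER
    payload_url: str        # the download link after "LOADER "


def parse_loader_response(decoded: str) -> Optional[LoaderResponse]:
    """Parse '<timestamp>#<>#<>#LOADER <url>#' into its parts; None if no match."""
    fields = decoded.split("#")
    if len(fields) < 3 or not fields[0].isdigit():
        return None
    for index, item in enumerate(fields[1:], start=1):
        if item.startswith("LOADER "):
            url = item[len("LOADER "):].strip()
            return LoaderResponse(fields[0], fields[1:index], url) if url else None
    return None


def parse_checkin(data: str) -> Optional[dict]:
    """Split the '&'-separated check-in plaintext into named fields."""
    parts = data.split("&")
    if len(parts) != 6 or parts[0] != "cmd":
        return None
    user, _, rest = parts[2].partition(":")
    host, _, domain = rest.partition(":")
    return {"guid": parts[1], "user": user, "host": host, "domain": domain,
            "os": parts[3], "av": parts[4], "executed_at": parts[5]}


def walk_sample_exchange() -> Optional[str]:
    """Run the decoders over the constructed samples; return the payload URL."""
    if decode_wv_command(SAMPLE_REQUEST_LINE) != "enter":
        return None
    if "success" not in decode_comment_payloads(SAMPLE_ENTER_RESPONSE):
        return None
    for text in decode_comment_payloads(SAMPLE_LOADER_RESPONSE):
        loader = parse_loader_response(text)
        if loader:
            return loader.payload_url
    return None


if __name__ == "__main__":
    print(walk_sample_exchange())
```

Run over a proxy log or PCAP extract, `decode_comment_payloads` is the useful detection hook: a legitimate 404 page has no reason to carry a lone Base64 blob in an HTML comment, and one that decodes to a line containing `LOADER` followed by an executable URL is a strong indicator of this downloader.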

After successful execution, TeslaCrypt encrypts files in the victim’s machine and demands money to decrypt them.

We have seen the following domain names associated with this malware:

  • nutqauytva100azxd.com
  • nutqauytva11azxd.com
  • nutqauytva513xyzf11zzzzz0.com
  • nutr3inomiranda1.com
  • nutqauytva9azxd.com

These domains are already flagged by McAfee SiteAdvisor as malicious.


How to prevent this infection:

  • In spite of the availability of patches for known vulnerabilities such as CVE-2015-2419 (Internet Explorer) and CVE-2015-7645 (Adobe Flash), this exploit kit still targets these weaknesses. McAfee recommends that users install the latest patches for Internet Explorer, Adobe Flash, and other browser plug-ins.
  • We advise all users to be extra careful when opening unsolicited emails and clicking unknown links.
  • We strongly advise all users to block the preceding domain names.

McAfee products detect these TeslaCrypt variants as “Ransom-Tescrypt!<Partial hash>.”
