As expected, the attackers have now come up with a new twist to step up TeslaCrypt infections through\u00a0a very strong spam campaign.\u00a0<\/strong>The attackers are consistently offering more sophisticated malware and social engineering techniques to distribute it. As a consequence, TeslaCrypt has become one of the most prevalent and hazardous threats in circulation.<\/p>\n The new spam campaign contains a .zip file as an attachment. The .zip contains a malicious JavaScript file to evade detection from some email scanners and maximize its outreach. The contents of the email are carefully crafted to lure victims\u00a0using social engineering techniques.<\/p>\n The contents of the JavaScript\u00a0file are highly obfuscated and contain a lot of junk code.<\/p>\n After deobfuscating the contents, the\u00a0code tries to download an executable from whatdidyaysay.com or iamthewinnerhere.com and stores it in the %TEMP% location.<\/p>\n Just one week after Nemucod, we saw new variants of W97M\/Downloader also downloading Teslacrypt. The spam email contains a document file attachment or a .zip attachment containing a document file. Using a fake invoice, attackers try to convince users into opening an attached .doc file.<\/p>\n To an unsuspecting user this email\u00a0looks like a legitimate urgent notice about an unpaid invoice, but after taking a closer look we realize it could be a phishing email. The macro code inside attached .doc looks like this:<\/p>\n The new variant is TeslaCrypt Version 2.2.0. This version encrypts users’ files and appends the filenames with a .vvv extension. The file extension changes regularly. (The previous version of TeslaCrypt used the file extension .ccc.) TeslaCrypt encrypts files using RSA-4096. The malware also drops two files on the victim\u2019s machine\u2014one plain-text file and an HTML file\u2014containing instructions on how to pay the ransom and receive a decryption key. The ransom message instructs the victim to install the anonymous Tor web browser and visit a Tor website for further instructions.<\/p>\n Let’s dig into the\u00a0code to understand more about this new version. Upon execution, TeslaCrypt\u00a0drops and executes a copy in %AppData% directory and deletes itself.<\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n To ensure only one instance is running, the malware\u00a0creates a mutex as “2134-1234-1324-2134-1324-2134.”<\/p>\n It then sets the EnableLinkedConnections registry to force Windows to automatically make the network drives available to both the standard and administrator accounts. This way, this ransom will be able to search and encrypt files on network drives and shares without any issues.<\/p>\n The malware\u00a0also creates an autostart registry entry to make sure its copy will be executed upon rebooting.<\/p>\n As with old TeslaCrypt variants, the new one removes the volume shadow copies from the target’s system, thereby preventing\u00a0the user from restoring the encrypted files. (Shadow copy is a technology in Windows that helps users make backup copies (snapshots) of computer files or volumes.) To delete the shadow volume copies, TeslaCrypt uses the command “vssadmin.exe Delete Shadows \/All \/Quiet.” This ransomware uses the vssadmin.exe utility to quietly delete all the shadow volume copies on the computer.<\/p>\n TeslaCrypt\u00a0next\u00a0changes boot configuration data (BCD) by using\u00a0its command-line tool (bcdedit.exe) to disable some features, so victims\u00a0will have a hard time restoring or recovering encrypted files. BCD is a firmware-independent database for boot-time configuration data. It performs the following:<\/p>\n The remote server and configuration details are all encrypted in its body. The ransomware decrypts them first before attempting to connect to them. The following are the decrypted remote URLs found on the sample we analyzed:<\/p>\n This ransomware\u00a0created three malicious threads to perform the following:<\/p>\n The malware starts by calling the GetLogicalDriveStringsW API and lists all available drives in the system. It searches for the target files to encrypt in all fixed, network, and removable drives.<\/p>\n It also enumerates all network shares. Once a resource (drive or share)\u00a0is available, TeslaCrypt\u00a0searches for files to encrypt but avoids the following:<\/p>\n TeslaCrypt tries to encrypt files with the following extensions:<\/p>\n Finally, it creates three “Howto_Restore” encrypted files in the %Desktop% directory\u00a0and pop them on\u00a0the victim’s screen:<\/p>\n McAfee advises users to keep their antimalware signatures up to date at all times. McAfee products detect the malicious macro, malicious JavaScript, and the TeslaCrypt payload as W97M\/Downloader.aht and JS\/Nemucod.ao, JS\/Nemucod.ap, and Ransom-Tescrypt![Partial hash], respectively,\u00a0with DAT Versions 8025 and later.<\/p>\n This post was prepared with the invaluable assistance of Rakesh Sharma and Diwakar Dinkar.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":" During the last couple of weeks, McAfee Labs has observed a huge increase in spam related to Nemucod, a malicious…<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,76,338,180],"coauthors":[3973],"class_list":["post-46790","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybercrime","tag-endpoint-protection","tag-malware"],"acf":[],"yoast_head":"\nNemucod’s spam campaign<\/strong><\/h2>\n
![\"Dec2015Tesla-zip](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-zip-attached-email-300x290.jpg\")
<\/p>\n![\"Dec2015Tesla-obfuscated](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-obfuscated-JS-295x300.jpg\")
<\/p>\n![\"Dec2015Tesla-deobfuscatedJS\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-deobfuscatedJS-277x300.jpg\")
<\/p>\nAfter Nemucod comes W97M downloader<\/strong><\/h2>\n
![\"Dec2015Tesla-doc](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-doc-attached-email-272x300.jpg\")
<\/p>\n![\"Dec2015Tesla-extracted](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-extracted-macro-300x151.jpg\")
<\/p>\nLooking into the new TeslaCrypt<\/strong><\/h2>\n
![\"Dec2015Tesla-dropcopy\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-dropcopy-300x260.jpg\")
<\/p>\n![\"Dec2015Tesla-Mutex\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-Mutex-1-300x60.jpg\")
<\/p>\n![\"Dec2015Tesla-RegEnableLinks\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-RegEnableLinks-300x209.jpg\")
<\/p>\n![\"Dec2015Tesla-RegAutoStart\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-RegAutoStart-300x197.jpg\")
<\/p>\n![\"Dec2015Tesla-vssadmin\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-vssadmin-300x182.jpg\")
<\/p>\n\n
![\"Dec2015Tesla-bcdedit\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-bcdedit-300x80.jpg\")
<\/p>\n\n
![\"Dec2015Tesla-Cnc\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-Cnc-300x95.jpg\")
<\/div>\n\n
![\"Dec2015Tesla-checkCnC\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-checkCnC-300x68.jpg\")
<\/div>\n\n
\n
![\"Dec2015Tesla-terminate\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-terminate-269x300.jpg\")
<\/div>\n\n
![\"Dec2015Tesla-GetDrives\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-GetDrives-300x181.jpg\")
<\/div>\n
\n![\"Dec2015Tesla-network\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-network-300x86.jpg\")
<\/p>\n\n
![\"Dec2015Tesla-filesearching\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-filesearching-300x121.jpg\")
<\/div>\n![\"Dec2015Tesla-ext\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-ext-300x121.jpg\")
<\/div>\n\n
![\"Dec2015Tesla-HowTXT\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-HowTXT-300x262.jpg\")
<\/div>\n\n
![\"Dec2015Tesla-HowHTML\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-HowHTML-260x300.jpg\")
<\/div>\n\n
![\"Dec2015Tesla-HowBMP\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Dec2015Tesla-HowBMP-300x275.jpg\")
<\/div>\n