Introducing: Ransomware Tracker

Two years have passed since I published my last project, SSLBL. The past years have been very busy, so I couldn’t find any time either to expand existing projects or to come up with new ones. However, in the past months I’ve seen so many people becoming victims of Ransomware, which motivated me to spend my time on a new project. Today I’m happy to announce my newest project, introducing: Ransomware Tracker.

Ransomware Tracker
The purpose of Ransomware Tracker is:

  • Providing an overview of the internet infrastructure used by cybercriminals for their Ransomware operations
  • Providing hosting and internet service providers (ISPs), law enforcement agencies (LEA) and national CERTs/CSIRTs with intel on such infrastructure within their constituency
  • Offering blocklists for internet users, enterprises, antivirus vendors and security solution providers
  • Giving internet users and enterprises a brief overview of Ransomware mitigation strategies

At the moment, Ransomware Tracker tracks the following Ransomware families:

  • CryptoWall
  • TeslaCrypt
  • TorrentLocker
  • PadCrypt
  • Locky
  • CTB-Locker
  • FAKBEN

More Ransomware families will be added to Ransomware Tracker in the future.
As with all of my tracking projects, Ransomware Tracker needs as much data as possible. New submissions for Ransomware Tracker are warmly welcome. You can send new additions to rt-RintANel@abuse.ch (remove all letters in uppercase). Malware binaries that you suspect to be associated with a certain Ransomware family can be sent to rt-malwSOareM@abuse.ch (remove all letters in uppercase) for analysis.

I also want to thank Shadowserver for donating a hosting plan for Ransomware Tracker. In addition, I would like to thank My Online Security, TechHelpList.com and Dynamoo for their blogging efforts about new malware campaigns.

Spam Runs In Switzerland Spreading Tinba (Fake MMS and Job Applications)

Since yesterday there have been several massive spam runs distributing Tinba in Switzerland. Tinba (also known as Tinybanker, Illi and Zusy) is an ebanking Trojan that has been around for a few years now. While most of the Tinba versions I usually come across utilise a Domain Generation Algorithm (DGA) to calculate the current botnet Command&Control (C&C) domain, the version of Tinba that has been spread in Switzerland since yesterday uses hard-coded botnet C&C domains.

Since yesterday, I have observed three distinct spam runs in Switzerland. The first one started on Jan 27, 2015 in the morning:

Tinba Spamrun 1

The spam emails pretend to be from generic bluewin.ch email addresses (bluewin.ch is a big free email service provider in Switzerland). However, if you look at the email headers it’s clear that the email is not coming from bluewin.ch itself, but from broadband lines all over the world (likely a botnet). The subject line looked like this:

  • IMGXXXXXX
  • BildXXXXXX

… where X refers to a random digit, for example IMG402302.

The first spam run of today pretended to be from a Swiss telecom provider called Orange (orange.ch):

Tinba Spamrun 2

Just like the spam run from yesterday, the emails are not really originating from orange.ch, but from broadband lines located all over the world. The spammers used different subjects:

  • Multimedia-Nachricht: XXXXXX
  • MMS Id: XXXXXX
  • MMS-Nachricht: XXXXXX
  • Multimedianachricht: XXXXXX

… where X refers to a random digit, for example Multimedia-Nachricht: 415465 and MMS Id: 446869.

The most recent spam run I could observe today was a bit different. Instead of pretending to be an MMS from Orange, the spam emails claim to be an application for an open job position:

Tinba Spamrun 3

Obviously, these spammers have some difficulties with the German umlauts (öäü), which makes the email quite suspect. This time, the spam emails were forged to look like they were sent from GMX.ch (another big free email service in Switzerland and Germany). The subject line looks like this:

  • an sekretariat
  • AW: an sekretariat
  • AW: Bewerbung
  • Bewerbung
  • Fwd: an sekretariat
  • Re: an sekretariat
  • sekretariat
  • WG: an sekretariat
  • WG: Bewerbung

Let’s take a closer look at the sending IP addresses. If we match them against the Spamhaus CBL, it turns out that they are all Cutwail-infected IPs:

$ grep -F -f ips.txt spamhaus_ecbl
122.52.217.71,AS9299,PH,cutwail
14.161.47.15,AS45899,VN,cutwail
203.146.176.122,AS4750,TH,cutwail
213.209.214.206,AS21309,IT,cutwail
69.79.224.18,AS23520,US,cutwail
78.189.19.41,AS9121,TR,cutwail
86.110.154.18,AS21309,IT,cutwail
[…]

If we take a look at the attachments spread using these spam runs, we see that multiple malware binaries have been spread:

IMG_0927886_27_01_2015.zip MD5 dededad4a9979aa4f23b56bf2c038e17
-> IMG_8703219_27_01_2015.jpeg.exe MD5 2b31753f4650673f76dc17c251d21e71

IMG-27012014-WA0057.zip MD5 f399947a97bcaf1b561b196e9966639d
-> IMG-27012014-WA0015.jpg.exe MD5 5b4d91a1e98f8fdbbfd210d91a8435f9

Doc_Bewerbung-Januar2015.docx.zip MD5 5d2d057c4913be8e1ddb7187ea254491
-> Doc_Bewerbung-Januar2015.docx.exe MD5 5b4d91a1e98f8fdbbfd210d91a8435f9

As mentioned earlier in this post, the malware being spread through these spam runs appears to be a non-DGA version of Tinba. The malware itself calls out to one of the following botnet Command&Control servers (C&Cs):

hXXp://serfanteg.ru/gr/ (91.220.131.216 – AS44050 PIN-AS, Russia)
hXXp://f7huiyop.ru/gr/ (sinkholed)
hXXp://midnightadvantage.ru/pe/ (91.220.131.61 – AS44050 PIN-AS, Russia)
hXXp://t78hftuhi.ru/pe/ (sinkholed)

I recommend blocking the mentioned domains (serfanteg.ru, midnightadvantage.ru) and IPs (91.220.131.216, 91.220.131.61) at your network’s edge. In general, 91.220.131.0/24 looks quite suspect, so you may want to block the whole netblock. In addition, it would be good advice to block filenames with multiple file extensions (e.g. .docx.exe and .docx.zip) on your email gateway.
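One way to implement the multiple-extension rule recommended above on a mail gateway, as an added Python example that is not part of the original post. The extension sets and the verdict names (allow, quarantine, block) are assumptions to be tuned to local policy; the sample names are the attachment names from the spam runs above.

```python
# Gateway rule for attachment names with multiple extensions (e.g. .docx.exe).
# Extension sets are assumptions for this example; tune them to local policy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "xls", "xlsx"}
CONTAINER_EXTS = {"zip", "rar", "7z"}
RANK = {"allow": 0, "quarantine": 1, "block": 2}

def split_extensions(filename):
    """Lower-cased extension chain: 'a.docx.exe' -> ['docx', 'exe']."""
    return filename.lower().split(".")[1:]

def classify_attachment(filename):
    """Return (verdict, reason) for a single attachment name."""
    exts = split_extensions(filename)
    if not exts:
        return ("allow", "no extension")
    outer, inner = exts[-1], exts[:-1]
    decoy = inner[-1] if inner and inner[-1] in DECOY_EXTS else None
    if outer in EXECUTABLE_EXTS:
        if decoy:
            return ("block", f"executable disguised as .{decoy}")
        return ("block", "executable attachment")
    if outer in CONTAINER_EXTS and decoy:
        return ("quarantine", f"archive disguised as .{decoy}")
    return ("allow", "no multiple-extension pattern")

def classify_archive(archive_name, member_names):
    """Check an archive and the names inside it; the strictest verdict wins."""
    worst = classify_attachment(archive_name)
    for member in member_names:
        verdict, reason = classify_attachment(member)
        if RANK[verdict] > RANK[worst[0]]:
            worst = (verdict, f"{member}: {reason}")
    return worst

if __name__ == "__main__":
    # Constructed sample: the archive/member names seen in the spam runs above.
    samples = {
        "IMG_0927886_27_01_2015.zip": ["IMG_8703219_27_01_2015.jpeg.exe"],
        "Doc_Bewerbung-Januar2015.docx.zip": ["Doc_Bewerbung-Januar2015.docx.exe"],
        "Bewerbung.pdf": [],
    }
    for archive, members in samples.items():
        print(archive, classify_archive(archive, members))
```

Note that the outer .zip in the first sample is unremarkable on its own; the verdict comes only from inspecting the archive members, which is why the check must run on the extracted names and not just the attachment name.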
