A new ransomware called Fantom has been discovered that disguises itself as a Windows update. When executed, like other recent ransomware variants, it encrypts your files and then demands payment to decrypt them.
The ransomware was written in C#. Its code was taken from a publicly available ransomware framework, which cybercriminals use to their advantage to create ransomware easily.
To add to the deception, the file is labeled as a critical Windows update and its properties claim it is from Microsoft, as shown below.
Take note that you will never receive Windows Updates as an executable file.
Fantom, when executed, extracts and executes another file named WindowsUpdate.exe, which displays a fake update screen like the one in the image below.
The percentage shown is just for show while the ransomware does its work in the background.
A snippet from the WindowsUpdate.exe program:
Fantom's code uses the following methods:
- extractResource(string embeddedFileName, string destinationPath)
- GetInt(RNGCryptoServiceProvider rnd, int max)
- CreatePassword(int length)
- RandomRansom(int length)
- AES_Encrypt(byte[] bytesToBeEncrypted, byte[] passwordBytes)
- KillCtrlAltDelete()
- RSAEncrypt(byte[] data, int keySize, string publicKeyXml)
- SelfDeleteWinupdate()
- SelfDelete()
- DelBack()
As the method names suggest, Fantom uses AES and RSA encryption to encrypt the targeted files. After encrypting a file, it appends the .fantom extension to it. In each folder it encrypts, it creates a DECRYPT_YOUR_FILES.HTML ransom note.
When encryption is finished, it creates three batch files named delback.bat, update.bat and update0.bat. The first deletes all shadow copies via “vssadmin delete shadows /all /quiet”. update.bat deletes the executed file, and update0.bat deletes the WindowsUpdate.exe file created earlier in the infection.
Fantom also disables the Task Manager.
As a final indicator that you have been infected, it changes your wallpaper to one that displays the e-mail address the victim is to contact.
ThreatAnalyzer – Malware Sandbox Analysis
When the sample is executed in our malware analysis sandbox, ThreatAnalyzer, the process tree below is created by the malicious executable.
It also shows the network connections it created.
The ThreatAnalyzer Behavioral Determination Engine flags this as a 90% malicious file.
One notable behavior common to ransomware is deleting shadow copies to prevent easy restoration of the system from Windows backups.
Fantom accomplishes this by executing one of the batch files it dropped.
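As an added example (not code from the original post or from ThreatTrack), here is a small Python detector that applies the behaviors described above to process-creation events. The key=value event format, the sample events, the file paths and the assumption that a legitimate WindowsUpdate.exe never runs from a user-writable path are constructed for this example and do not come from the post.

```python
import re

# Constructed sample process-creation events in a simple key=value format
# (loosely modelled on Sysmon Event ID 1 fields; not real Fantom telemetry).
SAMPLE_EVENTS = [
    "Image=C:\\Users\\alice\\Downloads\\criticalupdate01.exe|CommandLine=criticalupdate01.exe|ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\WindowsUpdate.exe|CommandLine=WindowsUpdate.exe|ParentImage=C:\\Users\\alice\\Downloads\\criticalupdate01.exe",
    "Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\delback.bat|ParentImage=C:\\Users\\alice\\Downloads\\criticalupdate01.exe",
    "Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin delete shadows /all /quiet|ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe report.txt|ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin list shadows|ParentImage=C:\\Windows\\System32\\cmd.exe",
]

# Shadow-copy deletion as described in the post; "vssadmin list shadows" must not fire.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# The three batch file names the post attributes to Fantom.
FANTOM_BATCH = re.compile(r"(?:^|[\\\s])(delback|update0?)\.bat\b", re.IGNORECASE)


def parse_event(line):
    """Split 'k=v|k=v' into a dict; malformed parts are ignored."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def classify(event):
    """Return the names of the detections that fire for one parsed event."""
    hits = []
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").lower()
    if SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    if FANTOM_BATCH.search(cmd):
        hits.append("fantom_batch_file")
    # Assumption: Windows Update is never delivered as a user-land WindowsUpdate.exe,
    # so that image name outside C:\Windows is treated as a fake updater.
    if image.endswith("\\windowsupdate.exe") and not image.startswith("c:\\windows\\"):
        hits.append("fake_windows_update_binary")
    return hits


def scan(lines):
    """Map each suspicious event's CommandLine to its detections; clean events are dropped."""
    results = {}
    for line in lines:
        event = parse_event(line)
        hits = classify(event)
        if hits:
            results[event.get("CommandLine", line)] = hits
    return results
```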
Prevent Ransomware Infections?
To prevent ransomware, we recommend blocking it early, at the root of its infection chain. Here are some tips:
- Always keep your operating system, applications and security products patched and up to date
- Take precaution when opening attachments, especially when sent by an unknown sender
- Never enable VBA macros by default for any Microsoft Office application. Some macro malware even tells you how to enable macros or tries to mislead you into doing so.
- Deploy solutions that protect you from sophisticated and pervasive threats like ransomware, including advanced endpoint protection like VIPRE Endpoint Security, a malware behavior analysis tool like ThreatAnalyzer, and solutions to detect and disrupt active cyber attacks like ThreatSecure
- Regularly back up your data
Hashes:
- fec89e9d2784b4c015fed6f5ae558e08 – WindowsUpdate.exe (Trojan.Win32.Generic!BT)
- 4ac83757ebf7acd787f732aa398e6d53 – criticalupdate01.exe (Trojan.Win32.Generic!BT)
- 7d80230df68ccba871815d68f016c282 – criticalupdate01.exe (Trojan.Win32.Generic!BT)
The post Fantom Ransomware: Windows Update Disguise appeared first on ThreatTrack Security Labs Blog.