Fantom Ransomware: Windows Update Disguise

A new ransomware family called Fantom has been discovered that disguises itself as a Windows update. Like other recent ransomware variants, once executed it encrypts your files and then demands payment to decrypt them.

The ransomware is written in C#, and its code was taken from a publicly available ransomware framework. Cybercriminals use such frameworks to build new ransomware with very little effort.

To add to the deception, the file is labeled as a critical Windows update and claims to come from Microsoft, as shown in its file properties below.

[Image: file properties of the fake "critical Windows update" executable]

Take note that Microsoft never delivers Windows Updates as a standalone executable file.

When executed, Fantom extracts and runs a second file named WindowsUpdate.exe, which displays a fake update screen like the one in the image below.

[Image: fake Windows update screen displayed by WindowsUpdate.exe]

The progress percentage shown is purely cosmetic; the ransomware encrypts files in the background while it is displayed.

A snip from WindowsUpdate.exe program:

[Image: code snippet from the WindowsUpdate.exe program]

The Fantom ransomware code contains the following methods:

  • extractResource(string embeddedFileName, string destinationPath)
  • GetInt(RNGCryptoServiceProvider rnd, int max)
  • CreatePassword(int length)
  • RandomRansom(int length)
  • AES_Encrypt(byte[] bytesToBeEncrypted, byte[] passwordBytes)
  • KillCtrlAltDelete()
  • RSAEncrypt(byte[] data, int keySize, string publicKeyXml)
  • SelfDeleteWinupdate()
  • SelfDelete()
  • DelBack()

[Image: Fantom ransomware method listing]

As the method names suggest, Fantom uses AES and RSA encryption to encrypt the targeted files. After encrypting a file, it appends the .fantom extension to it, and in each folder it encrypts it drops a ransom note named DECRYPT_YOUR_FILES.HTML.

[Image: DECRYPT_YOUR_FILES.HTML ransom note]

When encryption is finished, it creates three batch files named delback.bat, update.bat and update0.bat. The first deletes all shadow copies via “vssadmin delete shadows /all /quiet”. Update.bat deletes the originally executed file, and update0.bat deletes the WindowsUpdate.exe file that was extracted earlier during the infection.

Fantom also disables the Task Manager.

[Image: Task Manager disabled by Fantom]

As a final indicator of infection, it changes your wallpaper to one that displays the e-mail addresses the victim is told to contact:

fantomd12@yandex.ru or fantom12@techemail.com


ThreatAnalyzer – Malware Sandbox Analysis

When the sample is executed in our malware analysis sandbox, ThreatAnalyzer, the following process tree is created by the malicious executable.

[Image: ThreatAnalyzer process tree for the Fantom sample]

ThreatAnalyzer also shows the network connections the sample created.

[Image: network connections created by the Fantom sample]

The ThreatAnalyzer Behavioral Determination Engine flags this as a 90% malicious file.

[Image: ThreatAnalyzer Behavioral Determination Engine verdict]

One notable behavior common to ransomware is the deletion of shadow copies, which prevents easy restoration of files from Windows' own backups.

[Image: vssadmin shadow copy deletion captured by the sandbox]

Fantom accomplishes this by executing one of the batch files it dropped (delback.bat).

[Image: contents of the dropped batch file]
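The dropped batch files and the vssadmin shadow-copy deletion described above are useful detection hooks. The following Python, added here as an example and not code from the original post or from ThreatTrack's products, scans constructed Sysmon-style process-creation command lines for the Fantom indicators named on this page (WindowsUpdate.exe run from a user-writable path, the delback/update batch files, and vssadmin shadow deletion); the sample events and rule names are hypothetical.

```python
import re

# Constructed sample events, not real telemetry: (event_id, command_line).
SAMPLE_EVENTS = [
    (1, r"C:\Users\victim\Downloads\criticalupdate01.exe"),
    (2, r"C:\Users\victim\AppData\Local\Temp\WindowsUpdate.exe"),
    (3, r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\delback.bat"),
    (4, "vssadmin delete shadows /all /quiet"),
    (5, r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\update.bat"),
    (6, r"C:\Windows\System32\svchost.exe -k netsvcs"),
    (7, r"C:\Windows\System32\wuauclt.exe /detectnow"),   # real update client
]

# A genuine Windows Update component never runs from these locations.
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|ProgramData)\\", re.IGNORECASE)

# (rule name, severity, predicate over the command line)
RULES = [
    ("vssadmin_shadow_delete", "high",
     lambda c: re.search(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", c, re.I) is not None),
    ("fake_windowsupdate_exe", "medium",
     lambda c: re.search(r"\\WindowsUpdate\.exe\b", c, re.I) is not None
     and USER_WRITABLE.search(c) is not None),
    ("fantom_batch_dropper", "medium",
     lambda c: re.search(r"\b(delback|update0?)\.bat\b", c, re.I) is not None
     and USER_WRITABLE.search(c) is not None),
]


def scan(events):
    """Return (event_id, rule, severity) for every event that trips a rule."""
    hits = []
    for event_id, cmdline in events:
        for name, severity, predicate in RULES:
            if predicate(cmdline):
                hits.append((event_id, name, severity))
    return hits


def verdict(hits):
    """Escalate when shadow deletion is seen together with the dropper indicators."""
    names = {rule for _, rule, _ in hits}
    if "vssadmin_shadow_delete" in names and names & {"fake_windowsupdate_exe", "fantom_batch_dropper"}:
        return "ransomware_chain"
    if "vssadmin_shadow_delete" in names:
        return "shadow_deletion_only"
    return "suspicious" if hits else "clean"
```

Shadow-copy deletion on its own still deserves an alert, which is why the verdict keeps it separate rather than requiring the full chain.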

How to Prevent Ransomware Infections

To prevent ransomware, we recommend blocking it as early as possible in its infection chain. Here are some tips:

  • Always keep your operating system, applications and security products patched and up to date
  • Take precaution when opening attachments, especially when sent by an unknown sender
  • Never enable VBA macros by default for any Microsoft Office application. Some macro malware even tells you how to enable macros, or misleads you into doing so.
  • Deploy solutions that protect you from sophisticated and pervasive threats like ransomware, including advanced endpoint protection like VIPRE Endpoint Security, a malware behavior analysis tool like ThreatAnalyzer, and solutions to detect and disrupt active cyber attacks like ThreatSecure
  • Regularly back up your data

Hashes:

  • fec89e9d2784b4c015fed6f5ae558e08 – WindowsUpdate.exe (Trojan.Win32.Generic!BT)
  • 4ac83757ebf7acd787f732aa398e6d53 – criticalupdate01.exe (Trojan.Win32.Generic!BT)
  • 7d80230df68ccba871815d68f016c282 – criticalupdate01.exe (Trojan.Win32.Generic!BT)

The post Fantom Ransomware: Windows Update Disguise appeared first on ThreatTrack Security Labs Blog.