New Radamant Ransomware Kit

Discussion in 'malware problems & news' started by itman, Dec 20, 2015.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    This puppy uses Windows directory:

    Files associated with the Radamant Ransomware Kit:

    %Desktop%\YOUR_FILES.url
    C:\Windows\directx.exe

    Registry entries associated with the Radamant Ransomware Kit:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost C:\Windows\directx.exe

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost C:\Windows\directx.exe

    Ref.: http://www.bleepingcomputer.com/new...re-kit-adds-rdm-extension-to-encrypted-files/
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I was thinking, normally HIPS will trust apps inside C:\Windows\, but only if they're "Microsoft signed". And EXE Radar will also block applications from running if it's not a system file.
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Yes it will. Moreover, I decided to not "Allow all software from Program Files folder" on ERP. At first time it was a nightmare of pop ups in a row but made use of Learning Mode" by opening all my stuff (spent 30 minutes doing so) now the "kid" is quiet.
     
    Last edited: Dec 21, 2015
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Notepad, explorer, and write are few .exe's in C:\Windows that are unsigned. So, not sure about the signed apps check. Also, depends on the HIPS options in this area.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I still have this option enabled, it's a risk in theory, but if the exploit can't run, it's not a big deal.

    Yes correct, but according to Andreas (developer of ERP), Windows has got a certain API that can tell you if some app belongs to the Windows OS or not. So even if they don't have a signature, security tools can still decide if the app is legit or not.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Interesting. Appears there already is existing Trojan named directx.exe: http://www.bleepingcomputer.com/startups/DirectX_Service-14356.html . Suspect malware author just modified it to run in Windows versus Windows\System32 directory.

    Don't know why malware author would create a svchost sub-key. Perhaps some AV software ignores entries created as such? Or, Bleeping hasn't fully identified it. My bets are that is the case and the bugger is indeed installed as a service; just like the prior Trojan ver. was.

    Best way to block it is HIPS rules to prevent mods to the registry keys it uses. Also if infected, don't reboot your PC until all traces are removed. The encryption of files will occur at reboot.
     
    Last edited: Dec 21, 2015
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I run ERP telling it to ignored signed apps. Also I don't automatically allow windows or program files stuff. I white listed what's there but if a new kid shows up, it needs permission. Also Appguard blocks writing to any system folders and can block access of guarded apps to data areas
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    I understand everything you've said Peter but the part "I don't automatically allow windows..."
    Do you mean you've unchecked "Allow Microsoft Windows system protected processes" box?
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I also have this feature enabled, like I said, if some app manages to write to the system folders, ERP will still block it, because Windows let's ERP know if it's a system file or not, with or without signature.
     
  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Thanks for the clarification although I still want to know Peter's reply.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes I know, I just wanted to post some general info. But it's likely that Peter2150 has indeed disabled this feature. But for convenience it's better to leave it enabled, IMO.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    If this is a resurrection of the old Trojan, it can install anywhere and can run under any name: http://www.threatexpert.com/files/DirectX.exe.html . Best way to protect against this is AV signature or HIPS registry keys blocks.

    -EDIT-

    Emsisoft has a sig for it so that is all I care about: http://www.isthisfilesafe.com/sha1/31FFA977ABC99EBCC17C64AF5C87982B7E37F6FE_details.aspx

    Also directx.exe is a signed file by guess whose cert.?

    Certificate

    Status: Valid
    Company: IT AUDIT AND COMPLIANCE SERVICES LLC
    Start: November 10, 2015
    End: November 10, 2016
    Serial: 00BB3CCAF99CC223A1AD34177B638A3BC8
    Authority: COMODO RSA Code Signing CA

    Only 10 AVs so far detect it at Virustotal. Eset is also one of them.:thumb: Interestingly, Symantec version VT uses doesn't. Perhaps a difference in Endpoint versus Norton sigs.?
     
    Last edited: Dec 22, 2015
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    MisterX I do indeed uncheck that option as it would allow anything their run

    Rasheed where did you get that information?
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    That's my opinion too now that I was re-studying my security apps and their config and potential breaches or flaws by default. Good to know I can tighten security even more with ERP.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Andreas has told me that it won't allow anything to run, if that setting is enabled. It will still block apps that are not related to the Windows OS.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay. Thanks.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    When you think about it, leaving this feature enabled has a big advantage, because if ERP blocks something from inside the system folders, you will already now that something fishy is going on.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Ask Andreas what Win API he is using that will determine if a file is a system file. The only thing I know that will do so is system file checker i.e. SFC.

    Starting with WIN 7, windows processes run in Session 0. Session 0 is reserved exclusively for services and other non-interactive user applications. Users who are logged on to Windows and their user applications must run in Session 1 or higher.

    However, session level can be overridden using software such as PSEXEC as noted below:

    To launch cmd.exe in session 0, use psexec from Sysinternals.

    psexec.exe -s 0 cmd.exe

    Now you have a console running in session 0,

    you can also start cmd.exe in session 0 and display GUI:


    psexec.exe -s -i 0 cmd.exe

    that way when you switch to session 0, the cmd.exe will be waiting for you there.

    You have as many rights as you can get in Windows 7 using PSEXEC.

    Ref. http://superuser.com/questions/426868/interactive-session-0-in-windows-7

    -EDIT- The version of PCEXEC the hackers use is PS2EXEC. You can read about it here: https://www.wilderssecurity.com/thre...powershell-malware.380590/page-3#post-2549580
     
    Last edited: Dec 23, 2015
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yep, Fabian and Emsisoft are awesome indeed.
     
  22. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    If you mean file verification, then most likely a similar method to what is shown here.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    All that is doing is validating if a file is signed. Many files in %Windows% are not signed. Files in %Windows\System32 or SysWow6432 should be signed but not all are MS signed; e.g. graphic card driver files. Malware can also be signed.
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Exactly and this posses a huge problem. Suffice reason for me to not allow Programs Folders and Windows system protected processes in ERP
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Here is some more info. I think that with these API's, security tools can figure out of it's a "Windows Protected File" or not. I'm not sure if you can classify these files as "Microsoft signed", but I believe SpyShelter also uses this method to figure out if a .exe file is legit or not.

    https://msdn.microsoft.com/en-us/library/windows/desktop/aa382536(v=vs.85).aspx
    https://technet.microsoft.com/it-it/sysinternals/jj919409#

    Wrong, at least when it comes to the Windows system folder, I already explained, see above.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.