Meet Ransom32: The First JavaScript ransomware

Discussion in 'malware problems & news' started by stapp, Jan 1, 2016.

  1. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,267
    Location:
    England
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Worth noting:

    So what is NW.js exactly? NW.js is essentially a framework that allows you to develop normal desktop applications for Windows, Linux and MacOS X using JavaScript. It is based upon the popular Node.js and Chromium projects. So while JavaScript is usually tightly sandboxed in your browser and can’t really touch the system it runs upon, NW.js allows for much more control and interaction with the underlying operating system, enabling JavaScript to do almost everything “normal” programming languages like C++ or Delphi can do. The benefit for the developer is that they can turn their web applications into normal desktop applications relatively easily. For normal desktop application developers it has the benefit that NW.js is able to run the same JavaScript on different platforms. So a NW.js application only needs to be written once and is instantly usable on Windows, Linux and MacOS X.

    This also means, that at least in theory, Ransom32 could easily be packaged for both Linux and Mac OS X. That being said at this point we haven’t seen any such packages, which at least for the moment makes Ransom32 most likely Windows-only. Another large benefit for the malware author is that
    NW.js is a legitimate framework and application. So it is no surprise that even almost 2 weeks after the malware was first created, signature coverage is still incredibly bad.
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    So this thing doesn't actually use a Chrome JS sandbox escape... Rather, it repackages the Chromium browser, in a 22 MB fake screensaver file, which is actually a self-extracting RAR archive.

    Pathetic. Absolutely pathetic.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
    Not very sophisticated but I guess it does it's job. There are still enough users that will run random exe when they get one in their inbox.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    My interpretation of the Emsisoft article is this ransomware will be delivered via browser download.
     
  6. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Some of the malware attachments I get are not .exe files, they are .js files. Javascript is being used to code malware these days. Time to take script blocking seriously as an essential security measure and check which browser or app is the default .js handler. It should be sandboxed. There might be an attempt to download an executable if the .js file is run but there are many other nasty things that could be coded with javascript that don't involve that.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
    I didn't find it mentioned in article. It is delivered as self extracting WinRAR archive so a user still has to run it.

    Yes I got few of them also (encryptors). I've added JS file attachment to SRP designated file types, so they automatically get blocked.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Would you elaborate?

    I found the article confusing in this regard. It seemed more like an advertisement for their product:
    Protection should begin at the delivery point, not after the fact.

    ----
    rich
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi Rich

    From my playing with some nasties, Emsisoft products usually nail them when extracting them from the zip files. I would consider that the delivery point. Also I've found if you try and download unzip nasties they are usually stopped at that point.

    Pete
     
  10. Secondmineboy

    Secondmineboy Registered Member

    Joined:
    Jan 1, 2016
    Posts:
    83
    Location:
    Germany
    Its incredible to see so many AVs failing on this new Ransomware.

    And this is just the beginning of such stuff, soon enough Macs will have this stuff day in day out as said its universal for Linux,Mac and Windows
    computers.

    AV-Vendors need to move their engines and features to something fitting this stuff like scanning all files no matter if theyre legit or not, but that would
    end up in higher resource usage, but then again PCs get much faster the last years.
     
  11. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    @Secondmineboy

    Doesn't matter. It's social engineering, not an exploit. You have to actually download open the thing.
     
  12. Secondmineboy

    Secondmineboy Registered Member

    Joined:
    Jan 1, 2016
    Posts:
    83
    Location:
    Germany
    Maybe at some point no longer needed. :)

    They develop malware, AV Vendors develop AVs, it a cat and mouse hunt basically. AV Vendors need to stay on top otherwise they have lost.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Desktop apps have unique privileges not normally available from web apps, such as the ability to write files directly to disk. The NW.js object allows you to use such features.

    It downloads as a .scr file which is actually a self-extracting WinRAR. Chrome.exe is actually a NW.js object that will run under DOM. Hence, the difficulty of AVs detecting it.

    To date, most ransomware has arrived as a .zip or in a macro of .doc e-mail attachment.

    This also might be a factor with this malware: http://seclists.org/fulldisclosure/2015/Sep/106

    Interesting comment on this:

    LogicDaemon October 6, 2015 at 8:26 am #

    More info: this is vulnerability in OLE component of IE, and only works for unpatched machines.
    via
    http://habrahabr.ru/company/defconru/blog/267983/#comment_8597139

    I'll translate:

    To author of this thread: lukasafonov! obviously, seasoned hackers of DefconRu could not understand that it it not exploit, but script-kiddies ripped bullshit.

    Firstly, this is not a vulnerability, it's feature of Winrar to embed arbitrary HTML code. Second, the "exploit" is a remake of the CVE-2014-6332 / MS14-064 (decode the payload code from base64). Proof №1:

    https://github.com/rapid7/metasploit-framework/blob/3347b90db7e6ebc143aa9b4a46ac0da10240db17/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb.

    Here another script-kiddie R-73eN declares that he is the real author of this steep «exploit»:
    http://www.darknet.org.uk/2015/10/winrar-vulnerability-is-complete-bullshit/#comment-164931


    In fact, the real author of the vector - Chinese researcher yuange. This RCE for Microsoft Internet Explorer Windows OLE Automation Array he researched back in 2009. Proof №2:

    https://twitter.com/yuange75/status/532407606644457472.

    For those who still do not understand the essence, I try to explain on the fingers:

    1) The problem is not directly connected with WinRAR - it is a bug OLE component MSIE.
    2) Vulnerability CVE 2014-6332 works only on non-patched boxen.
    3) With the same success tons of foolish exploits can be washed in for most programs that use standard component of a Web browser (any software that is written using such IDEs as the Delphi, Visual C ++ Builder, etc).
    LTR; DR.

    Ref.: http://www.ghacks.net/2015/10/01/winrar-disclosed-self-extracting-archive-vulnerability-is-none/
     
    Last edited: Jan 2, 2016
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Pete,

    Thanks for the clarification about Emsisoft. The article didn't elaborate about how their protection works. It sounds effective.

    Nonetheless, I consider the initial delivery point to be how this malicious 22MB self-extracting ZIP file got onto the computer in the first place, which I didn't find explained in the article:
    • user error in downloading something?
    • drive-by exploit?
    It just isn't clear to me from the article. What is your sense of it?

    ----
    rich
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Probably opening a bad attachment in an email. A lot of the ones I get have .js files in them.

    Pete
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for the information. 22MB is a huge attachment!

    ----
    rich
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That sounds plausible.

    ----
    rich
     
  18. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,963
    Location:
    Brasil
    IMO browser vendors should allow only trusted publishers to run javascript scripts on the browser. The vast majority of people know nothing about computers, so the browsers must protect these users. Either the browsers, or the OS publishers.

    What I'm really afraid of is when big players (like Google or Facebook) get hacked and distribute malware through their "signed and trusted" pages.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,020
    Location:
    The Netherlands
    LOL, but what I didn't know about is that JavaScript could also be used to develop apps. Well, I did know about it, but didn't understand how. The Vivaldi developers are also using it, to build the GUI.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Continuing my reply #13 comments, again note the excerpt from the Emsisoft article:

    The malware uses the script language implemented in WinRAR to automatically unpack the content of the archive into the user’s temporary files directory and execute the “chrome.exe” file contained in the archive.
    I came across this interesting comment:

    Why go to such trouble when you could bind malware directly to the SFX archive and have that execute.

    Ref: http://www.darknet.org.uk/2015/10/winrar-vulnerability-is-complete-bullshit/

    This technique is shown here: http://web.textfiles.com/ezines/EUROHACKER/ISSUE2/a15.html

    So this new Ransom32 variant shows that the developers are getting more creative and definitely more dangerous.

     
    Last edited by a moderator: Jan 2, 2016
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039

    I hope that never happens. First I don't like software telling me what I can and can't do. 2nd, "trusted" is now a marginal things.
     
  22. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,963
    Location:
    Brasil
    Me too. That's why I, upon installing NoScript, remove every allowed website on their list. For some reason Google, Yahoo, Microsoft, Facebook, are all allowed to run. I don't like that :) I use a separate sandboxed browser to use these websites.
     
  23. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Either could potentially be hacked but I don't think it's all that likely to happen and if it did, it wouldn't last long or compromise their entire system, just some part of it. There was the Chinese hack of Google Adobe and other corporations a few years ago. http://www.wired.com/2010/01/operation-aurora/. That shows that it could indeed happen but I'm more worried about malware coming from users of Facebook and Google just using and abusing their systems. That happens all the time.
     
  24. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    It doesn't repackage Chromium. NW.js is a legit framework that is used by hundreds of applications. The framework uses Chromium to render HTML and V8/node.js to execute the code and allow to interact with existing JavaScript modules. NW.js is pretty much just like for example the .NET Framework. Just that instead of having to install the framework separately, you can bundle it all into a single executable.

    Actually, in my opinion, this was not done by amateurs. Far from it actually. December was full with new ransomware popping up everywhere and I broke more than 10 different families/variants just past month. Those were done by amateurs. Ransom32 gets the entire crypto scheme right, which believe it or not is harder than you may think. Implementing cryptography properly is a big deal and they got it right.

    Is their choice of framework and tools unusual? Yes, it is. But then again, even 4 days after I wrote the article nobody detects it. In addition, reversing this threat is a real pain, due to the way NW.js allows you to save the internal state of the JavaScript virtual machine in a binary format, to obfuscate the code. There are literally no tools available to my knowledge that can disassemble the internal representation of V8, which is the JavaScript engine that powers all of this. Not to mention that it would take less than a couple of minutes to make this work for MacOS X or Linux given the tools they use.

    It think the mistake many make is that because of the file size it must be horrible. Downloading 22 MB on my connection takes less than 2 seconds and I don't even have the fastest connection speed available around here. I doubt most of the people reading here would notice a 22 MB download going on in the background if a small 10 kb downloader or dropper chose to schedule it using BITS for example. So the file size is not prohibitive at all. May actually turn out to be beneficial, given that some tools will skip files over a certain size.

    Nope. That is just how a crook who chooses to get affiliated with Ransom32 obtains the malware. How said crook chooses to distribute the malware is entirely up to him. Exploits, mail spam, social engineering, paying botnet owners to distribute his file to already infected computers, it's completely up to them and their creativity.

    Yes, dismiss the 1000+ word analysis because I "dared" to answer the first question any of our customers will ask the moment they stumble upon this article in our company blog. :rolleyes:

    Wouldn't help in this case.

    Using WinRAR SFX archives is not a creative method to deliver malware and has been in use for over a decade. The majority of the more crappy Bitcoin miners were delivered this way. It's also not new for ransomware. Check out this example from 4 years ago:

    http://blog.emsisoft.com/2012/04/11...family-ransomware-targetting-windows-servers/

    In the end it is just the default delivery form the malware author chose. Nothing prevents someone to repackage it into something else.
     
    Last edited: Jan 3, 2016
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
    @Fabian Wosar
    Thanks for explanation - especially about cryptography implementation.
    One more question: did you upload other components to Virustotal also? (s.exe and both vbs files). Is any of them detected by other AM software?
     
Loading...