Reversing a Crypt0l0cker dropper

Ransomware, malicious software that blocks access to a computer system or its data until a sum of money is paid, is public enemy number one in today's digital landscape and has become one of the most common forms of cybercrime.

This week a client of ours was attacked by Crypt0l0cker, a known ransomware strain that is making a comeback in European countries [1]. Luckily we were able to quickly isolate all affected users and prevent the malware from spreading. Of course, after the fact I was curious to find out how the attack had been carried out.

It all started with your typical email, sent to the financial department and claiming to be a pending bill. The email contained a link to download a ZIP archive, which in turn contained a JavaScript file. Once extracted and double-clicked, the .js file runs under the Windows Script Host (wscript.exe), and the script downloads and executes the malware.

As in any self-respecting cybercrime operation, the JavaScript file was obfuscated, so nobody could understand what it was doing just by looking at the code. The journey therefore began by downloading the ZIP, extracting it and checking the code. The complete source code is available here and runs to over 500 lines.

At first glance it looks complex and cumbersome. In reality, after tracing it with a debugger, it turns out to be rather simple and straightforward: most of the 500 lines are dead code and string-building helpers. The only parts that actually need to be reversed are the following:

At this point it is already evident that this script is written for a Windows environment: ActiveXObject exists only in Microsoft's JScript engines (Windows Script Host and Internet Explorer), no other JavaScript runtime implements it. We can also see that the Run method will be called on this object (in Windows Script Host, Run is the WScript.Shell method that launches an arbitrary command line). All that is left to do is to decode the actual command that will be passed to it.

By evaluating each of the helper functions in turn and noting the value it returns, we get the following output:

The ActiveXObject created earlier is used to execute a PowerShell command, and to understand it we need to take this reversing exercise one step further. The easiest way, again, is to open a PowerShell prompt and evaluate the expression that is passed to Invoke-Expression, printing it instead of running it (for example by replacing Invoke-Expression, or its alias iex, with Write-Output). Do this on an isolated analysis machine, since running the unmodified command would infect it. The decoded command leads us to the answer:

To conclude, the 500+ lines of obfuscated code amount to these four simple expressions, which download the Crypt0l0cker payload [2] from a hacked Vietnamese gift shop [3] and execute it, unleashing the encryption beast on the unsuspecting hard drive. As of this writing there is no known decryptor for this locker. The ransom is $500, rising to $1000 if it is not paid by the first deadline. For a victim without backups this means complete data loss and a system reinstall from scratch. Keeping a backup of all your important data, stored where an infected machine cannot reach and encrypt it, is by far the easiest, cheapest and most reliable way to recover from a Crypt0l0cker infection.
