New CryptoLuck ransomware infects victims through legitimate GoogleUpdate.exe application and DLL hijacking
A Proofpoint security researcher has discovered a new ransomware, called CryptoLuck, that infects target computers through the legitimate GoogleUpdate.exe executable and DLL hijacking.
According to security researcher and exploit kit expert 'Kafeine', CryptoLuck ransomware has been spotted being distributed via the RIG-E exploit kit after redirection from compromised websites and malvertising.
While Kafeine only specifically saw this sample through advertising in the Adult web site space, he said there is a good possibility of it also being distributed through other sources such as compromised sites.
It is also notable that new ransomware families are not commonly distributed via exploit kits; delivery through an exploit kit could allow much wider distribution of the ransomware.
CryptoLuck ransomware is distributed using a self-extracting RAR SFX file that includes the crp.cfg, GoogleUpdate.exe, and goopdate.dll files. The interesting part is that GoogleUpdate.exe is a legitimate Google application which is also signed by Google. After automatically extracting into the %AppData%\76ff folder, GoogleUpdate.exe executes silently. Because the ransomware developer knows that GoogleUpdate.exe searches for a goopdate.dll file and loads that DLL after it executes, he also placed a malicious goopdate.dll inside the RAR archive in order to take advantage of this Google application. When the legitimate GoogleUpdate.exe file is executed, it loads the malicious DLL containing the ransomware code rather than the legitimate one normally used by Google.
After infecting the target system, CryptoLuck scans local hard drives, mounted drives and unmapped network shares for files with certain extensions such as docx, xlsx, pdf, pptx, jpeg, jpg and others. For each file it generates a unique AES encryption key and encrypts the file using AES-256 encryption. This file's encryption key is then encrypted with an embedded public RSA key, and the resulting encrypted AES key is embedded in the encrypted file.
After the encryption process, targeted files will have the .[victim_id]_luck extension appended to filename.
The original name of each encrypted file is then added as an entry under the HKCU\Software\sosad_[victim_idfile]\files key.
As a last step, CryptoLuck displays a ransom note named %AppData%\@WARNING_FILES_ARE_ENCRYPTED.[victim_id].txt. This ransom note contains instructions on how to download the decryptor and how to make the ransom payment, and it also informs the victim that he/she has 72 hours to pay the ransom. The ransom fee is 2.1 bitcoins (approx. $1500 USD).
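The artifacts described above (the staged GoogleUpdate.exe/goopdate.dll pair under %AppData%, the .[victim_id]_luck extension, the ransom note name and the HKCU\Software\sosad_[victim_id]\files key) are enough to build a simple host-side indicator check. The following Python script is an added example written for this article; it is not code from the article, from Kafeine or from Proofpoint. It works on a constructed list of file paths and registry key names rather than a live filesystem, assumes the victim id is alphanumeric (the article does not state its format), and assumes that a GoogleUpdate.exe/goopdate.dll pair staged directly under %AppData%\<folder> is suspicious while the same pair under a Program Files install location is not.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Indicator values are taken from the article. The victim-id pattern
# (alphanumeric) is an assumption; the article only shows it as [victim_id].
VICTIM_ID = r"[A-Za-z0-9]+"
LUCK_FILE_RE = re.compile(r"\.(?P<victim_id>" + VICTIM_ID + r")_luck$", re.IGNORECASE)
NOTE_RE = re.compile(
    r"[\\/]@WARNING_FILES_ARE_ENCRYPTED\.(?P<victim_id>" + VICTIM_ID + r")\.txt$",
    re.IGNORECASE,
)
REG_KEY_RE = re.compile(
    r"^HKCU\\Software\\sosad_(?P<victim_id>" + VICTIM_ID + r")\\files$", re.IGNORECASE
)
# %AppData% expands to ...\AppData\Roaming; the sample staged into a folder
# directly beneath it (76ff). Assumed rule: that location is suspicious.
STAGING_DIR_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+$", re.IGNORECASE)


def split_path(path: str) -> Tuple[str, str]:
    """Return (directory, file name) for a Windows path without touching the filesystem."""
    directory, _, name = path.rpartition("\\")
    return directory, name


def find_sideload_pairs(paths: List[str]) -> List[str]:
    """Directories under %AppData% holding both GoogleUpdate.exe and goopdate.dll.

    A signed, legitimate loader placed beside a DLL it searches for in its own
    directory is the DLL-hijacking staging the article describes.
    """
    by_dir: Dict[str, set] = defaultdict(set)
    original_case: Dict[str, str] = {}
    for p in paths:
        directory, name = split_path(p)
        key = directory.lower()
        original_case.setdefault(key, directory)
        by_dir[key].add(name.lower())
    return sorted(
        original_case[d]
        for d, names in by_dir.items()
        if {"googleupdate.exe", "goopdate.dll"} <= names and STAGING_DIR_RE.search(d)
    )


def classify_path(path: str) -> Optional[Tuple[str, str]]:
    """Return (indicator, victim_id) when a path matches a CryptoLuck file artifact."""
    m = NOTE_RE.search(path)
    if m:
        return ("ransom_note", m.group("victim_id"))
    m = LUCK_FILE_RE.search(path)
    if m:
        return ("encrypted_file", m.group("victim_id"))
    return None


def classify_registry_key(key: str) -> Optional[Tuple[str, str]]:
    """Return (indicator, victim_id) when a key matches the per-victim file list."""
    m = REG_KEY_RE.match(key)
    return ("registry_file_list", m.group("victim_id")) if m else None


def scan(paths: List[str], reg_keys: List[str]) -> dict:
    """Collect every indicator from the inventory, grouped by kind, plus victim ids seen."""
    report = {
        "sideload_dirs": find_sideload_pairs(paths),
        "encrypted_files": [],
        "ransom_notes": [],
        "registry_keys": [],
        "victim_ids": set(),
    }
    for p in paths:
        hit = classify_path(p)
        if hit is None:
            continue
        kind, victim_id = hit
        report["victim_ids"].add(victim_id)
        report["encrypted_files" if kind == "encrypted_file" else "ransom_notes"].append(p)
    for k in reg_keys:
        hit = classify_registry_key(k)
        if hit is not None:
            report["registry_keys"].append(k)
            report["victim_ids"].add(hit[1])
    return report


# Constructed sample inventory (not real telemetry): one staged loader pair, one
# legitimate install of the same pair, two encrypted files, a note and the key.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\76ff\crp.cfg",
    r"C:\Users\alice\AppData\Roaming\76ff\GoogleUpdate.exe",
    r"C:\Users\alice\AppData\Roaming\76ff\goopdate.dll",
    r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
    r"C:\Program Files (x86)\Google\Update\goopdate.dll",
    r"C:\Users\alice\AppData\Roaming\@WARNING_FILES_ARE_ENCRYPTED.ab12cd34.txt",
    r"C:\Users\alice\Documents\report.docx.ab12cd34_luck",
    r"\\fileserver\share\budget.xlsx.ab12cd34_luck",
    r"C:\Users\alice\Documents\notes.txt",
]
SAMPLE_REG_KEYS = [
    r"HKCU\Software\sosad_ab12cd34\files",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
]

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_PATHS, SAMPLE_REG_KEYS).items():
        print(f"{kind}: {sorted(hits)}")
```

In a real deployment the path and key lists would come from an endpoint inventory or EDR export; the location rule is the part most worth tuning, since the legitimate per-user Google Update installer also ships a goopdate.dll next to GoogleUpdate.exe, just not in a folder created directly under %AppData%.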
Unfortunately, there is no decryption tool or method available yet for the CryptoLuck ransomware. Any tools or updates will be shared here.
(Image source: Kafeine)