April 29, 2015

Turn $1 into $100 right away…..Your personal files are encrypted!

Mark Haffenden Security Researcher

Those are the five words that no one wants to see pop up on their screen. Websense® Security Labs™ researchers have identified an interesting tactic in the proliferation of Crypto ransomware.

One published example exploits the very human vulnerability concerning the fear of receiving a parking fine. In more recent incarnations, attackers have chosen to use the sophisticated Angler exploit kit to leverage software vulnerabilities instead. What if you were offered a chance to turn $1 into $100 right away” or “Invest $1 today to make $1,000 tomorrow,” or asked “Do you need money?” Does that catch your fancy? The attackers certainly hoped the Polish victims they specifically targeted would be tempted.

tactic proliferation of Crypto ransomware

Crypto ransomware

This variant was initially identified by monitoring email campaigns that encourage recipients to click on URLs hosted on compromised pages. Spammers use compromised site URLs to ensure a higher click through rate in their messages.  Compromised sites are far less suspicious than newly registered websites even to a perceptive victim. What's interesting is that attackers are having compromised sites deliver spam in most cases, but when a potentially targeted victim arrives at the compromised site, they get redirected to malware. In this case, the malware is Teslacrypt delivered via the Angler exploit kit. As a side note, Teslacrypt has also been delivered via various other exploit kits in the past.   

By emulating the lure URL in the Websense File Sandbox, we were able to track the infection chain starting from the email lure, through to the Angler exploit kit, to the eventual execution of Teslacrypt on the system. The attacker did go to great lengths to use as much stealth as possible to evade detection at various stages of the attack kill chain.

There are 3 very significant benefits to the attacker in using the Angler exploit kit:

  1. Angler provides "1 click" infection. Victims have significantly lower chances of realizing that what they are being asked to do is not legitimate.
  2. Angler provides "fileless" delivery. The malicious application is never written to the victim’s hard drive, thereby greatly reducing the chance of detection by anti-virus (AV) software. Angler has been shown to scan for AV before deciding whether to write malware to the system or store it in memory.
  3. Angler provides encrypted malware delivery. The downloaded malware does not look like an executable on the wire. This decreases the chance of detection at the network level.

The report below shows the Websense File Sandbox analysis for the file-based delivery of TeslaCrypt:

Websense File Sandbox analysis of TeslaCrypt

The command and control communication is shown below:

command and control communication

The raft of suspicious behaviors allows the file-based delivery to be more easily identified as a malicious executable. The fileless delivery method adds significantly more stealth to the infection process.

Static detection was significantly less effective than sandbox analysis with only 20% Virus Total detection at the time of writing this blog.

static detection

This low detection rate will only get worse with the fileless delivery mechanism, since anti-virus software may not even get a chance to analyze the file.


Websense customers are protected at the time of initial email delivery via TRITON AP-EMAIL. Should users reach malicious content, protection is offered via ACE, the Websense Advanced Classification Engine, at the different stages of the attack kill chain as detailed below:

  • Stage 2 (Lure) – ACE has protection against malicious email delivery and websites injected with malicious content leading to exploit kit content
  • Stage 3 (Redirect) – ACE has protection against redirections known to be associated with Angler
  • Stage 4 (Exploit Kit) – ACE has protection against the Angler exploit kit
  • Stage 5 (Dropper) – ACE file sandboxing identifies malicious binaries associated with Angler and TeslaCrypt
  • Stage 6 (Call Home) – ACE has detection for command and control traffic known to be associated with Teslacrypt


In the case of the email lure, the attackers injected code onto compromised sites and sent links to this content via email.  Websense researchers were able to create an analytic to track this injected code across the billions of pieces of web traffic analyzed by its products every day. From this, we were able to identify that attackers used the compromised site in an opportunistic way to deliver spam to the masses, but malware to targeted victims. In this case, the code is injected onto popular sites and used to infect passing trade.  Telemetry shows that code has been successfully injected into a number of popular sites. Given the recent upsurge in TeslaCrypt infections and the fact that Angler has been known to be involved in several high profile incidents, there is every reason to believe that the attackers made every attempt to infect as many users as they could opportunistically. This zero click or drive-by mode of infection gives the victim a remote chance to make the correct choices to prevent infection. Defense-in-depth is required at various stages of the attack kill chain to deal with complex threats such as these.

Contributor: Mark Haffenden with input from Nicholas Griffin, Ran Mosessco, Rajiv Motwani, and Jose Barajas.

photo credit: https://www.flickr.com/photos/nikcname/


About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.