Unit 42 has recently discovered a new variant of PowerWare, also known as PoshCoder, imitating the popular Locky ransomware family. PoshCoder has been encrypting files with PowerShell since 2014, and the new variant named PowerWare was reported in March 2016. The malware is responsible for encrypting files on a victim’s machine and demanding a ransom via the Bitcoin cryptocurrency.
In addition to using the ‘.locky’ filename extension on encrypted files, this PowerWare variant also uses the same ransom note as the Locky malware family. This is not the first time PowerWare has imitated other malware families, as earlier versions have been known to use the CryptoWall ransom note. Other instances of ransomware have also been known to borrow code from others, such as the TeslaCrypt ransomware family.
Unit 42 has written a Python script that will recursively seek out .locky files on a victim machine and restore them to their original state. The decrypter can be found here.
Analysis
Initial analysis of PowerWare showed that this sample is a .NET executable. After careful inspection of the malware using a .NET decompilation program named dnSpy, we witnessed the word “PowerGUI” from Quest Software. This allowed us to immediately know that the malware was using the PowerShell script editor that converts PowerShell scripts to Microsoft executable files.
Figure 1 PowerGUI referenced within the decompiled malware variant
Figure 2 Decompiled Main() function
Upon closer inspection of the .NET executable file, we discovered that it’s using ScriptRunner.dll to unpack a PowerShell script, named fixed.ps1. This unpacked file is dropped to the following location:
In reality, this .NET Microsoft Windows executable is only responsible for unpacking an embedded script and running it with PowerShell.exe. The script resides inside a ZIP file, named Scripts.zip. This file is located in the resources section of the file as shown in Figure 3.
Figure 3 Scripts.zip embedded within the malware’s resource section
As the Scripts.zip file is embedded within the malware without any obfuscation, we can easily extract this ZIP file using dnSpy. This in turn allows us to obtain the compressed PowerShell script within.
The PowerShell script is very similar to other PoshCoder/PowerWare variants. This sample uses AES-128 encryption with a hard-coded key, which would allow victims to decrypt files without paying, as seen in Figure 4. It doesn’t include a network beacon that tries to transmit randomly generated bytes for the key like some variants have been known to do.
Figure 4 Encryption setup for PowerWare variant
The PowerShell script automatically scans the victim’s machine for files with the extensions listed below and then proceeds to encrypt them.
Figure 5 List of file extensions encrypted by PowerWare
PowerWare then appends the .locky extension to the files it encrypts like the infamous Locky malware. It also writes a HTML file with the name ‘_HELP_instructions.html’, which is identical in wording to the Locky ransomware family. This ransom note is dropped into folders containing encrypted files.
Figure 6 PowerShell code used to mimic the Locky malware family
Figure 7 PowerWare ransom note using same wording as Locky
In the event users wish to pay the ransom, they may navigate to a provided website, such as the one below. The site provides instructions on how Bitcoin may be purchased, and once again we see references to the Locky ransomware family, which this variant is clearly mimicking.
Figure 8 Decryption website
Decryption
As mentioned previously, since the malware uses a static key, decryption of victim’s file is possible. The malware actually only encrypts the first 2048 bytes of the targeted files, as witnessed in Figure 9.
Figure 9 Example of a file encrypted with the PowerWare variant
The following screenshot shows an example of the script running on an infected Windows machine.
Figure 10 Decrypter script being executed
It is our hope that this script will assist victims that have been affected by this variant of PowerWare.
Conclusion
While this sample may appear to be new, it is in fact a variant of the previously discovered PowerWare malware family. Unlike other variants, this sample purports to be the Locky malware family.
Palo Alto Networks customers are protected from this threat in the following ways:
All domains and IP addresses associated with this malware are correctly flagged as malicious.
All samples encountered within this campaign are correctly identified as malicious by WildFire.
An AutoFocus tag exists for the tracking and identification of this malware family.
As mentioned in our previous blog, we observed the Sofacy group using a new persistence mechanism that we call “Office Test” to load their Trojan each time the user opened Microsoft Office applications. Following the report, we received several questions regarding this persistence method, specifically how it works and which versions of Microsoft Office were affected. This blog will serve as a technical analysis of this persistence method that security professionals and network defenders can use for awareness, as we believe it is likely additional threat groups will begin using this technique.
We have added a malicious behavior tag named OfficeDllSideloading to AutoFocus for Palo Alto Networks customers to track the usage of this persistence method.
Office Test Backstory
During our analysis of the delivery document used by the Sofacy group in recent targeted attacks, we saw the document create the following registry key:
Based on our analysis, adding a path to a DLL to this registry key would load the DLL each time a Microsoft Office application was opened. We had not seen this registry key used for persistence before, so we looked into how this registry key results in the execution of a malicious payload. We checked a clean system with Microsoft Office installed, and confirmed that it did not have the key in the registry, as seen in Figure 1.
Figure 1 Windows Registry does not have the “Office Test” key by default with Microsoft Office Installation
We checked our WildFire data and found only a handful of samples using this registry key for persistence, all of which were used to load the Carberp variant of Sofacy. At the time, we thought the Sofacy group had discovered a new persistence technique, but to our surprise,Hexacorn had revealed this registry key in an April 2014 blog post. This suggests that the Sofacy group may not have discovered this persistence technique themselves, and as threat actors often do, absorbed an existing technique into their playbook.
DLL Loading Process
To determine how this registry key executed the malicious DLL, we analyzed activities that occur when the user opens the Microsoft Word application. We chose to analyze Word because we knew from our research on the Sofacy attacks that Word loaded the Trojan’s malicious DLL; however, other Microsoft Office applications were also discovered to be susceptible to this persistence method, which we will elaborate on in the next section.
Figure 2 below shows the API function calls during the startup process that are related to the registry key. The API calls show Word (WINWORD.EXE) loading “wwlib.dll”, which is a legitimate library loaded by Word at runtime. The “wwlib.dll” library opens the registry key in question, queries its default value (NULL in Figure 2) and then loads the malicious DLL (“btecache.dll”) stored within this key using LoadLibraryW.
Figure 2 API functions called by Word that Loads Malicious DLL
The last activity seen by “wwlib.dll” in Figure 2 involves an attempt to open a handle to the same registry key within the HKEY_LOCAL_MACHINE hive, as follows:
The attempt to open this key fails because the key does not exist with a default installation of Microsoft Office. In addition, using this registry key for persistence purposes is not ideal because the actor would need elevated privileges to modify registry keys in the HKLM hive. Instead, the threat actors created the “Office Test” registry key in the HKCU hive, which only requires the current account privileges to modify the key with a path to a malicious DLL.
In the Sofacy attacks, the actors added its loader Trojan named “btecache.dll” (Figure 2) to the “Office Test” registry key. The loader Trojan locates and loads a second DLL from “C:\ProgramData\svchost.dll” into Word, as seen in Figure 3 and exits. The “svchost.dll” contains the functional code of the Carberp variant of the Sofacy Trojan, which remains running in Word until the user closes the application.
Figure 3 The payload “svchost.dll” running within Microsoft Word
Purpose of the Office Test Key
Based on the activities in the startup process, we saw the legitimate “wwlib.dll” library loading the malicious DLL from the registry key. We wanted to know why “wwlib.dll” would load a DLL from a key that was not added to the registry during the installation of Microsoft Office. Static analysis of “wwlib.dll” revealed that the DLL loads the library from the registry key, then attempts to resolve and call an API function named “_GetPerfhostHookVersion@0” from the loaded library, as seen in Figure 4.
Figure 4 Code within wwlib.dll that loads a DLL from the registry and attempts to resolve and call _GetPerfhostHookVersion@0
When “wwlib.dll” uses the LoadLibraryW function to load the DLL from the registry key, it runs the DllEntryPoint exported function in the DLL. In the case of Sofacy’s “btecache.dll”, the DllEntryPoint function locates the second DLL called “svchost.dll”, loads and runs its functional code. The “btecache.dll” file does not contain an exported function named “_GetPerfhostHookVersion@0”, but this does not matter as the code in Figure 4 would fail to resolve the API function but would continue executing without calling the API.
In addition to “_GetPerfhostHookVersion@0”, the “wwlib.dll” library also attempts to resolve several additional exported functions from the DLL loaded from the registry, specifically with names that contain the following:
_InitPerf _PerfCodeMarker _UnInitPerf
It appears that Word (and other Microsoft Office applications) use this registry key to load DLLs in order to conduct performance evaluations and other debugging tasks during development or testing phases of the applications. This would explain the reason why the “Software\Microsoft\Office test\Special\Perf” registry keys are not created during the installation of Microsoft Office.
We also discovered that the library will attempt to load a DLL from the following registry key in the HKEY_LOCAL_MACHINE hive, whose key name “RuntimePerfMeasurement” further suggests that “wwlib.dll” uses these registry keys for performance testing and debugging purposes:
To see which versions of Word were susceptible to this persistence mechanism, we checked “wwlib.dll” in the following Word versions: 2003, 2007, 2010, 2013, 2015 and 2016. We were able to confirm “wwlib.dll” from Office 2007, 2010, 2013, 2015 and 2016 would load a DLL from the “Office Test” registry key discussed in this blog. Office 2003 would not load a DLL from this registry key and it did not have a “wwlib.dll” file.
We also tested other Microsoft Office applications to see which would load a DLL from the “Office Test” registry key, which includes Word, Powerpoint, Excel, Outlook, OneNote and Publisher. It is interesting to note, that some applications in the Office suite do not need to call another DLL to load the malicious payload via the registry persistence mechanism (such as Word using wwlib.dll) and instead will load the malicious payload directly from the application. Figure 5 shows a graphical representation of applications loading the payload directly from the executable versus using a separate DLL file.
Figure 5 Office Test workflow
Simple Protection
During our research, we found that the “Office Test” persistence technique could be easily defeated by manually creating the registry key “HKCU\Software\Microsoft\Office test” and removing the current user’s account write permissions for this key. Microsoft Office does not require this registry key to operate and does not even create the registry key during installation; therefore, adding this key as read-only will have no effect on the usability of Microsoft Office applications. The steps taken to defeat the “Office Test” persistence mechanism will be outlined below and could also be easily scripted or pushed to systems via group policy.
Disclaimer: Modifying the registry can cause serious problems that may require you to reinstall your operating system. We cannot guarantee that problems resulting from the incorrect use of the registry can be solved. Use the information provided at your own risk.
First, we created the “HKCU\Software\Microsoft\Office test” via the “reg” command. Open a command prompt (cmd.exe) and input the following:
reg add “HKCU\Software\Microsoft\Office test”
Figure 6 The “reg” command used to create the “Office test” registry key
We then navigated to the newly created registry key using the “regedit” application. By right clicking on the key, we can access the permissions associated with the key, as seen in Figure 7.
Figure 7 Right clicking key allows access to permissions
The current user has “Full Control” permissions for this registry key, as seen in Figure 8. This permission allows an actor to write the path to the Trojan to the “Special\Perf” sub-key. The “Read” control in Figure 8 allows Microsoft Office to read the contents of this key and its sub-keys, which is how the actor leverages this technique to load a malicious DLL into Office applications. To defeat this persistence mechanism, we can remove the current user’s write permissions to this key by clicking the “Advanced” button.
Figure 8 Current user’s default permissions to the “Office test” registry key
The current user was granted “Full Control” permissions to this registry key because it inherited permissions from its parent object, which ultimately inherited its permissions from the HKEY_CURRENT_USER hive. To remove the user’s write permissions to this registry key, we first must remove the inherited permissions by unchecking the box seen in Figure 9.
Figure 9 Remove inherited permissions by unchecking this box
By unchecking the box in Figure 9, the dialog box in Figure 10 pops up, which provides options for “Remove” to remove all permissions from this key or “Add” to set specific permissions for the user.
Figure 10 Dialog box displayed after removing the registry key’s inherited permissions
Here we will click “Add”, select the current user, then press the “Edit” button to set specific permissions for this user. In the next dialog, click the “Clear All” button first to remove all existing permissions then select only “Read Control”, as seen in Figure 11.
Figure 11 Read-only permissions assigned to this key
With the “Read Control” permission, Microsoft Office products are still able to read from this registry key, but malicious documents will not be able to write to this key. We tested this simple registry modification against the delivery document used by Sofacy discussed in our previousblog and discovered that while the delivery document was still able to exploit our analysis system, the payload would not be able to run when the user opened Microsoft Office applications, thus creating a benign infection.
Autoruns Detecting Office Test
Unit 42 reached out to notify Microsoft of the Office Test persistence mechanism and its use by a threat group in targeted attacks. On July 4, 2016, Microsoft released a new version of Autoruns, specifically v13.52 that includes checks for the Office Test registry keys. We downloaded Autoruns v13.52 and tested both the GUI (Autoruns.exe) and CLI (autorunsc.exe) versions of the tool on a system compromised with the Sofacy tool that used this persistence technique. Figure 12 and Figure 13 below show the two Autoruns tools detecting the use of this registry key for persistence.
Figure 12 GUI version of Autoruns detecting Office Test persistence mechanism
Figure 13 Autorunsc detecting the Office Test persistence mechanism
Conclusion
The “Office Test” persistence mechanism allows threat actors to execute a Trojan each time a user runs any of the Office applications. This persistence mechanism loads a malicious DLL by leveraging a registry key that appears to be used during the development and testing of Microsoft Office applications. The use of this registry key for persistence is quite clever, as it requires user interaction to load and execute the malicious payload, which makes automated analysis in sandboxes challenging. Low awareness of this persistence method, coupled with the sandbox evasion obtained from user interactions, makes this a potentially attractive persistence method that we believe may be used in future attacks. Unit 42 suggests monitoring for systems that have this registry key already created, as it is possible a threat is already using the key for persistence purposes. Microsoft has added the “Office Test” registry keys to its Autoruns tool for detection purposes as well. Also, we suggest disabling this persistence method by creating the “Office test” registry key in read-only mode as outlined in this blog.
As cloud computing and unmanaged endpoints continue to gain traction, it is a foregone conclusion that information security technical controls must become more virtual – that is to say, software-based. Rapidly disappearing are the days of physical perimeters and hardwired network architectures.
One of Cloud Security Alliance’s most promising research projects, Software Defined Perimeter (SDP), looks to accelerate the implementation of virtual controls to make organizations more secure without losing the agility cloud and mobility offer. SDP is inspired by the military’s classified, “need to know” network access model. SDP provides the blueprint for an on-demand, point-of-use security perimeter with a tremendous number of interesting security use cases.
The linked slide deck is a presentation about SDP from Kirk House, who is an SDP Working Group leader as well as Global Director, Enterprise Architecture at The Coca Cola Company. Kirk’s presentation provides an enterprise view of how we need to rethink security with SDP. By starting with zero trust, the ability to achieve application segmentation, eliminate a wide variety of intermediate attack vectors and achieve greater overall security is compelling.
Software Defined Perimeter is coming to you soon, and I hope you will take the time to learn more about it.
Jim Reavis, Co-founder and CEO, Cloud Security Alliance
Gartner’s June 2016 article, “Use These Five Backup and Recovery Best Practices to Protect Against Ransomware,” outlines five steps for mitigating the threat and/or risk of being hit with ransomware. I will spare you the market stats and dollar figures intended to scare you into taking action now. If you have an affinity for ransomware horror stories, click here, here, here, or even here.
Or let’s spend time looking at Gartner’s best practices to determine if you believe we are a legit provider of ransomware protection. Heads-up: when it comes to ransomware, one-third of our customers recover from ransomware using our endpoint backup + restore software, so Code42 customers represent.
Gartner Step 1: Form a single crisis management team Typically, a crisis management team consists of only the customer’s employees, but Code42 does have a virtual seat at this table. Each and every day Code42 system engineers, IT staff, product managers, developers, professional services and customer support staff meet to discuss and address issues raised by our customers. This response team works together to solve customer problems so customers can effectively conduct internal risk assessments and respond to incidents that threaten the health of their endpoint data.
Gartner Step 2: Implement endpoint backup This IS our responsibility, and we are the best at it, so say our customers. Including one senior IT manager who said, “CrashPlan gives me immense confidence as an IT manager. Case in point: an executive was traveling to Switzerland for a big presentation and had his laptop stolen en route. He was able to go to an Apple store, purchase a new machine, install CrashPlan, sign in and restore his files in time for the presentation. And we won the business. I was able to talk him through this on a five-minute phone call. It does not get better than that.” (Click here to read the entire review.*) Or instead of reading through all the reviews and case studies, we can cut to the chase and simply answer the question: Why are we the best? Because we deliver what matters most to enterprise customers—from end users to admins to executives.
It just works. Code42 works continuously to back up your data no matter the device, no matter the network. In fact, 7/10 IT admins consider themselves more productive after deploying Code42, which translates to more time focused on projects that are more strategic and rewarding.
It scales bigger and faster than any other enterprise endpoint backup solution.
Service and support is “stellar,” according to our customers. But don’t take our word for that,take theirs.
Gartner Step 3: Identify network storage locations and servers vulnerable to ransomware encryption Yes, you need to protect your servers, but let’s get to the point: or rather, let’s start at the endpoint where 95% of ransomware attacks originate. Server backup wasn’t designed to restore data to endpoints.
Gartner Step 4: Develop appropriate RPOs and backup cadences for network storage and servers We choose to focus on the source of attack where we are the best at meeting recovery point objectives (RPO) and backup cadences. Our backup frequency is 15 minutes by default, configurable down to one minute; whereas our competitor’s default backup frequency is every four hours, configurable down to five minutes. The more frequent the backup cadence, the better the protection against data loss. Gartner’s “Five Backup and Recovery Best Practices to Protect Against Ransomware,” advises, “The primary goal is to leverage newer backup methodologies to achieve more frequent recovery points…The goal here is backing up more often.” This is not just a server and network-storage best practice, it’s an endpoint best practice too.
Gartner Step 5: Create reporting notifications for change volume anomalies Step five centers on endpoint backup reporting capabilities. Here Code42 is resoundingly on point. In the first half of 2016, in the 5 series release of Code42 CrashPlan, a reporting web app that makes it easy to assess when users are not backing up frequently enough—putting your RPO in jeopardy. In addition, the ability to securely index and search user data archives helps security and IT teams find and identify malicious files through MD5 hash, keyword or metadata searches. Combine indexing and searching capabilities with web reporting capabilities to identify anomalies at the individual, department or group-level.
*Gartner Peer Insights reviews constitute the subjective opinions of individual end-users based on their own experiences, and do not represent the views of Gartner or its affiliates.
Mark Wojtasiak, Director of Product Marketing, Code42
COBIT 5’s Seven Phases of the Implementation Life Cycle have been “posterized” into a free download that illustrates the framework’s program management, change enablement and continual improvement life cycle.
The poster is part of the COBIT 5 framework for the governance and management of enterprise IT, which is highly valued by commercial, not-for-profit and public-sector organizations. Enterprise executives, IT professionals and business consultants depend on its globally accepted principles, practices, analytical tools and models to drive business value from trusted information and technology. Among the more popular elements from COBIT® 5 are the diagrams illustrating important practical concepts.
The July COBIT 5 poster centers on the Seven Phases of the Implementation Life Cycle diagram. The seven phases include:
Phase 1—What Are the Drivers? Which identifies current change drivers and creates at executive management levels a desire to change that is then expressed in an outline of a business case. Phase 2—Where Are We Now? Which aligns IT-related objectives with enterprise strategies and risk, and prioritizes the most important enterprise goals, IT-related goals and processes. Phase 3—Where Do We Want To Be? Which sets a target for improvement followed by a gap analysis to identify potential solutions. Some solutions will be quick wins and others more challenging, long-term tasks. Phase 4—What Needs To Be Done? Which plans feasible and practical solutions by defining projects supported by justifiable business cases and developing a change plan for implementation. Phase 5—How Do We Get There? Which provides for the implementation of the proposed solutions into day-to-day practices and the establishment of measures and monitoring systems to ensure that business alignment is achieved and performance can be measured. Phase 6—Did We Get There? Which focuses on sustainable transition of the improved governance and management practices into normal business operations and monitoring achievement of the improvements using the performance metrics and expected benefits. Phase 7—How Do We Keep the Momentum Going? Which reviews the overall success of the initiative, identifies further governance or management requirements and reinforces the need for continual improvement. It also prioritizes further opportunities to improve GEIT.
COBIT® 5 – The Seven Phases of the Implementation Life Cycle View Full Size PDF
Previous COBIT 5 posters of the month include:
June 2016: COBIT 5—Summary of Process Capability Model
May 2016: COBIT 5—Process Reference Model
April 2016: COBIT 5—Governance and Management Key Areas
March 2016: COBIT 5—Enterprise Enablers
February 2016: Roles, Activities and Relationships
January 2016: Goals Cascade
December 2015: Governance Objective: Value Creation
November 2015: COBIT 5 Principles
