March 12, 2015 / Vadim Kotov

Achievement Locked: New Crypto-Ransomware Pwns Video Gamers

Gamers may be used to paying to unlock downloadable content in their favorite games, but a new crypto-ransomware variant aims to make gamers pay to unlock what they already own. Data files for more than 20 games can be affected by the threat, increasing what is already a large target for cybercriminals. Another file type that hasn’t been targeted before is iTunes related. But first, let’s have a look at the initial infection.

This crypto-ransomware variant has been distributed from a compromised web site that redirected visitors to the Angler exploit kit by using a Flash clip. Bromium Labs notified the owner of the web site, but they haven’t responded. At the time of writing this blog, the website was still serving malware. The web site is based on WordPress and could have been compromised by any one of the numerous WP exploits. Additionally, the URL where the malicious Flash file is hosted keeps changing.

Attackers used an unconventional way of redirecting the users. Instead of a typical iframe (or an iframe dynamically generated by JavaScript) they used a Flash clip wrapped in an invisible <div> tag. Perhaps attackers believed this would help them to evade detection longer?

achievement_locked_001

The Flash banner operates by making calls to JavaScript via the ExternalInterface class. It only lets MSIE (including 11) and Opera through. It creates an iframe using JavaScript:

achievement_locked_002_js

This leads to yet another redirect and finally to the Angler Exploit Kit.

Our analysis determined that this instance of Angler checks for the presence of several virtual machine artifacts, Fiddler and some anti-virus products using Microsoft.XMLDOM and the res:// protocol.

achievement_locked_002

achievement_locked_003

If all the checks are passed, it drops a recent Flash exploit (CVE-2015-0311) and an older, but still working, IE exploit, CVE-2013-2551.

Let’s now discuss the dropped malware. According to Bleeping Computer it is called TeslaCrypt and was first discovered by Fabian Wosar of Emsisoft. We add some details that weren’t covered in the Bleeping Computer article.

The malware dropped claims to be the new CryptoLocker.

achievement_locked_004

achievement_locked_005

The similarity between the original CryptoLocker and this instance is negligible (~8% according to BinDiff). So it would seem the attackers are just re-using the brand.

The payment procedure is operated through a website located in the TOR domain.

This variant targets 185 file extensions, which is fewer than TorrentLocker, but notably, it targets more file types associated with video games than we have ever seen:

achievement_locked_006

We haven’t seen gamers being targeted by ransomware until now. Here’s the list of affected games and game related software:

  1. Single User Games
    • Call of Duty
    • StarCraft 2
    • Diablo
    • Fallout 3
    • Minecraft
    • Half-Life 2
    • Dragon Age: Origins
    • The Elder Scrolls and specifically Skyrim related files
    • Star Wars: The Knights Of The Old Republic
    • WarCraft 3
    • F.E.A.R
    • Saints Row 2
    • Metro 2033
    • Assassin’s Creed
    • S.T.A.L.K.E.R.
    • Resident Evil 4
    • Bioshock 2
  2. Online Games
    • World of Warcraft
    • Day Z
    • League of Legends
    • World of Tanks
    • Metin2
  3. Company Specific Files
    • Various EA Sports games
    • Various Valve games
    • Various Bethesda games
  4. Gaming Software
    • Steam
  5. Game Development Software
    • RPG Maker
    • Unity3D
    • Unreal Engine

Encrypting all these games demonstrates the evolution of crypto-ransomware as cybercriminals target new niches. Many young adults may not have any crucial documents or source code on their machine (even photographs are usually stored at Tumblr or Facebook), but surely most of them have a Steam account with a few games and an iTunes account full of music. Non-gamers are also likely to be frustrated by these attacks if they lose their personal data.

Files are targeted by extension. Concretely these are user profile data, saved games, maps, mods etc. Often it’s not possible to restore this kind of data even after re-installing a game via Steam.

Interestingly, although these are all popular games, none of them match any particular “Top Sellers” or “Most Played” chart and could just be games the developer loves to play.

It seems that OpenSSL was used to implement some of the cryptographic routines in the malicious executable file. We found references to the big number and elliptic curve modules as well as EVP:

achievement_locked_007

Separately, we found secp256k1 elliptic curve field data and base58, SHA-256 and RIPEMD-160 related constants, which is typical for BitCoin related software and might be used to generate BitCoin addresses. Each instance of the ransomware has its own BTC address.

Program workflow:

  1. Relocate itself to %appdata%
  2. Delete Zone.Identifier NTFS stream
  3. Set the registry autostart as svcav_module
  4. Try to remove the shadow copies: vssadmin.exe delete shadows /all
  5. Start the thread reporting back to server
  6. Create the thread terminating the following processes (the thread runs infinitely and also terminates newly created processes):
    • taskmgr
    • procexp
    • regedit
    • msconfig
    • cmd.exe
  7. Create the encryption thread.
  8. Create the UI Window and infinitely check for the window messages.
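
Several of these steps leave host telemetry that can be correlated per machine. The following is an added example, not part of the original analysis: a triage pass over process and registry events that flags hosts showing several of the workflow steps. The event schema, host names and sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators come from the workflow steps above; the event schema is hypothetical.
KILL_TARGETS = {"taskmgr", "procexp", "regedit", "msconfig", "cmd"}
VSSADMIN = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all", re.I)
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\svcav_module$", re.I)
APPDATA_EXE = re.compile(r"\\(AppData\\Roaming|Application Data)\\[^\\]+\.exe$", re.I)

def indicator(event):
    """Return the workflow step an event matches, or None."""
    kind = event["type"]
    if kind == "process_create":
        if VSSADMIN.search(event["cmdline"]):
            return "deletes_shadow_copies"      # step 4
        if APPDATA_EXE.search(event["image"]):
            return "runs_from_appdata"          # step 1
    elif kind == "registry_set":
        if RUN_VALUE.search(event["target"]):
            return "autostart_svcav_module"     # step 3
    elif kind == "process_kill":
        victim = re.sub(r"\.exe$", "", event["victim"].lower())
        if victim in KILL_TARGETS:
            return "kills_admin_tools"          # step 6
    return None

def triage(events, threshold=3):
    """Return hosts showing at least `threshold` distinct workflow steps."""
    seen = defaultdict(set)
    for event in events:
        step = indicator(event)
        if step:
            seen[event["host"]].add(step)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= threshold}

# Constructed events (not taken from the article's analysis run).
EVENTS = [
    {"host": "PC-07", "type": "process_create", "cmdline": "update.exe",
     "image": r"C:\Users\kim\AppData\Roaming\update.exe"},
    {"host": "PC-07", "type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svcav_module"},
    {"host": "PC-07", "type": "process_create", "cmdline": "vssadmin.exe delete shadows /all",
     "image": r"C:\Windows\System32\vssadmin.exe"},
    {"host": "PC-07", "type": "process_kill", "victim": "Taskmgr.exe"},
    {"host": "PC-12", "type": "process_create", "cmdline": "chat.exe",
     "image": r"C:\Users\lee\AppData\Roaming\chat.exe"},
]

if __name__ == "__main__":
    print(triage(EVENTS))
```

A single indicator, such as a program running from %appdata%, is common on clean machines, which is why the threshold requires several distinct steps on the same host.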

Let’s discuss some of the functionality above in more detail.

The C&C communication is done via HTTP. The malware first checks the victim's IP address by requesting ipinfo.io/ip, then connects to its server in the TOR network through one of the TOR proxies. The picture below shows the logs from our fake DNS server:

achievement_locked_008

After that it first sends a “ping” request to the server:

/state1.php?Subject=Ping&key=7AECD42E75E6349C9EF02BBEFCFF63C20A6E8A0930DCCDA93138979EB772796C&addr=194YpJ765RmXi13ggquay2TRs9m3WQmnS3&files=0&size=0&version=0.3.0&date=1426116410&OS=2600&ID=21&subid=0&gate=G0&is_admin=1&is_64=0&ip=172.16.10.10

The whole string of GET parameters was actually encoded with base64; we only show the decoded version.

Second request reports that files were encrypted:

/state1.php?Subject=Crypted&key=7AECD42E75E6349C9EF02BBEFCFF63C20A6E8A0930DCCDA93138979EB772796C&addr=194YpJ765RmXi13ggquay2TRs9m3WQmnS3&files=3675&size=115&version=0.3.0&date=1426116430&OS=2600&ID=21&subid=0&gate=G0&is_admin=1&is_64=0&ip=172.16.10.10
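
Because the parameters travel base64-encoded, a plain string match on proxy logs will miss them. The following added example (not part of the original analysis) decodes each query string and matches the field set of the two requests above. It assumes the base64 blob is the entire query string after `?`; the host names and sample URLs are constructed by re-encoding the article's decoded requests.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Field names taken from the two decoded requests shown in the article.
BEACON_FIELDS = {"Subject", "key", "addr", "files", "size", "version", "date",
                 "OS", "ID", "subid", "gate", "is_admin", "is_64", "ip"}
HEX64 = re.compile(r"^[0-9A-Fa-f]{64}$")
BTC_ADDR = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")  # base58 shape only

def decode_query(url):
    """Return decoded GET parameters, or None if the query is not base64 text."""
    query = urlsplit(url).query
    if not query:
        return None
    try:
        padded = query + "=" * (-len(query) % 4)
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return {k: v[0] for k, v in parse_qs(text).items()}

def classify(url):
    """Return the beacon Subject ("Ping", "Crypted") or None if it does not match."""
    params = decode_query(url)
    if not params or not BEACON_FIELDS.issubset(params):
        return None
    if not HEX64.match(params["key"]) or not BTC_ADDR.match(params["addr"]):
        return None
    return params["Subject"]

def sample_url(subject, files, size, date):
    """Constructed sample: the article's decoded request, re-encoded, placeholder host."""
    decoded = (f"Subject={subject}"
               "&key=7AECD42E75E6349C9EF02BBEFCFF63C20A6E8A0930DCCDA93138979EB772796C"
               "&addr=194YpJ765RmXi13ggquay2TRs9m3WQmnS3"
               f"&files={files}&size={size}&version=0.3.0&date={date}&OS=2600&ID=21"
               "&subid=0&gate=G0&is_admin=1&is_64=0&ip=172.16.10.10")
    return "http://gate.example/state1.php?" + base64.b64encode(decoded.encode()).decode()

if __name__ == "__main__":
    for url in (sample_url("Ping", 0, 0, 1426116410),
                sample_url("Crypted", 3675, 115, 1426116430),
                "http://shop.example/search.php?q=games&page=2"):
        print(classify(url), url[:60])
```

Matching on the decoded field set rather than on the key or address values keeps the check useful across infections, since each instance has its own BTC address.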

Let’s now look at the encryption mechanism. First it enumerates all the logical drives visible to the system. Then it traverses the folder tree of each drive and encrypts files matching one of the 185 extensions. The AES cipher is used for file encryption, and our experiments show the key is randomly generated for each file (identical files result in different ciphertext). Encrypted files are renamed to <filename>.ecc. It should be noted that the encryption related code was statically linked and doesn’t seem to match OpenSSL; perhaps compiler optimizations are responsible, or another open source library was used. The OpenSSL related strings could come with the parts of BitCoin code we found in the binary.

A list of encrypted files is written into %appdata%/log.html. This locker also creates a file called key.dat. The structure of this file is not fully known:

achievement_locked_009

The first 16 bytes are the BTC address. At offset 177 is the ‘key’ parameter sent to the server. What kind of key this is remains unknown.

Although the preliminary analysis reveals a lot about the inner workings of this threat, some questions are yet to be answered:

  • Does it really use RSA-2048? We couldn’t find any RSA related code yet. If so, how is the key pair generated?
  • What’s inside key.dat? Could it be used to decrypt user data?

Finally, we’d like to remind you to keep your files backed up on an external hard drive and to keep this hard drive unplugged when you go online. Also be careful with your DropBox (or other cloud services). If you have folders synchronized with an online storage, malware will get to them too.

In conclusion, this new specimen falls neatly in the ransomware evolution chain we presented in our crypto-ransomware report. As more file categories are infected, a broader audience is affected. The attackers are also getting better at incorporating BitCoin code directly into their projects. Which isn’t a good sign.

On the positive side though – encrypting video game files could actually make us play less and work more. Then, perhaps, we will develop protection against crypto-ransomware much faster. Oh, wait a minute… we already have one! It’s called vSentry – it isolates the threats. Just saying.

UPDATE 3/12/2015 2:00 PM

Threatpost referenced this article, and in the comments someone shared an earlier report of the same malware. It was published on the BleepingComputer forum on February 27 and called New TeslaCrypt Ransomware sets its scope on video gamers. They mention that the software is called TeslaCrypt.
