The Rise of Backdoor-FCKQ (CTB-Locker)

By Raj Samani (@Raj_Samani) and Christiaan Beek (@ChristiaanBeek)

In the McAfee Labs Threats Report published in November 2014, Senior Vice President Vincent Weafer commented that 2014 will be remembered as “the year of shaken trust.” Indeed almost every threat measured saw notable increases in Q3 that pointed to a rather ominous 2015.  There was, however, one notable exception: ransomware.

[Figure: ransomware]

The preceding figure provided a respite against the threat of ransomware, but as foreseen in the McAfee Labs Threats Predictions “Ransomware will evolve its methods of propagation, encryption, and the targets it seeks.”

For many, this prediction appears to be ringing true with the rise of Backdoor-FCKQ (also known as CTB-Locker), now distributed via multiple channels including IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Details

“Backdoor-FCKQ” is a new crypto malware delivered through email that encrypts data files on the target system.

It copies itself to the following folder:

  • %temp%\<7 random characters>.exe
  • %temp%\wkqifwe.exe

It also creates a job task containing seven random characters:

  • %windir%\Tasks\cderkbm.job

The following registry keys are added to the system:

  • %ALLUSERSPROFILE%\Application Data\Microsoft\<7 random characters>

It injects code into svchost.exe, and svchost.exe will launch files from the following:

  • %temp%\<7 random characters>.exe

The code injected into svchost.exe will encrypt files with the following extensions:

  • .pdf
  • .xls
  • .ppt
  • .txt
  • .py
  • .wb2
  • .jpg
  • .odb
  • .dbf
  • .md
  • .js
  • .pl

Once a system is infected, the malware displays the following image:

[Figure: CTB-Locker screen shown to the victim]

The newly created process creates a mutex named:

  • \BaseNamedObjects\lyhrsugiwwnvnn
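As an added example (not McAfee's code), a small triage script that matches a host's file, task and mutex inventory against the artifacts listed above. It assumes the seven random characters are lowercase letters, as in the observed names, and runs over a constructed inventory.

```python
import re
from typing import Dict, List, Tuple

# Assumption (not stated on the page): the "7 random characters" are lowercase
# letters, matching the observed names wkqifwe, cderkbm and lyhrsugiwwnvnn.
RAND7 = r"[a-z]{7}"
ARTIFACTS = {
    "dropped_copy":   re.compile(r"^%temp%\\" + RAND7 + r"\.exe$", re.I),
    "scheduled_task": re.compile(r"^%windir%\\Tasks\\" + RAND7 + r"\.job$", re.I),
    "profile_dir":    re.compile(r"^%ALLUSERSPROFILE%\\Application Data\\Microsoft\\" + RAND7 + r"$", re.I),
    "mutex":          re.compile(r"^\\BaseNamedObjects\\lyhrsugiwwnvnn$"),
}

def to_template(path: str, env: Dict[str, str]) -> str:
    """Rewrite an expanded path back to the %VAR% form used in the indicator list."""
    for var, value in env.items():
        if path.lower().startswith(value.lower()):
            return var + path[len(value):]
    return path

def triage(inventory: List[str], env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (artifact type, original value) for every inventory entry matching an indicator.
    The 7-letter patterns are low-fidelity on their own; the fixed mutex name is the strong signal."""
    hits = []
    for item in inventory:
        tpl = to_template(item, env)
        for kind, pattern in ARTIFACTS.items():
            if pattern.match(tpl):
                hits.append((kind, item))
    return hits

# Constructed sample inventory (file paths, directories and mutex names collected from a host).
SAMPLE_ENV = {"%temp%": r"C:\Users\alice\AppData\Local\Temp", "%windir%": r"C:\Windows",
              "%ALLUSERSPROFILE%": r"C:\ProgramData"}
SAMPLE_INVENTORY = [
    r"C:\Users\alice\AppData\Local\Temp\wkqifwe.exe",      # name from the page
    r"C:\Users\alice\AppData\Local\Temp\setup.exe",        # benign, wrong shape
    r"C:\Windows\Tasks\cderkbm.job",                       # name from the page
    r"C:\Windows\Tasks\GoogleUpdate.job",                  # benign
    r"C:\ProgramData\Application Data\Microsoft\abcdefg",  # constructed 7-letter directory
    r"\BaseNamedObjects\lyhrsugiwwnvnn",                   # mutex from the page
]

if __name__ == "__main__":
    for kind, value in triage(SAMPLE_INVENTORY, SAMPLE_ENV):
        print(f"{kind:15} {value}")
```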

An interesting angle in this new round of Backdoor-FCKQ malware is the use of the well-known downloader Dalexis. There are several versions of this downloader. A simple query in our internal database resulted in more than 900 hits of this downloader and variants of it. To circumvent antispam tools, the downloader is hidden in a zip file that contains a zip and eventually unpacks to a .scr (screensaver) file.

The function of the downloader is to download additional malware from certain locations, unpack the Xor-coded malware, and execute it. In this case the additional malware, the CTB, was packed in the file pack.tar.gz:

Figure 1: pack.tar.gz.

As we can see from the preceding screenshot, there is no file header present that represents a known file type. For example, if this were an executable file, the first two characters (the magic number) would have been “MZ.” This is one of the ways in which malware authors try to circumvent gateway detection of malware. Other tricks we have seen frequently of late are to host the payload of the malware on Pastebin or GitHub.

In this case, pack.tar.gz used different XOR keys to encrypt parts of the file. Once this puzzle was cracked, the unpacked code of Backdoor-FCKQ is revealed:
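An added example, not the authors' tooling: a Python routine that flags a blob with no known magic number and recovers single-byte XOR keys from PE known plaintext (the “MZ” bytes, the DOS stub text and the “PE” signature), so that parts packed with different keys surface as separate hits. The sample payload is constructed, with keys 0x5A and 0xC3 assumed.

```python
from typing import List, Optional, Tuple

DOS_STUB = b"This program cannot be run in DOS mode"
PE_SIG = b"PE\x00\x00"
KNOWN_MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP", b"\x1f\x8b": "gzip", b"%PDF": "PDF"}

def identify_magic(blob: bytes) -> Optional[str]:
    """Return the type implied by a known magic number, or None (the 'no header' case)."""
    for magic, name in KNOWN_MAGIC.items():
        if blob.startswith(magic):
            return name
    return None

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def key_from_mz(blob: bytes) -> Optional[int]:
    """For a PE XORed with one byte, blob[0] ^ 'M' is the key; the 'Z' byte confirms it."""
    if len(blob) < 2:
        return None
    key = blob[0] ^ ord("M")
    return key if blob[1] ^ key == ord("Z") else None

def find_segment_keys(blob: bytes, markers=(DOS_STUB, PE_SIG)) -> List[Tuple[int, int, bytes]]:
    """Try every single-byte key and record (offset, key, marker) wherever a known
    plaintext marker appears; parts packed with different keys show up as separate hits."""
    hits = []
    for key in range(256):
        dec = xor_bytes(blob, key)
        for marker in markers:
            off = dec.find(marker)
            while off != -1:
                hits.append((off, key, marker))
                off = dec.find(marker, off + 1)
    return sorted(hits)

def build_sample() -> bytes:
    """Constructed stand-in for the packed payload: a minimal DOS header and stub XORed
    with 0x5A, then the PE signature region XORed with 0xC3 (two keys, two parts)."""
    dos = bytearray(b"MZ").ljust(0x3C, b"\x00")
    dos += (0x80).to_bytes(4, "little")                       # e_lfanew -> PE signature at 0x80
    dos += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21" + DOS_STUB + b"\r\r\n$\x00"
    pe = (PE_SIG + b"\x4c\x01").ljust(0x20, b"\x00")          # signature + Machine = i386
    return xor_bytes(bytes(dos).ljust(0x80, b"\x00"), 0x5A) + xor_bytes(pe, 0xC3)

def analyse(blob: bytes) -> dict:
    return {"magic": identify_magic(blob), "mz_key": key_from_mz(blob),
            "segments": find_segment_keys(blob)}
```

Longer markers such as the DOS stub string keep false hits down; two-byte markers alone would match by chance across 256 candidate keys on a real-sized file.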

Figure 2: Unpacked code of Backdoor-FCKQ.

With multiple samples of Backdoor-FCKQ (CTB-Locker) as comparison material, we immediately recognized code parts.

As a quick Yara detection rule, the following can be used:

[Figure 3: Yara detection rule]

Bitcoin trail

While tracing the Bitcoin trail and possible transactions, we found no funds in the wallet and no transactions made to other accounts.

Removal

All users: Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files to hook system start-up will be successfully removed if cleaning with the recommended engine and DAT combination (or later versions).

A special thanks to Sanchit Karve for his assistance in the analysis.

Categories: McAfee Labs

9 comments on “The Rise of Backdoor-FCKQ (CTB-Locker)”

  • Hi everyone,

    We advise keeping your system up to date as the latest updates will protect against this form of ransomware. At present there is no decryption capability however we are working closely with law enforcement agencies and industry partners to explore ways in which decryption is possible for this growing threat. For further support, please visit us at http://service.mcafee.com/.

    – McAfee. Part of Intel Security.
  • Elton, there is no hope for you. The encryption is what the virus does. Removal of the virus is the only thing you can do. The files will remain encrypted for good and you will not be able to crack the encryption as it is very powerful encryption. In a slightly more perfect world, one would be able to pay the ransom and have them restore your files, but that isn't guaranteed whatsoever.
  • Please suggest a way out of the files encrypted by this ransomware. We're unable to make payments or decrypt important files from our systems. There is no backup of these files. Is there a way to get McAfee to support us in resolving this mess?
  • Elton
    I'm sorry that I have to inform you, but there's no method to decrypt the files. The only thing you can do is save the files on which the virus failed and do a format C. I have seen an infection where outlook.pst was clean; maybe its user was lucky when she was closing Outlook after the virus had finished the job. I've tried a sample on a virtual machine and found that files with renamed extensions were also safe, and when the encryption had finished the PC was safe to work with files, so encryption was not running further. So again, you are unable to decrypt your files without the key, which was sent to the cyber criminals.
  • sbai Amine says:

    We have the same problem; we can't decrypt any file encrypted by the virus.
    Are there any tools to solve this problem?
    We are McAfee clients; we have McAfee VirusScan + AntiSpyware 8.8.
    More than ten PCs are infected.
    Please help us!!!!!
  • I have the same problem. I have an updated version of McAfee but it did not succeed in protecting my PC. Are you planning to suggest something for the decryption? Thanks
  • Hi there,

    Please assist; we are trying to restore all files encrypted by a CTB-Locker virus attack.
    We have removed the virus, however ALL files have been encrypted, e.g. XLS.KLXFUXE.
    Is there a method or program you can suggest we use to decrypt these files, as we have no backups and can't restore previous versions of any file?
    The antivirus that was on the computer before the attack was McAfee Internet Security 2015.
    Thanks