Obama-Themed Ransomware Also Mines for MoneroMore Proof Cryptojacking Is Thriving: Crypto-Locking Malware Doubles as Miner
After dabbling in themes ranging from Pokemon, horror movies and British prime ministers to cats, princesses and Donald Trump, crypto-locking malware creators have now debuted "Barack Obama" ransomware. In a sign of the times, the ransomware doubles as a monero cryptocurrency miner.
The anti-malware researchers known as Malware Hunter Team discovered the malware, which bills itself as being "Barack Obama's Everlasting Blue Blackmail Virus." The code was first compiled in May, but not uploaded to virus-scanning service VirusTotal until last month. The malware includes a number of Chinese language elements, although that is no smoking gun as to who may have developed it or where they're based.
'This Is a Big Thing'
Unusually, the Windows-targeting ransomware appears to be designed to only encrypt executable - .exe - files. "Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it. So you can decrypt it, but you have to tip it. This is a big thing."
Obama isn't the first world leader to have been feted with their own ransomware "skin."
In 2016, Bleeping Computer reported finding ransomware with a then-presidential-candidate Donald Trump theme. But the version of the malware it uncovered turned out to not encrypt anything and to still be in development. It's not clear if a working version ever debuted.
Cryptojacking Continues to Increase
The appearance of Obama-themed ransomware is a reminder that crypto-locking code may not be as hot as it used to be, but it's still prevalent. Arguably, 2017 was the year of ransomware innovation. But 2018 has been the year of cryptocurrency mining malware and "cryptojacking" attacks (see Cryptojacking Displaces Ransomware as Top Malware Threat).
Security researchers this year have continued to chart the rapid rise of malware that's designed to use infected systems' CPUs to mine for cryptocurrency. Mining means solving complex computational challenges that verify cryptocurrency system transactions, which adds them to the cryptocurrency's blockchain. In return, miners may receive cryptocurrency back as a reward.
Earlier this year, security firm Vectra reported that from August 2017 through January 2018, "as the value of cryptocurrencies like bitcoin, ethereum and monero increased, there was a corresponding uptick in the number of computers on university campuses performing mining or cryptojacked by miners to process cryptocurrency hashes." It wasn't clear how much of that mining activity was malicious.
But as the value of cryptocurrencies has increased, security firms have charted a rise in cryptocurrency-mining malware attacks. Such malware allows attackers to monetize their infections without having to interact with victims or spell out for many how they might go about acquiring the particular flavor of cryptocurrency that their ransomware attacker requires they use to remit their ransom (see Ransomware Gangs Take 'Customer Service' Approach).
Cryptojacking Targets Servers
Attackers have also begun to look beyond PCs. "Crypto miners are not only installed on workstations, servers are juicy targets too ... because that's where the real CPU power is available," says security researcher Xavier Mertens in a blog post on the SANS Institute's Internet Storm Center site.
"The recent Apache Struts remote code execution vulnerability ... is heavily used to drop crypto miners on vulnerable systems," he adds, referring to Apache's open source Java web application framework (see Apache Issues Emergency Struts Patch to Fix Critical Flaw).
Tracking the 'Rocke' Campaign
Since April, Cisco's Talos security group says it's been tracing a large-scale cryptocurrency mining campaign that targets Struts 2 and which is run by a Chinese-speaking hacker it calls "Rocke"
In July, Talos spotted attacks, tied to Rocke, that appeared to be probing for vulnerable Oracle WebLogic servers.
"Although we first observed this actor exploiting vulnerabilities in Apache Struts, we've also observed what we believe to the same individual exploiting an Oracle WebLogic server vulnerability (CVE-2017-10271), and also exploiting CVE-2017-3066, a critical Java deserialization vulnerability in the Adobe ColdFusion platform," Liebenberg says.
If Rocke successfully exploits a known vulnerability to gain remote access to a server, Talos says the attacker often runs a shell script called A7 "that kills a variety of processes related to other cryptomining malware - including those with names matching popular mining malware such as 'cranberry,' 'yam,' or 'kworker' - as well as mining in general, such as 'minerd' and 'cryptonight,'" Liebenberg says. "It detects and uninstalls various Chinese AV," and also downloads a file that uses a script that attempts to connect to more IP addresses, via Secure Socket Shell, and then to download A7 onto those systems and execute it.
New Ransomware Keeps Appearing
Despite the rise in crypotjacking attacks, ransomware nevertheless remains a tool in many cybercriminals' illicit money-making arsenal.
Malware researcher Michael Gillespie, aka @demonslay335, who works with MHT, also runs the free ID Ransomware site, which allows ransomware victims to upload an encrypted file to help ascertain the strain of ransomware that encrypted their system.
ID Ransomware now counts 631 different strains of ransomware - from Blue Blackmail, CryptGh0st and Dharma to ExecutionerPlus, Ryuk and Thanatos - up from 603 just two months ago.
Still, Gillespie says his list isn't meant to be exhaustive. For example, he doesn't count every new piece of ransomware based on Hidden Tear - open source code released by a researcher who claimed to want to see how ransomware worked - unless it includes major new functionality.
Attacker Ethos: Why Choose?
In some cases, however, attackers have opted to obtain ill-gotten gains in more than one way.
"The Obama ransomware sample seems to have monero coin miner code in it - so you were after all already paying," Christiaan Beek, lead scientist at security firm McAfee, tells Information Security Media Group.
That type of strategy, however, also isn't new. "We have seen crypto-mining components included within the ransomware kit that has been dropped on to the compromised servers," incident response expert David Stubley, who heads Edinburgh-based security testing firm and consultancy 7 Elements, tells ISMG (see Hackers Exploit Weak Remote Desktop Protocol Credentials).
"In one of our recent engagements, we saw multiple ransomware kits being deployed, with different levels of complexity and capabilities," he says. "So for example, one using a 'build your own' level of ransomware kit that [allows you to] decide on the amount of BTC [bitcoins] and the extension for the encrypted files. While a more complex kit with mimikatz [a Windows password extraction tool] and crypto-mining capabilities was also found."
Stubley says the presence of different exploit or crimeware toolsets and kits on the same endpoint may indicate that different attack groups had access to the same system. In many cases, he says, an initial set of advanced attackers may obtain remote access to a system, and spend weeks stealing any interesting data. When they're done, they may install ransomware as a coup de grâce, or else sell access to the compromised systems to other, less sophisticated attackers, who install cryptojacking software or ransomware on the endpoints.
"While knowing what the individual motivation is will always by difficult, it would appear that the more sophisticated attackers are using the most appropriate components. So if mining will return profit then they will utilize that," Stubley says. "If not, then they default to ransoms."