Discovered a trojan horse which pretends to be a security scanner by Microsoft

0
105

Currently, there are more than 800 million Windows 10 users across the globe while vast numbers of users are still using Windows 7.

These stats may not come as surprise but they do make Windows users a lucrative target for cybercriminals.

On October 3rd, 2019, a trojan horse was discovered which pretends to be a security scanner by Microsoft but in reality, it is everything evil but so.

A cybersecurity researcher named Xavier Mertens first posted a screenshot of the email he received from the scammers prompting him to download the malware:

Phishing email (Screenshot: Xavier Mertens)

If you click on the download button, a file called WSS.zip will be downloaded that contains a file called “Windows Security Scanner.exe” and a hidden Resources folder with a few other executables.

WSS.zip Folder
WSS.zip Folder

When the Windows Security Scanner program is executed, it will show a fake progress bar that pretends it’s installing the software.

Fake Windows Security Scanner
Fake Windows Security Scanner

A few minutes later, it will show what appears to be a ransom screen from the Lost Files Ransomware. This screen tells you that you need to send $500 USD in bitcoins to the 13nRGetwvc7UZF8P5KM9bWqHGK6tMk7wyf bitcoin address in order to decrypt your files.

*-*-*-*

To start with, it can clearly be seen that the sender’s email address has not been spoofed to breathe in an air of authenticity.

This blunder alone should be sufficient for most to realize that it is not a legitimate email but for the sake of exploration, we’ll continue.

Upon downloading, we are presented with a WSS.zip archive file which contains the executable file of the fake scanner. Once one runs it, they are presented with a ransomware warning a few moments later unfolding the entire scheme:

It’s not surprising that Bitcoin is their preferred currency but given some astonishing revelations surrounding its anonymity, Monero or Zcash certainly might have been a better choice.

Upon inspecting the SHA256 of the archive with an online tool like VirusTotal, we are presented with the different categories and names under which it has been detected by various anti-virus software.

Regardless, after the tools has done its job, users would now find every file encrypted with the following types under the Users folder in C Drive bearing the”.Lost_Files_Encrypt” extension:

“.xxx .sdf .txt .doc .docx .xls .pdf .zip .rar .css .xlsx .ppt .pptx .odt .jpg .bmp .png .csv .sql .mdb .php.asp .aspx .html .xml .psd .bat .mp3 .mp4 .wav .wma.avi .mkv .mpeg .wmv .mov .jpeg .ogg.TXT .DOC .DOCX .XLS .PDF .ZIP .RAR .CSS .XLSX .PPT .PPTX .ODT .JPG .BMP.CSV .SQL .MDB .PHP .ASP .ASPX .HTML .XML .PSD .BAT .MP3 .MP4 .WAV .WMA .AVI .MKV .MPEG .WMV .MOV .OGG and .JPEG.”

Microsoft Pretender Scanner

Image credit: Bleeping Computer

These files, though, are not encrypted, but rather have the first line removed and binary data corrupted. For example, you can see a corrupted image file below.

Corrupted Image File
Corrupted Image File

Data corruption caused by reading files in as text

According to Michael Gillespie, the binary files are being corrupted because the program is using the File.ReadAllLines method to read the contents of a file into an array.  As this function is meant to be used on text files, much of the read binary data is being corrupted.

When “encrypting” files, Lost Files will read the file into an array as shown below.

array = File.ReadAllLines(Directory_Path);

It then nulls out the first line with:

array[0] = null;

Finally, it write the data back to a new file with the .Lost_Files_Encrypt extension. It then deletes the original file.

File.WriteAllLines(arg_58_0, array);

As the File.ReadAllLines is meant to only work with text files, binary files such as images, docs, spreadsheets, etc will be corrupted when it writes the data back as text.

It is not known if the attacker is purposely trying to corrupt data, but based on some of the strings stuffed into the program, it could be intentional.

Takes jabs at cyber security

Stuffed into the malware executable is some pretty strange messages that makes me believe the attacker purposely made this into a wiper.

First we had some comments directed at security researchers and info sec such as:

CyberSecurityIsAB**ch

F**k Cyber Security

These pieces of sh** needs to get something better to do!

poverty is what caused the creation cyber security

I'm From Eastern Europe You Will Never Catch Me Because I'm Too Good I'm Starving I'm Begging The Gods For This Ransomware To Work I Want To Get Out Of Poverty You Can't Be Happy And Poor It's Not HowItworks

In addition there were some other strange messages about Donald Trump, Kim Kardshian, 

Kim Kardashian The *** Dumpster
Donald Trumps Hair Line.
Life Is Das Besta.

Finally, while not targeting cyber security, the executable contains a PDB that shows the file code was located in a “Junk_Code_Lost_Files” folder.

C:\Users\lenovo\source\repos\Junk_Code_Lost_Files\Lost_Files\Lost_Files\obj\Release\Lost_Files.pdb

Overall, with the “Lost Files” name, the PDB folder path, and the strange string it feels like a joke or someone intentionally trying to cause chaos.

*-*-*-*-*-

To conclude,  this ransomware is no different from others.

In fact, it is much easier to spot at first sight from the other ones out there but users getting compromised despite that says a lot about the lack of awareness surrounding cybersecurity. This is best summed up from a quote by Elliot from the famed Mr.Robot,

“I’ve never found it hard to hack most people. If you listen to them, watch them, their vulnerabilities are like a neon sign screwed into their heads.”

Perhaps, someone can also install an anti-malware software next time.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.