Brad Duncan is a Security Researcher at Rackspace, where he investigates suspicious network activity. Occasionally, he receives tippers on compromised websites that can infect vulnerable computers. Rackspace researchers investigate these tippers to gather malware samples, identify threat actors, and determine other indicators of malicious activity. This blog entry discusses one such investigation.
As early as January of this year, we started seeing reports of a new ransomware named “Threat Finder” . At least one source speculates Threat Finder is a copy of Cryptolocker , but we haven’t found anything definitive on the origin of this ransomware.
We ran across Threat Finder on Tuesday, April 7th, 2015 when infecting a Windows host. The host was infected when casual web browsing led to the Angler exploit kit. After the infection, the host’s personal files were encrypted, and instructions for Threat Finder v2.4 appeared on the desktop screen.
Chain of events
- Step 1: The user viewed a compromised website that generated behind the scenes traffic for Angler exploit kit.
- Step 2: The vulnerable Windows host was infected by the Angler exploit kit.
- Step 3: The exploit kit sent Bedep malware, commonly seen from Angler .
- Step 4: Bedep downloaded more malware, including Threat Finder.
- Step 5: Threat Finder encrypted the user’s personal files and displayed instructions to recover the data.
Shown above: Threat Finder v2.4 instructions for decrypting your personal files.
Shown above: The same decryption instructions from a web browser.
About the time Threat Finder displayed the decrypt instructions, we saw click fraud traffic from the infected host. Click fraud traffic generates ad revenue through numerous requests for web traffic from the infected host.
Shown above: HTTP traffic for Angler exploit kit, Bedep post-infection, and click fraud traffic.
The infected host had at least one registry entry for a file named reg.dll as shown below:
This is the Threat Finder ransomware. A sample can be found at: https://malwr.com/analysis/MjY3ZjEwZDc1MTIyNDdjOGIzYzMwZTg3Y2VlMDA5NmM/
When run through malwr.com’s analysis, reg.dll generated traffic to 18.104.22.168, sending approximately 217 KB of data to the infected host. The analysis shows dropped files that are images for Threat Finder’s decrypt instructions.
Shown above: One of the dropped image file from reg.dll
The bitcoin address for the malware’s ransom payment is: 1NadLTgZHFGJmqUuQ58dGsB7ADCbe5N6z1
Check this bitcoin address at blockchain.info, and you’ll find at least 11 transactions with over 7.5 bitcoins received.
Shown above: Transactions at the bitcoin address for the ransom payment
What should you do if your computer becomes infected with Threat Finder? Your personal files may be lost if you don’t have a backup. Even if you pay the ransom, you have no guarantee the malware authors will provide the decryption key.
As always, your best defense is regularly backing up your data. If not, you could find yourself at the mercy of this or other ransomware.