RSAFirstWatch has been tracking a new variant of CryptoLocker, a malware family that will lock a local system until a ransom is paid to the malware author. This variant has a very specific beaconing pattern, and the detection rule for it is included below.
Once infected, a local system will display the following on the screen:
The local system calls a specific HTML or PHP page at a command and control server, which returns a binary encoded string. A session capture is below.
We have been tracking this malware for a while, and most of the hostnames this malware communicates with have already been added to the FirstWatch C2 Domains feed. There are some new domains that will be added to this feed today as well. The new domains are:
dzwej.ru, gcobb.ru, wrso.su, vepfx.ru
For those that do not subscribe to the FirstWatch feeds, you may be able to create a local feed to detect the following domains:
eywh.su, vepfx.ru, ighr.ru, dzwej.ru, bkdt.ru, bkvs.su, vqcny.su, vfoux.ru, rnye.su, xqcml.su, gcobb.ru, xshyq.ru, oxur.ru, gcxn.ru, efmg.su, reupy.su, hovmp.ru, tqzr.su, bfdfa.ru, yzaed.net, serc.su, mftaw.net, irvrh.su, nfymz.biz, hnvy.ru, efgb.su, ywsld.ru, xrwu.su, wviq.su, wrso.su, vymmf.ru, vdsvs.su, scey.su, qyds.ru, mvkbc.su, kagpk.ru, jvxiw.com, jcxb.su, idojv.net, htfq.ru, gybdr.biz, gcsqz.ru, fpgvu.com, erqkn.su, cmfdd.com, cffe.ru, bkvz.su
To detect the beaconing pattern, create a new rule on your decoders. Alert it to your alert field.
Call the rule CryptoLocker Beaconing. The rule content is:
service=80 && extension=html,php && attachment exists && filename length 40-u
Attached is a PCAP you can use to test your rule.
Good luck and Happy Hunting!
