When cybercriminals are around, what you see at the outset is rarely what you get in the end.
In recent SolCyber articles, podcasts and webinars, you’ll have heard us mentioning many different sorts of cyberattack, and numerous different sorts of attacker.
For example, ransomware tends to dominate cybersecurity headlines, given the degree of human despair it causes when personal data is deliberately leaked as a blackmail strategy, and given the level of IT devastation it often leaves behind.
But many, perhaps even most, ransomware incidents don’t unfold as a single attack involving a single item of malicious software, or malware for short.
Make no mistake, ransomware attacks can happen that way: you could receive a single rogue program file by email, either as an attachment or a download link, unadvisedly run that file, and instantly watch your precious files getting scrambled.
Indeed, back in 2013, that’s pretty much exactly how the first wave of modern, file-scrambling ransomware attacks were carried out, by a malware strain dubbed CryptoLocker, which also became the name given to the gang who created it and sent it out.
These attackers, and the extortion-based cybergangs with names such as Locky and Teslacrypt that soon followed, ended up making millions of dollars, perhaps even hundreds of millions, by blackmailing thousands or tens of thousands of individuals simultaneously, in wave after wave of attacks, demanding about $300 to $1000 in bitcoins for each computer that had been scrambled.
If your company had 1000 laptops and 50 of them got locked up simultaneously, perhaps because of a spam campaign that tricked 50 users before you could circulate a warning telling everyone to watch out, you were stuck with paying 50 × $300.
Each computer needed its own, unique decryption key, because these early ransomware attackers weren’t specifically targeting businesses or networks.
In case you’re wondering how well this old-school sort of ‘hit-and-hope’ ransomware attack worked, often also known as a spray-and-pray, the University of Kent in England published a survey in early 2014 that told a dramatic story about how much those early one-at-a-time CryptoLocker crooks probably made.
Because the survey was conducted with some sort of academic rigour, and wasn’t “research” carried out by a vendor with sales and marketing in mind, the conclusions were widely accepted, and made scary reading: 1 in 30 households admitted to having been hit, and 40% of those said they’d paid up to get their computers ‘repaired’.
If we use 2013 statistics for the number of households in Britain, and the fraction of those with computers, we get a total of just over 26 million households × 83% with computers, for about 22 million possible ransomware victims.
If 1 in 30 got hit, that’s more than 700,000 ransomware incidents; and if 40% of those coughed up $300 each, that’s more than $80,000,000 in blackmail payments in Britain alone.
If you add the population of Western Europe and North America to that, the number of potential victims increases about ten-fold.
The University of Kent survey suggested that just over a quarter (about 28%) of those surveyed admitted to taking no security precautions (this was back in 2013, so that number could be very different today), including having no anti-virus or threat-blocking software at all.
But this means that a significant majority of those who did take precautions nevertheless ended up with the CryptoLocker malware implanted and activated on their computers.
So, if the CryptoLocker gang infected hundreds of thousands of computers in Britain alone, where more than two-thirds of households were protected in some way against malware attacks…
…how did their ransomware, which remained substantially similar in operation throughout its year-long lifetime, continue to evade detection?
How does any long-lived crimeware group, whether they’re pushing out ransomware, cryptominers, keyloggers, data stealers, or any other sort of malware, stay actively threatening for months or years?
Do they literally need to rewrite their malware from scratch after every attack, or are there other tricks they can use to make individual malware samples go further and last longer?
The answer is that they can use a range of different techniques, including:
As you can imagine, these tricks can be combined not only to make detecting new malware harder, because it’s changing all the time, but also to frustrate researchers trying to get hold of new samples.
A scam email could contain a unique download link that returns entirely innocent content when researchers visit, but when regular users click the link, malware is sent back instead.
Likewise, the malware you receive could be selected by the server based on your operating system, your country, the time of day, or many other factors that are known only to the criminals who set up the server, and can only be guessed at by researchers.
The delivered malware could be a tiny downloader that visits yet another unique link and fetches a dropper program in which another downloader is packaged as a compressed, scrambled blob of digital shredded cabbage…
…and so on until the final malware is installed, in a delivery chain that’s as long and as devious as the criminals wish to make it.
The trouble with downloaders is that they are easy to create, tiny to deliver, and trivial to modify.
Even (perhaps especially) if you detect a new downloader before it calls home and wreaks more havoc, and even if you manage to isolate it and remove it from all the affected computers on your network automatically, you can’t simply pat yourself on the back and move on, because there are numerous related questions you need to consider, too, including:
To give you an idea of just how compact a downloader can be, here’s a simple example.
(We’re not giving away any dangerous tricks here that aren’t already widely available in source code repositories across the internet.)
Don’t worry if you’re not a C programmer; just note the brevity of the code, and how it makes use of existing, easy-to-use Windows programming functions with self-descriptive names such as URLDownloadToFileA().
The system()
command, which you also see below, is a one-liner that tells Windows to run the specified filename, which could be a batch file, a program, a PowerShell script, or numerous other types of executable object:
Note how Windows takes care of the download details for you, including automatically using end-to-end HTTPS encryption (denoted by the URL prefix https://
), setting up the network connection, dealing with the HTTP protocol interchange with the other end, receiving the data sent back by the server, and saving it into a filename of your choice.
All in one line of code (line 5).
If you want to try this out for yourself, you can download a tiny, free, fully-functional Windows C compiler from my Github site.
Save the program as dl.c
and compile it like this to produce a downloader executable called dl.exe
that’s just 1536 bytes in size:
Admittedly, opening this tiny file in a hex editor and looking at the text strings inside it makes its function rather obvious, without needing any expertise in decompiling or disassembling executable code:
The Windows functions used by the program are listed in the .EXE
file, so Windows knows in advance which system code it needs to get ready, so you can see at a glance that the program uses URLDownloadToFileA()
from urlmon.dll
, as well as the handy system()
function from the Microsoft Visual C runtime, msvcrt.dll
.
But some tiny changes can make both the URL and the executable filename harder to spot automatically.
This time, we’ve trivially scrambled the ASCII text of the URL and filename simply by adding 1 to the ASCII code of each character (as you can see, the letters https
are now less obviously stored as iuuqt
, and the giveaway string ://
is now the more innocent-looking ;00
:
We can also get rid of the mention of urlmon.dll
and the function URLDownloadToFileA
from what’s known as the function import table by loading them manually at runtime with the widely-used Windows functions LoadLibrary()
and GetProcAddress()
, which means that the downloader function doesn’t appear in memory until after the downloader program itself has loaded:
The suspicious DLL name and function name of interest no longer appear in the function import table at the bottom of the hexdump, replaced by the rather more innocent functions LoadLibraryA()
and GetProcAddress()
, which are very widely used by legitimate programs.
However, our own stored-in-the-code strings still give the game away:
Of course, we can use our add-1-to-the-ASCII-code trick once more, and re-obfuscate all our strings, like this:
The giveaway text strings signalling that we’re using URLDownloadToFileA()
are no longer visible in the hexdump:
Here, we’ve been messing around with our own code to create a disguised downloader, using common techniques that most programmers would already know: there’s nothing advanced or hard-to-learn about the examples shown above
Additionally, all popular web servers make it easy to generate what are known as dynamic web pages, so that visiting the same URL over and over again creates and sends back a different page each time.
This makes it surprisingly easy for attackers not merely to produce permuted or shuffled-around new malware for every download, but also to repackage that permuted malware inside a permuted downloader or dropper ‘utility’ that is generated and compiled uniquely for each visit.
It’s also easy for attackers to redirect multiple different web domains to a single server, and to arrange for thousands or millions of different URLs to resolve to the same dynamic web page generation script.
All these different-looking URLs might therefore ultimately be handled by just a single server:
http://one.example/free-offer.html https://one.example/free-offer.html https://one.example/unsubscribe https://two.example/unsubscribe http://look-alike.test/free-offer.html http://l00k-al1ke.test/free-offer.html
At the same time, all of these different URLs, even if visited multiple times, could end up sending out a different, unique malware sample each time.
And, of course, the malware samples could be multiple, obfuscated samples of the same single family, or multiple samples of multiple very different malware families, perhaps even sent out by cybergang A on behalf of pay-to-play cybergangs X, Y and Z.
Simply put, as we said at the top of the article, what you see at the start of an attack is rarely what you end up with.
Even worse, downloaders and droppers don’t have to be as simple as the ones we’ve shown here.
Criminals can take existing software utilities or installers – programs you already expect to ‘call home’ to download and install further software – and modify them very slightly so that they act as malware decoys.
Decoys of this sort generally do everything that their legitimate originals do, including fetching and activating software you really do want to install, as well as quietly installing malware in the minimalistic, uncomplicated fashion of a standalone downloader or dropper.
Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!