Inside the brain of a Black Hat hacker: the making of ransomware distribution

If you think that you will find here how to create a ransomware it is better to search another source than us.

For the users protection we didn’t show even the whole source of the Office Macro. Moreover after we decrypted the password of the macro (in order to view it) we unprotected the macro in order to not know the numbers of the characters of the original virus macro.

Now let’s start to view first the 4 minutes video made by us. Please DO NOT TRY ON YOUR PERSONAL computer to ‘play’ with viruses because it exist a very big possibility to get your computer harmed by the virus.

First of all we received an email about a ‘Past due invoice’ with two files attached: one HTML empty file and a .RTF (Rich Text Format) Microsoft Office file.The name of the .rtf file it is looking very similar with an invoice file as the number it is big and we could think that it could be what they say.

But when we open the file it is a blank one and we have a security warning about Macros. In this moment every of  us should understand that there it is a catch: a virus it is under this Macro.

A very short check it is to verify the properties of the document. At author we see only some characters, if the document come from a company we should see a name. Next we go to check the contents. We see at title something in Russian ‘название’ (nazvanie) Well the shortest way to find what this means it is to ask a Russian speaking friend or better we could use Google Translate. Well название means Title… So as you guess the hacker just left the default name for title. Until now we know that the hacker it is a Russian speaking one. For sure he will not make this to gain some money for a Vodka bottle, will ask at the end more money.

At the first part we didn’t enabled the Macro, we go to View Macros to see the source code, so we click Edit. At this step you will be prompted for a password. As we wrote, for the user protection we unprotected this to not be able to see the numbers of the password characters.

Once we open the Macro we could see that the project it is divided in three parts: Microsoft Word Objects, Forms and Modules.

At modules we recognize  Sub and Dim statements. The Sub statement declare the parameters, names, and code that define the sub procedure. The Dim statement declare and allocate the space for variables.  There it is a lot of characters and to be more difficult we see the the hacker used LTrim and RTrim  in order to take out the spaces from the start or the end of a line.

The most important think it is ‘Forms’. It is divided in four.  Here we find the link where the next part of the virus resides: it is a PHP file from an US website where the hacker gained already the access. Why PHP? Because it is very simple to use and the guy need to make everything in background. Plus it is very fast and also it could work with SQL databases. The website from our example it is already down (the first attack received from this version of LOCKY ransomware was on 13th of April and after a few days this websites are closed by owners)

To make everything more complicated, the ransomware programmer choose to encode everything, so it is a little more difficult to extract data from all.

When we start the Macro, we will see wscript.exe running the script. At the temporary folder we find the script dfvvx.VBe, which it is normal when we open a Visual Basic script (macros in MS Office)

But we got an error. This it is because the script doesn’t have anymore access to that php file where from to take the other part of the virus which come as a dll file, so everything stops here. We are lucky and not locky this time. Our files remain as they are and we could see our images, docs, excel or pdf files.

This it is only a very small part of the reverse engineering in this area of IT. To know how to fight against the intruders you should use all your knowledge to understand how it is working. As a bonus you find inside some very personal information about the hacker. In this case that he is using Microsoft Office in Russian, so he knows this language more probable as native.

We hope that you liked this article, if yes don’t forget to share it on Facebook.

And don’t forget, never play with viruses on your computer if you don’t have enough knowledge about this. It is like you play with human viruses on your desk without any medicine class. Be careful. We are not responsible if you damage your or a third party computer using our posts.

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *