A forum for reverse engineering, OS internals and malware analysis 

 #24293  by Grinler
 Thu Nov 06, 2014 11:01 pm
Thanks Blaze.

Been looking since last week for the malicious docs that install TorrentLocker.

I have been able to locate a few of these malicious word docs, but they don't seem to drop a ransomware payload. Instead they were installing downloaders from a variety of sites using the path /js/bin.exe and saving them as names like calc1.exe. Derek (DVK01) felt that the docs' payloads are installing downloaders that may eventually install ransomware, but not initially.

Anyone able to find one that actually installs TorrentLocker as described by the Fox-IT blog?
 #24295  by Blaze
 Thu Nov 06, 2014 11:15 pm
Haven't been able to locate any of the DOC files. Attached some alleged droppers as well, but can't test myself now unfortunately.

Cheers!
 #27856  by sysopfb
 Thu Feb 11, 2016 10:09 pm
What people are calling Teerac and AV is calling Win32.Teerac is just a variant of TorrentLocker that matches the reports from welivesecurity.com and the FoxIT blog post with the exception of an additional subdomain generation based on a hardcoded domain.

Though they usually resolve to the same IP as the hardcoded domain, I didn't see that mentioned in a report (correct me if I'm wrong).
Example:
oduqaw.vjivebilan.org (31.170.104.60)
egfz.vjivebilan.org (31.170.104.60)
agusel.vjivebilan.org (31.170.104.60)
opaqiqqpaw.vjivebilan.org (31.170.104.60)
oqtsmfoz.vjivebilan.org (31.170.104.60)
yqaqoq.vjivebilan.org (31.170.104.60)
ykezovaniri.vjivebilan.org (31.170.104.60)
ifttirygema.vjivebilan.org (31.170.104.60)
abpcyla.vjivebilan.org (31.170.104.60)
ibijopy.vjivebilan.org (31.170.104.60)
I went through a few samples confirming most of what I had read in regards to the code reuse from HesperBot and the Outlook and SMTP server information theft using MAPI via COM.

Whitepaper is attached but I didn't check it over much, so if anyone sees something that needs fixing let me know.

Sample hash list:
89edb283b3a3c892cb8ed7fa893aff5f36982fc3f4657c3b0723351212ded3e6
c4928426873726e4eeb341aaea33d07f41cef58193eb1655bfe1ee6a97afd4c8
2c6b46b60b4ddb5e75a45a9ba2e57a60a1d95bd798bac6b3036ecde237dddb74
56cbf1281a50e0082a1db873bec0097b61c6074152d40598f73c094d37674ea6
6ef7c2cd280b17ea104f7c9c75711992176bb2b854424b779e6da7becda8d998
43d0b93f825a60c676eeab175cc11eea07f1b598bee08bf57d99c64f41a9b8c6
580c61c84d588f32b0cb6b4203cf5918a0c63a15b1529d5ea0ba105b59ab4373
7db8759c7260b71866d896c9a381f47b8d7e452aea3d1d8aab41e38085ccfb70
fe17addfb458cf66f4a922f342baf4337ec33e9e1aa3b715ec94e676ca74417b
c9e9f81c9438ea7a062b41bbb1c121f88b6a372c4eb15030c50a3f16b714b62d
3c38e1e5956c2a9f6fe4f33d52d5c1ddbdc2e43abeda25b16f7ae4aa7eaa610f
f5f7cb83a8f229b96a39f2be7a686fdecd717f2519ffe5b62bc98ff439b6f583
545f991909341b92702a0aa2aa18c4ccceefad207af2180aeed24f5c1b346037
Observed C2 domains:
megezawone.net
vodleklina.org
pyjtoxoyr.org
ioytoxpaire.net
kdiertyjoxeg.com
vjivebilan.org
jgiwoxoqlwez.com
rygzatyee.com
asoijaisojais.net
nemexcikx.net
kheoyostowe.net
lderktdfphje.net
Observed C2 ips:
31.170.104.60
188.225.34.221
80.78.253.130
91.214.114.122
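The pattern sysopfb describes, many generated-looking subdomains of one hardcoded domain all resolving to the same IP, is something a defender can hunt for in passive DNS or resolver logs without knowing the generation algorithm. The script below is an added example (not code from the thread or from any of the cited reports): it groups DNS records by registered domain and resolved IP, flags pairs with an unusual fan-out of non-standard subdomains, and separately matches records against the C2 domains and IPs listed in the post. The records in SAMPLE_RECORDS are constructed; the vjivebilan.org resolutions reproduce the ones quoted above, the example.com/example.net/example.org entries and the IPs 93.184.216.34 and 203.0.113.7 are placeholders. The registered-domain extraction takes the last two labels, an assumption that ignores public suffixes such as co.uk.

```python
from collections import defaultdict

# Observed C2 domains and IPs exactly as listed in sysopfb's post
C2_DOMAINS = {
    "megezawone.net", "vodleklina.org", "pyjtoxoyr.org", "ioytoxpaire.net",
    "kdiertyjoxeg.com", "vjivebilan.org", "jgiwoxoqlwez.com", "rygzatyee.com",
    "asoijaisojais.net", "nemexcikx.net", "kheoyostowe.net", "lderktdfphje.net",
}
C2_IPS = {"31.170.104.60", "188.225.34.221", "80.78.253.130", "91.214.114.122"}

# Hostnames that legitimately fan out under one registered domain; these are
# not counted so ordinary web/mail setups do not trip the heuristic
COMMON_LABELS = {"www", "mail", "smtp", "imap", "ftp", "ns1", "ns2", "cdn", "api", "update"}

# Constructed passive-DNS style records (fqdn, resolved IP). The vjivebilan.org
# rows reproduce the resolutions quoted in the thread; the remaining rows are
# made-up benign traffic for contrast (93.184.216.34 and 203.0.113.7 are placeholders).
SAMPLE_RECORDS = [
    ("oduqaw.vjivebilan.org", "31.170.104.60"),
    ("egfz.vjivebilan.org", "31.170.104.60"),
    ("agusel.vjivebilan.org", "31.170.104.60"),
    ("opaqiqqpaw.vjivebilan.org", "31.170.104.60"),
    ("oqtsmfoz.vjivebilan.org", "31.170.104.60"),
    ("yqaqoq.vjivebilan.org", "31.170.104.60"),
    ("ykezovaniri.vjivebilan.org", "31.170.104.60"),
    ("ifttirygema.vjivebilan.org", "31.170.104.60"),
    ("abpcyla.vjivebilan.org", "31.170.104.60"),
    ("ibijopy.vjivebilan.org", "31.170.104.60"),
    ("www.example.com", "93.184.216.34"),
    ("mail.example.com", "93.184.216.34"),
    ("cdn.example.com", "93.184.216.34"),
    ("update.example.net", "188.225.34.221"),  # benign-looking name, but a listed C2 IP
    ("ns1.example.org", "203.0.113.7"),
]


def registered_domain(fqdn):
    """Last two labels of the name. Assumption: no public suffix list, so names
    under suffixes like co.uk would be grouped more coarsely than they should be."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain_label(fqdn):
    """Everything left of the registered domain ('' for the apex name itself)."""
    name = fqdn.lower().rstrip(".")
    reg = registered_domain(name)
    return "" if name == reg else name[: -len(reg)].rstrip(".")


def find_subdomain_clusters(records, min_subdomains=5):
    """Group records by (registered domain, IP) and report every pair where at
    least min_subdomains distinct non-standard subdomains resolve to one IP."""
    clusters = defaultdict(set)
    for fqdn, ip in records:
        label = subdomain_label(fqdn)
        if not label or label in COMMON_LABELS:
            continue
        clusters[(registered_domain(fqdn), ip)].add(label)
    hits = []
    for (reg, ip), labels in sorted(clusters.items()):
        if len(labels) >= min_subdomains:
            hits.append({
                "registered_domain": reg,
                "ip": ip,
                "subdomain_count": len(labels),
                "subdomains": sorted(labels),
            })
    return hits


def match_iocs(records):
    """Names whose registered domain or resolved IP is on the thread's IoC lists.
    Matching on the IP as well catches a C2 host reached under a name not yet listed."""
    return sorted({fqdn for fqdn, ip in records
                   if registered_domain(fqdn) in C2_DOMAINS or ip in C2_IPS})


if __name__ == "__main__":
    for hit in find_subdomain_clusters(SAMPLE_RECORDS):
        print(f"{hit['registered_domain']} -> {hit['ip']}: "
              f"{hit['subdomain_count']} generated-looking subdomains")
    print("IoC matches:", match_iocs(SAMPLE_RECORDS))
```

The fan-out heuristic is deliberately separate from the IoC match: the hash, domain and IP lists above go stale as the actors rotate infrastructure, while a single registered domain sprouting a handful of random subdomains that all land on one IP is the structural behaviour the post reports and survives a change of hardcoded domain. Tune min_subdomains against your own resolver logs, and expect CDNs and hosting panels that hand out random customer hostnames to need an allowlist entry.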