by Joie Salvio and Rommel Joven  |  Nov 15, 2016  |  Filed in: Security Research

The US political season is over and a new President has been elected. This election has arguably been one of the most colorful (some might say entertaining) and controversial presidential election cycles in the country’s history. For cyber crooks, this has been just the right environment to target victims with their attacks and trolls.

In this post we take a look at some of the more notable US campaign-themed malware and scams. While some may induce false fears and a few laughs, others represent serious threats.

“Donald Trump Ransomware”

Although the author of this malware claims it is ransomware, that’s not entirely true - in its current version at least. Instead, it appears to be in the very early stages of development, because it doesn’t actually encrypt any files. It simply encodes the filenames with base64, and it can restore them without asking for any ransom, which defeats the very definition of ransom malware. Moreover, it only searches for files in a folder named “encrypt.”

So in its current state, it’s more of a half-baked scareware that was released just to make it in time for the campaign-themed malware bandwagon.

Fig.1 Screenshot of the “Donald Trump Ransomware” GUI

SHA 256: 4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4

Detection: MSIL/Drump.A!tr

“Donald Trump Anti-Virus PRO”

Malware, and even some grayware applications, are distributed for different reasons, mostly involving financial or espionage motivations. This application, however, strays from that tradition. It seems that its main motivation is simply to be absurdly funny. And to be honest, it got us real good.

Fig.2 Screenshot of the fake anti-virus  “scanning” the system

SHA 256: 212e4f0a5f37bcf8185b9247409d70cbfbbbbfe0bb58ca6c14c162af55e1b0b2

Detection: Riskware/FakeAV

“CIA Election AntiCheat Control” Scam

Compared to the previous entries, this application has a clear motivation. It’s a financial scam disguised as a notification from the CIA that lures voters to pay $50 to secure their votes. The transaction is made by purchasing a PaySafeCard and sending the code to the culprits. As usual, these sorts of scams are easy to detect, mostly because they are written so badly and don’t use normal American English conventions, such as placing the dollar sign after the dollar amount, like this – 4500$.

Fig.3 Fake election anti-cheat CIA notification

SHA 256: 7751d0be4c5a3d08b6b6f7ec23c69b01faf88e7d88339a3d6245bdf3d0e0e4b3

Detection: MSIL/Agent.OFU!tr

Nanocore RAT/Keylogger

This malware does not display any image of a candidate or any logo of a government department (not that it needs one), but it gets the point across. It displays a message box upon execution while taking control of the system by installing a RAT (remote access trojan) server component of NanoCore.

Fig.4 Message box after executing the malware

Fig.5 Readable strings found in the malware’s binary

SHA 256: 0e83527ebd67a39d8438a04f92e908a0e49d7f3f99f3914e4a02d66f81aab505

Detection: MSIL/Nanocore.ELK!tr

“Hillary Meme Generator” - Syslogger Keylogger

Creating meme images from famous personalities’ highest and lowest moments has become a thing in social media. It was almost inevitable that someone would create an application to speed up the process. So, it was also inevitable that someone would create malware disguised as a meme generator for then presidential candidate, Hillary Clinton.

Fig.6 Filename of the malware in VirusTotal

Upon execution, an untrained user may only see a fake angry message box, when in fact a server component of the Syslogger Keylogger malware is being installed in the background.

Fig.7 Fake message box upon execution

Fig.8 Strings from the malware’s process

SHA 256: 65fbcefd6c0674a8af46979ddd9ce992745b89b4e6ce18f08fc604a68a422ef4

Detection: MSIL/Syslogger.HLC!tr

Xtreme Keylogger

This last example uses a very similar deception technique, only with a different malware payload. This variant shows an image of Donald Trump with an overlay of text from one of his speeches. Meanwhile, hidden from the user’s view, Xtreme Keylogger is being installed.

Fig.9 Decoy image featuring Donald Trump

Fig.10 Strings relating it to XtremeKeylogger

SHA 256: 1c81ee9a559da957bb94dcc8135c96e3b259f137cccbb9090d40cf10067e8325

Detection: MSIL/Xtreme.AZFJ!tr

 

Another Trump Ransomware

Compared to the earlier variant of this attack described above, this variant truly encrypts files and asks for a ransom of $10. Both variants are currently live and in the wild.

Fig. 11 Updated Trump Ransomware screenshot

The encryption used by this ransomware is AES-128. It also replaces the original file name with a randomly generated one and appends the .TRUMP extension:

{RandomFileName}.TRUMP

Targeted system special folders:

Targeted extensions:

.rdp .png .3dm .3g2 .3gp .aaf .accdb .aep .aepx .aet .ai .aif .arw .as .as3 .asf .asp .asx .avi .bay .bmp .cdr .cer .class .cpp .cr2 .crt .crw .cs .csv .db .dbf .dcr .der .dng .doc .docb .docm .docx .dot .dotm .dotx .dwg .dxf .dxg .efx .eps .erf .fla .flv .idml .iff .indb .indd .indl .indt .inx .jar .java .jpeg .jpg .kdc .m3u .m3u8 .m4u .max .mdb .mdf .mef .mid .mov .mp3 .mp4 .mpa .mpeg .mpg .mrw .msg .nef .nrw .odb .odc .odm .odp .ods .odt .orf .p12 .p7b .p7c .pdb .pdf .pef .pem .pfx .php .plb .pmd .pot .potm .potx .ppam .ppj .pps .ppsm .ppsx .ppt .pptm .pptx .prel .prproj .ps .psd .pst .ptx .r3d .ra .raf .rar .raw .rb .rtf .rw2 .rwl .sdf .sldm .sldx .sql .sr2 .srf .srw .svg .swf .tif .vcf .vob .wav .wb2 .wma .wmv .wpd .wps .x3f .xla .xlam .xlk .ARIZ0NA.xll .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .xqx .zip .class.html .setup .dll .txt .ini .exe .jar .php .htm .bat .cmd .com .dos .pl .json .py .python .word

Clicking Decrypt Your PC after encryption appears to check whether the ransom has been paid. However, based on its code, it turns out that it doesn’t check anything. It just prompts the message box shown below, regardless of whether or not you have paid at the designated bitcoin address.

Though the ransomware does contain functions to decrypt the files and restore their original filenames, nothing in this sample ever calls them.

Our analysis is that although this variant is still in development, it has the potential to become a legitimately dangerous member of the ransomware family. We will continue to monitor it and provide updates should new versions be released.

Fig. 12 Message box prompted by clicking Decrypt Your PC
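The renaming behaviour described above (the original file disappears and a randomly named file with a .TRUMP extension appears in its place) is an artefact a defender can alert on from file-system audit events. The following is an added example, not code from the sample or from FortiGuard: it parses a constructed file-event log and flags a burst in which files with targeted extensions are deleted while .TRUMP files are created. The event format, the assumption that the random stem contains no dot, and the window and threshold values are assumptions for illustration.

```python
"""Detect the rename-to-.TRUMP artefact of the second Trump ransomware variant
in a stream of file-system events (added example; format and thresholds assumed)."""
import re
from datetime import datetime, timedelta

# Subset of the extensions the write-up lists as targeted.
TARGETED_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".jpg", ".jpeg",
    ".png", ".zip", ".rar", ".sql", ".txt", ".csv", ".mp3", ".mp4", ".psd",
}
RANSOM_EXTENSION = ".TRUMP"
# Assumption: the randomized stem contains no dot and no path separator.
RANSOM_NAME_RE = re.compile(r"^[^./\\]+\.TRUMP$")

# Constructed event log (not a real capture): "<ISO-8601 time> <DELETE|CREATE> <path>"
SAMPLE_EVENTS = """\
2016-11-22T10:00:01 CREATE C:\\Users\\alice\\Documents\\notes.txt
2016-11-22T10:00:05 DELETE C:\\Users\\alice\\Documents\\report.docx
2016-11-22T10:00:05 CREATE C:\\Users\\alice\\Documents\\Xk2j9Qp1.TRUMP
2016-11-22T10:00:06 DELETE C:\\Users\\alice\\Documents\\budget.xlsx
2016-11-22T10:00:06 CREATE C:\\Users\\alice\\Documents\\mN7vR4aZ.TRUMP
2016-11-22T10:00:07 DELETE C:\\Users\\alice\\Pictures\\holiday.jpg
2016-11-22T10:00:07 CREATE C:\\Users\\alice\\Pictures\\Q8wE3rT6.TRUMP
2016-11-22T10:00:08 DELETE C:\\Users\\alice\\Pictures\\family.png
2016-11-22T10:00:08 CREATE C:\\Users\\alice\\Pictures\\L1pO9iU5.TRUMP
2016-11-22T10:00:09 DELETE C:\\Users\\alice\\Documents\\archive.zip
2016-11-22T10:00:09 CREATE C:\\Users\\alice\\Documents\\zX4cV2bN.TRUMP
2016-11-22T10:05:00 DELETE C:\\Users\\alice\\Documents\\old.tmp
"""


def parse_events(text):
    """Turn the constructed log into (timestamp, kind, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, path = line.split(" ", 2)  # path may contain spaces
        events.append((datetime.fromisoformat(ts), kind, path))
    return events


def basename(path):
    return re.split(r"[\\/]", path)[-1]


def extension(path):
    """Lower-cased final extension, '' if the name has none."""
    name = basename(path)
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def is_ransom_artifact(path):
    """True for '<random stem>.TRUMP' names as described in the write-up."""
    return RANSOM_NAME_RE.match(basename(path)) is not None


def detect_trump_rename_burst(events, window_seconds=30, threshold=3):
    """Return (alert, details). Alert when some window of `window_seconds`
    holds at least `threshold` deletions of targeted files AND at least
    `threshold` .TRUMP creations: the pattern of a ransomware run."""
    events = sorted(events, key=lambda e: e[0])
    window = timedelta(seconds=window_seconds)
    best = {"deleted_targeted": 0, "trump_created": 0, "window_start": None}
    for i, (start, _, _) in enumerate(events):
        deleted = created = 0
        for ts, kind, path in events[i:]:
            if ts - start > window:
                break
            if kind == "DELETE" and extension(path) in TARGETED_EXTENSIONS:
                deleted += 1
            elif kind == "CREATE" and is_ransom_artifact(path):
                created += 1
        if min(deleted, created) > min(best["deleted_targeted"], best["trump_created"]):
            best = {"deleted_targeted": deleted, "trump_created": created,
                    "window_start": start}
    alert = (best["deleted_targeted"] >= threshold
             and best["trump_created"] >= threshold)
    return alert, best


if __name__ == "__main__":
    print(detect_trump_rename_burst(parse_events(SAMPLE_EVENTS)))
```

Requiring both halves of the pattern (targeted originals vanishing and .TRUMP files appearing) in the same window keeps a user who merely deletes a batch of documents from triggering the alert.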

 

Thanks to @threatfighter for the sample.

SHA 256: 99a64960cdb5c24c738f33b630d0f7366035f93a4a6b323f35473b41b152972e

Detection: MSIL/Drump.B!tr

Conclusion

In a social engineering scheme, the chance of infecting a target depends heavily on being able to trick the user into executing the malware. An effective way to do this is to use popular or interesting contexts, and over the past few months the US presidential campaign has unarguably been one of the most talked-about topics worldwide. As evidenced by this post, malware authors took advantage of this trending event.

This kind of modus operandi will continue, as it always has, and we will always be on the lookout for the next ones.

-= FortiGuard Lion Team =-

Updated as of November 22, 2016

IOC

 

SHA 256: 4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4

Detection: MSIL/Drump.A!tr

 

SHA 256: 212e4f0a5f37bcf8185b9247409d70cbfbbbbfe0bb58ca6c14c162af55e1b0b2

Detection: Riskware/FakeAV

 

SHA 256: 7751d0be4c5a3d08b6b6f7ec23c69b01faf88e7d88339a3d6245bdf3d0e0e4b3

Detection: MSIL/Agent.OFU!tr

 

SHA 256: 0e83527ebd67a39d8438a04f92e908a0e49d7f3f99f3914e4a02d66f81aab505

Detection: MSIL/Nanocore.ELK!tr

 

SHA 256: 65fbcefd6c0674a8af46979ddd9ce992745b89b4e6ce18f08fc604a68a422ef4

Detection: MSIL/Syslogger.HLC!tr

 

SHA 256: 1c81ee9a559da957bb94dcc8135c96e3b259f137cccbb9090d40cf10067e8325

Detection: MSIL/Xtreme.AZFJ!tr

 

SHA 256: 99a64960cdb5c24c738f33b630d0f7366035f93a4a6b323f35473b41b152972e

Detection: MSIL/Drump.B!tr
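One direct use of the hash list above is a file sweep: hash every file under a directory and report any whose SHA-256 matches an IOC, together with the detection name. The following is an added example, not FortiGuard tooling; it embeds the seven hashes from this post and, in its self-check, registers a constructed file as an extra (constructed) IOC so the sweep can be exercised offline without real malware.

```python
"""Sweep a directory tree for files whose SHA-256 matches the IOCs in this post
(added example; the self-check uses constructed files and a constructed IOC)."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 IOCs from the write-up, keyed to their FortiGuard detection names.
CAMPAIGN_MALWARE_IOCS = {
    "4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4": "MSIL/Drump.A!tr",
    "212e4f0a5f37bcf8185b9247409d70cbfbbbbfe0bb58ca6c14c162af55e1b0b2": "Riskware/FakeAV",
    "7751d0be4c5a3d08b6b6f7ec23c69b01faf88e7d88339a3d6245bdf3d0e0e4b3": "MSIL/Agent.OFU!tr",
    "0e83527ebd67a39d8438a04f92e908a0e49d7f3f99f3914e4a02d66f81aab505": "MSIL/Nanocore.ELK!tr",
    "65fbcefd6c0674a8af46979ddd9ce992745b89b4e6ce18f08fc604a68a422ef4": "MSIL/Syslogger.HLC!tr",
    "1c81ee9a559da957bb94dcc8135c96e3b259f137cccbb9090d40cf10067e8325": "MSIL/Xtreme.AZFJ!tr",
    "99a64960cdb5c24c738f33b630d0f7366035f93a4a6b323f35473b41b152972e": "MSIL/Drump.B!tr",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs=CAMPAIGN_MALWARE_IOCS):
    """Walk `root`, hash each regular file, return {path: detection_name} for matches."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
            if digest.lower() in iocs:
                hits[full] = iocs[digest.lower()]
    return hits


def demo():
    """Self-check on a temporary directory with constructed files: one file is added
    to the IOC set under its own hash (constructed IOC), the other is benign."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect = Path(tmp) / "HillaryMemeGenerator.exe"
        suspect.write_bytes(b"constructed sample, not real malware")
        (Path(tmp) / "notes.txt").write_text("benign content")
        iocs = dict(CAMPAIGN_MALWARE_IOCS)
        iocs[sha256_file(suspect)] = "Constructed/Test"
        return sweep(tmp, iocs)


if __name__ == "__main__":
    for path, detection in demo().items():
        print(f"{detection}\t{path}")
```

Hash matching only catches these exact samples; any recompiled build of the same code will hash differently, so the sweep complements, rather than replaces, the behavioural detections discussed above.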

 
