A lot of discussion is currently ongoing about the WannaCry or WCry ransomware. I’ll do my best not to retread that information. There are plenty of sources for hashes, onion domains, and various other atomic indicators to go around for everyone; a quick search in your favorite search engine, or a pass through Twitter, will turn up dozens. Securelist has a very nice write-up on the incident, and it’s a good jump start if you don’t have a lot of data on the subject. Regardless, this worm/ransomware is doing a number on institutions worldwide, as you can tell from the attack map provided by the folks at MalwareTech.
Let’s talk about a few things relating to threat intelligence and the WannaCry (WCry) ransomware.
VirusTotal (VT) is abuzz with files relating to this incident. It didn’t take long after the morning news spread before files of all types started sprouting on VT. In among the many encrypted files and the portable executable (PE) files that are the actual malware were some interesting RAR files that look to be the host containers for the malware and its assorted supporting files. Nothing is true without hashes or PCAPs, so let’s toss out some hashes:
I found this particular RAR file pretty interesting. It was large, weighing in at 6.7 MB. The snapshot above shows a listing of its contents (courtesy of VT). As you can see, not a lot of effort was spent trying to disguise it. It was even conveniently named “fmeiwywvhdwc876 – 複製.rar” (複製 is “copy”, the suffix a Traditional Chinese Windows locale appends when a file is duplicated). I found plenty of companion RAR files like “hqonbwnpwo887.rar”, nearly identical in contents though significantly larger (9.7 MB).
An interesting point: the file names followed a pattern, pretty much a string of random letters followed by a set of numbers, usually 2-3 digits long, based on the files reviewed. Of course, right after I was happily thinking it would stay in tune with that, I found a couple that followed a completely different pattern. That threw off my hopes of using the naming convention to hint at how the ransomware was being spread (bursts, waves, etc.).
Side Note: It can be tricky on VirusTotal to tell the in-the-wild (ITW) naming conventions from names assigned by a researcher or an automated program that uploaded the sample. Keep that in mind when using naming conventions as a research pivot. Some things are giveaways, like finding a RAR whose password is “infected”. Some are less obvious.
Here’s another archive, very similarly arranged (the snapshot is almost identical, so I opted not to include it):
It’s really not all that different: file name “byytwrsjrbxfg387.zip” and file size right at 6.7 MB.
Let’s get down to brass tacks. I’ve summarized my observations on the assorted files after some filtering. While the internal files are interesting, they are being covered in detail elsewhere; I’m more interested in the container and the delivery mechanism, since that gets at the tactic and procedure in play here.
- File sizes were sizable, roughly 2-15 MB.
- The naming convention held pretty steady: a random alphanumeric string of roughly 4-22 characters with a RAR, ZIP, GZIP, or 7z extension.
- The archives contained anywhere from a ton of files (like the 46 shown in the image above) down to as few as 1-3 files, as the snapshot below shows.
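To make that filtering repeatable, here is a small triage script, added here as an example (it is not the author’s tooling and does not use VT’s API). It takes the metadata fields VT shows for an archive and buckets each entry by whether it fits the observed naming convention, the 2-15 MB size window, and the password-“infected” researcher giveaway from the side note. The sample list is constructed: the three file names quoted above with the sizes given, plus three made-up entries that exercise the edge cases (a researcher upload, an off-pattern name, and a stem that is too long).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

MB = 1024 * 1024

# Envelope taken from the observations above: container size, archive types,
# and the random-letters-plus-2-3-digits naming convention.
SIZE_MIN, SIZE_MAX = 2 * MB, 15 * MB
ARCHIVE_EXTS = {"rar", "zip", "gz", "gzip", "7z"}

# Stem of random letters, 2-3 trailing digits, an optional " - <suffix>"
# (covers the " – 複製" copy suffix on one sample), then the extension.
NAME_RE = re.compile(
    r"^(?P<stem>[a-z]+)(?P<num>\d{2,3})(?:\s+[-–]\s+[^.]+)?\.(?P<ext>[a-z0-9]+)$",
    re.IGNORECASE,
)


@dataclass
class Sample:
    """One VT listing. Metadata only; nothing is opened or executed."""
    name: str
    size: int                       # bytes
    file_count: int                 # entries in VT's archive listing
    password: Optional[str] = None  # archive password if the submitter noted one


def name_matches(name: str) -> bool:
    """True if the name fits the observed convention, including the 4-22 length."""
    m = NAME_RE.match(name)
    if not m:
        return False
    core = m.group("stem") + m.group("num")
    return 4 <= len(core) <= 22 and m.group("ext").lower() in ARCHIVE_EXTS


def triage(s: Sample) -> str:
    """Bucket a sample as researcher-upload, container-candidate, or review."""
    # A password of "infected" is the classic researcher/sandbox giveaway from
    # the side note; its name is not in-the-wild naming, so skip it.
    if s.password is not None and s.password.lower() == "infected":
        return "researcher-upload"
    in_window = SIZE_MIN <= s.size <= SIZE_MAX
    if name_matches(s.name) and in_window and s.file_count >= 1:
        return "container-candidate"
    return "review"


def triage_all(samples: List[Sample]) -> List[str]:
    return [triage(s) for s in samples]


# Constructed listing: the three names and sizes quoted in the post, plus three
# made-up entries (assumption) for the edge cases.
SAMPLES = [
    Sample("fmeiwywvhdwc876 – 複製.rar", int(6.7 * MB), 46),
    Sample("hqonbwnpwo887.rar", int(9.7 * MB), 46),
    Sample("byytwrsjrbxfg387.zip", int(6.7 * MB), 3),
    Sample("wcry_sample.rar", 3 * MB, 1, password="infected"),  # constructed
    Sample("invoice_2017-05.zip", 120 * 1024, 1),               # constructed
    Sample("qwertyuiopasdfghjklzxcvbnm12.rar", 5 * MB, 5),      # constructed, 28-char core
]

if __name__ == "__main__":
    for s, verdict in zip(SAMPLES, triage_all(SAMPLES)):
        print(f"{verdict:20} {s.size / MB:5.1f} MB  {s.file_count:3} files  {s.name}")
```

Feed it whatever export you pull from VT (name, size, entry count, noted password) and the “review” bucket is where the off-pattern names the post mentions will land, so you can look at them by hand rather than lose them.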
Let’s do some quick elimination first.
This type of file delivery is unlikely to be via drive-by download. I’m not going to completely rule it out, but I’d put it toward the bottom of the probability list. Here’s the logic:
- The attacks are very widespread; drive-by attacks are usually more selective and localized.
- Archived containers seem to be the standard in the delivery. I’ve also seen PDFs and Word documents noted by others, but those are typically decoys dropped by the downloader rather than the actual delivery mechanism.
- Timing of the attacks. The morning attacks were followed by waves of reporting as entities were hit by this malware in succeeding hours. While I’ve not finished a solid timeline, it looks like a classic wave attack with short burst cycles of infection.
Let’s consider phishing with an attachment for a second. Again, I’d say unlikely, mainly because of the file sizes; it’s tough to get attachments of that size consistently into so many different environments. However, an attachment with a good call to action, or one containing a link, would definitely get a foot in the door.
Phishing itself, though, does make sense as a likely attack vector. Old methods are still the best methods, and a link or instructions in a call to action within a phish is a high-confidence match to this type of attack. To bring down a file of the sizes observed, it’s most likely a cloud phishing tactic: a link to an archive hosted on a file-sharing service. Here are some thoughts on why:
- The call to action would explain why a user might download an archive (RAR, ZIP, 7z), especially one of the noted sizes. The link could also pull down a small file that in turn leads to the archive download.
- A link to the archive wouldn’t necessarily stand out as malicious. Hosting it on Dropbox or Google Docs means detection falls on the user rather than perimeter security, since the perimeter sees only a request to a reputable sharing domain. Unless blocked by topic, even a passably crafted cloud phishing email would get past email sensors.
- Even if the email was converted to plaintext and the links stripped, a plaintext copy of the URL would still be valid and would work when pasted into a browser.
- Failing all else, a deceptive instruction-based call to action could walk a victim through downloading the archive, extracting it, and running the contents (no self-extracting archives were noted in my reviews, so the user has to do the extraction step).
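The same reasoning can be turned into a mail-side check. The script below is an added example (not the author’s code or any vendor’s rule) that scores a plaintext message body the way the bullets above argue: links to Dropbox or Google sharing hosts that resolve to an archive count most, archive links elsewhere count less, and call-to-action phrases add to the score. The URL pattern accepts links with no scheme, so the stripped-to-plaintext case is caught too. The host list, the call-to-action phrases, the scoring weights, and the four message bodies are my assumptions and constructed samples, not observed phish; the archive names in them reuse the ones quoted in the post.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Sharing hosts the post names (Dropbox, Google Docs) plus their direct-download
# hostnames. Assumption: this list is mine; tune it to what your users actually use.
CLOUD_HOSTS = {
    "dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com",
    "drive.google.com", "docs.google.com",
}
ARCHIVE_EXT_RE = re.compile(r"\.(?:rar|zip|gz|7z)$", re.IGNORECASE)
# Forced-download query strings: Dropbox's ?dl=1 and Drive's uc?export=download.
FORCED_DOWNLOAD = ("dl=1", "export=download")

# Scheme is optional so a link that survived only as bare text (the "converted
# to plaintext and stripped" case) is still found.
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>\"']*)?", re.IGNORECASE
)

# Call-to-action phrases of the kind the post describes (constructed list).
CALL_TO_ACTION = ("download", "open the file", "click", "immediately", "urgent")


def extract_urls(text: str) -> List[str]:
    urls = []
    for m in URL_RE.finditer(text):
        u = m.group(0).rstrip(".,;:)")
        if not u.lower().startswith("http"):
            u = "http://" + u  # normalise bare text so urlparse can split it
        urls.append(u)
    return urls


def is_archive_link(url: str) -> bool:
    p = urlparse(url)
    return bool(ARCHIVE_EXT_RE.search(p.path)) or any(f in p.query for f in FORCED_DOWNLOAD)


def is_cloud_host(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return host in CLOUD_HOSTS


def score_email(body: str) -> Dict[str, object]:
    """Score one plaintext body: 3 per cloud-hosted archive link, 1 per other
    archive link, 1 per call-to-action phrase. 3 or more flags a candidate."""
    urls = extract_urls(body)
    cloud_archives = [u for u in urls if is_cloud_host(u) and is_archive_link(u)]
    other_archives = [u for u in urls if is_archive_link(u) and u not in cloud_archives]
    lowered = body.lower()
    cta = [p for p in CALL_TO_ACTION if p in lowered]
    score = 3 * len(cloud_archives) + len(other_archives) + len(cta)
    return {
        "score": score,
        "verdict": "phish-candidate" if score >= 3 else "low",
        "cloud_archives": cloud_archives,
        "cta": cta,
    }


# Constructed message bodies (assumption); not real phish.
EMAILS = {
    "html_link": "Please download the updated records here: "
                 "https://www.dropbox.com/s/ab12cd/hqonbwnpwo887.rar?dl=1 and open immediately.",
    "stripped":  "Your file is ready: dropbox.com/s/ab12cd/fmeiwywvhdwc876.rar",
    "gdoc":      "Meeting notes are at https://docs.google.com/document/d/xyz/edit",
    "self_host": "Please review the quarterly report at https://example.com/report.zip",
}

if __name__ == "__main__":
    for label, body in EMAILS.items():
        r = score_email(body)
        print(f"{label:10} score={r['score']} {r['verdict']} {r['cloud_archives']}")
```

The threshold of 3 is deliberate: a single cloud-hosted archive link flags on its own, while an ordinary Google Docs link or a self-hosted ZIP does not, which matches the post’s argument that the sharing host is what lets the link slip past perimeter checks.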
So my vote is on cloud phishing or deception phishing as the vector that will bubble to the surface for this attack. How it spreads (MS17-010) and what it is (WCry ransomware) look well established. The attack vector? Undetermined. My money is on cloud phishing, but until mail or proxy logs from an index case surface, treat it as a hypothesis to test against your own telemetry rather than an indicator to act on.