Threat actors are increasingly using fake Microsoft and Google software updaters to attempt to infiltrate malware onto target systems.
The latest example is “HavanaCrypt”, a new ransomware tool that Trend Micro researchers recently discovered in the wild disguised as a Google Software Update application. The malware’s command and control (C2) server is hosted on a Microsoft web hosting IP address, which is quite rare for ransomware, according to Trend Micro.
The researchers also highlight HavanaCrypt’s multiple techniques for checking whether it is running in a virtual environment, its use of code from the open source KeePass Password Safe password manager during encryption, and its use of a .NET function called “QueueUserWorkItem” to speed up encryption. Trend Micro notes that the malware is probably still a work in progress, as it does not drop a ransom note on infected systems.
HavanaCrypt is one of a growing number of ransomware tools and other malware that have been distributed in recent months as fake updates for Windows 10, Microsoft Exchange, and Google Chrome. In May, security researchers spotted ransomware dubbed “Magniber” doing the rounds disguised as Windows 10 updates. Earlier this year, Malwarebytes researchers observed operators of the Magnitude exploit kit trying to trick users into downloading it by disguising the malware as a Microsoft Edge Update.
As Malwarebytes noted at the time, fake Flash updates were an integral part of web-based malware campaigns until Adobe finally abandoned the technology due to security concerns. Since then, attackers have been using fake versions of other frequently updated software products in an attempt to trick users into downloading their malware, with browsers being one of the most commonly abused.
Creating fake software updates is trivial for attackers, so they tend to use them to distribute all classes of malware, including ransomware, infostealers and Trojans, says an analyst at Intel 471 who requested anonymity. “A non-technical user might be fooled by such techniques, but SOC analysts or incident responders are unlikely to be fooled,” the analyst says.
Security experts have long noted the need for organizations to implement multi-layered defenses against ransomware and other threats. This includes endpoint detection and response controls, user and entity behavior monitoring, network segmentation to contain damage and limit lateral movement, encryption, and strong identity and access control, including multi-factor authentication.
Since adversaries often target end users, it is also essential that organizations have strong practices in place to educate users about the risks of phishing and social engineering scams designed to trick them into downloading malware or following links to credential-harvesting sites.
How HavanaCrypt works
HavanaCrypt is .NET malware that uses an open source tool called Obfuscar to obfuscate its code. Once deployed on a system, HavanaCrypt first checks whether a “GoogleUpdate” registry entry is present and only continues its routine if the malware determines that it is not.
The malware then goes through a four-step process to determine whether the infected machine is running in a virtualized environment. First, it checks the system for services such as VMware Tools and vmmouse that virtual machines typically use. Next, it searches for files related to virtualization applications, and then checks for specific filenames used in virtual environments. Finally, it compares the infected system’s MAC address with the unique identifier prefixes typically assigned to virtual machine network adapters. If any of the checks show the infected machine is in a virtual environment, the malware terminates on its own, Trend Micro said.
After HavanaCrypt determines that it is not running in a virtual environment, the malware fetches and runs a batch file from a C2 server hosted on a legitimate Microsoft web hosting service. The batch file contains commands to configure Windows Defender to allow detected threats. The malware also stops a long list of processes, many of which are related to database applications such as SQL and MySQL or desktop applications such as Microsoft Office.
HavanaCrypt’s next steps include deleting shadow copies on infected systems, removing data restoration features, and collecting system information such as the number of system processors, processor type, product number, and the BIOS version. The malware uses the QueueUserWorkItem function and KeePass Password Safe code as part of the encryption process.
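The Defender reconfiguration, process termination and shadow-copy deletion described in the two preceding paragraphs are the stage at which endpoint telemetry gives defenders a clean detection opportunity. The following is an added example written for this article, not code from Trend Micro or from the HavanaCrypt sample: it runs three behavioural rules over constructed Sysmon-style process-creation records. The article does not publish the malware’s actual batch file, so the commands the rules match (`Set-MpPreference` threat actions set to `Allow`, `vssadmin`/`wmic` shadow-copy deletion, `bcdedit` recovery changes) are assumed to be representative of the behaviours described, not the sample’s literal commands.

```python
"""Behavioural rules for the Defender-tampering and recovery-removal stage.

Added example, not the page's or Trend Micro's code. The event records are
constructed to resemble Sysmon Event ID 1 (process creation) command lines;
the exact commands matched are assumptions about what "configure Windows
Defender to allow detected threats", "delete shadow copies" and "remove
data restoration features" look like on the wire.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    note: str


RULES = (
    # Set-MpPreference threat actions are a real Defender cmdlet; 6 == Allow.
    Rule("defender_allow_threats",
         re.compile(r"Set-MpPreference\b.*?\b(Severe|High|Moderate|Low)"
                    r"ThreatDefaultAction\s+(Allow|6)\b", re.I),
         "Defender told to allow rather than quarantine detected threats"),
    Rule("shadow_copy_delete",
         re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows"
                    r"|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
         "Volume Shadow Copies removed"),
    Rule("recovery_disable",
         re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                    r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
         "Windows recovery / automatic repair disabled"),
)

# Constructed sample telemetry: one benign process plus the three behaviours.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4121, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Set-MpPreference -SevereThreatDefaultAction Allow "
                "-HighThreatDefaultAction Allow"},
    {"pid": 4122, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 4123, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'},
]


@dataclass(frozen=True)
class Match:
    pid: int
    rule: str
    cmdline: str


def match_events(events):
    """Return one Match per (event, rule) pair whose command line hits a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule.pattern.search(ev["cmdline"]):
                hits.append(Match(ev["pid"], rule.name, ev["cmdline"]))
    return hits


def triage(events, threshold=2):
    """Escalate when several distinct precursor behaviours occur together.

    A single shadow-copy deletion has legitimate admin uses; two or more of
    these behaviours in one window is the pre-encryption pattern described
    in the article and warrants an immediate response.
    """
    distinct = {m.rule for m in match_events(events)}
    if len(distinct) >= threshold:
        return "likely-ransomware-precursor"
    if distinct:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    for m in match_events(SAMPLE_EVENTS):
        print(f"pid={m.pid} rule={m.rule}: {m.cmdline}")
    print("verdict:", triage(SAMPLE_EVENTS))
```

The correlation in `triage` matters more than any single regex: each command has a benign administrative use, so alerting on the combination (and on its timing, shortly after a freshly downloaded “updater” starts) keeps false positives down while still catching the sequence before encryption begins.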
“QueueUserWorkItem is a standard technique for creating thread pools,” says the Intel 471 analyst. “Using thread pools will speed up file encryption on the victim machine.”
With KeePass, the ransomware author copied the password manager tool code and used this code in his ransomware project. “The copied code is used to generate pseudo-random encryption keys,” the analyst notes. “If encryption keys were generated in a predictable and reproducible way, then it would be possible for malware researchers to develop decryption tools.”
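The analyst’s last point is what decryptor development actually hinges on, and it is worth seeing concretely. The example below is added here and is neither the HavanaCrypt code nor the KeePass code it borrows: it uses a toy SHA-256 counter-mode keystream (an assumption for illustration only) and contrasts a hypothetical key generator whose only entropy is a second-granularity timestamp with one that draws 256 bits from the OS CSPRNG. A researcher who knows a known-plaintext header (such as a file magic) and roughly when infection happened can brute-force the predictable seed in under a second; against the CSPRNG key the same search finds nothing.

```python
"""Predictable vs. unpredictable key generation, from the decryptor author's seat.

Added example, not the malware's or KeePass's code. The cipher is a toy
counter-mode keystream built from SHA-256 and is an assumption for
illustration; the weak generator is hypothetical.
"""
import hashlib
import secrets
from typing import Iterable, Optional


def keystream(key: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256(key || 64-bit counter), concatenated.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


decrypt = encrypt  # XOR with a keystream is its own inverse


def weak_key(seed: int) -> bytes:
    # Hypothetical predictable generator: all entropy comes from the seed,
    # e.g. a Unix timestamp, so the effective key space is the seed window.
    return hashlib.sha256(b"weak-prng" + seed.to_bytes(8, "big")).digest()


def strong_key() -> bytes:
    # OS CSPRNG: 256 bits of entropy and no seed for anyone to reconstruct.
    return secrets.token_bytes(32)


def recover_seed(ciphertext: bytes, known_prefix: bytes,
                 candidates: Iterable[int]) -> Optional[int]:
    # Decryptor logic: try each plausible seed and keep the one whose key
    # turns the ciphertext header back into the known plaintext header.
    head = ciphertext[:len(known_prefix)]
    for seed in candidates:
        if decrypt(weak_key(seed), head) == known_prefix:
            return seed
    return None


# Constructed scenario: infection at a known time, give or take a day.
INFECTION_TIME = 1_657_000_000
WINDOW = 86_400
SAMPLE_PLAINTEXT = b"%PDF-1.7 constructed sample document"
KNOWN_HEADER = b"%PDF-1.7"


def demo_weak():
    """Return (recovered seed, recovered plaintext) for the predictable generator."""
    ct = encrypt(weak_key(INFECTION_TIME), SAMPLE_PLAINTEXT)
    seed = recover_seed(ct, KNOWN_HEADER,
                        range(INFECTION_TIME - WINDOW, INFECTION_TIME + WINDOW))
    return seed, (decrypt(weak_key(seed), ct) if seed is not None else None)


def demo_strong():
    """Same search against a CSPRNG key: there is no seed to find."""
    ct = encrypt(strong_key(), SAMPLE_PLAINTEXT)
    return recover_seed(ct, KNOWN_HEADER,
                        range(INFECTION_TIME - WINDOW, INFECTION_TIME + WINDOW))


if __name__ == "__main__":
    seed, pt = demo_weak()
    print("weak generator: seed", seed, "->", pt)
    print("strong generator:", demo_strong())
```

The search space is the whole story: a two-day window at one-second granularity is about 2^17.4 candidates, which a laptop exhausts in well under a second, whereas a 256-bit random key offers no window to search at all. That asymmetry is why researchers scrutinise exactly how a ransomware family seeds its key generation before deciding whether a free decryptor is feasible.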
The attacker’s use of a Microsoft hosting service for the C2 server highlights the broader tendency of attackers to cloak malicious infrastructure in legitimate services to evade detection. “There are a lot of problems housed in cloud environments today, whether it’s Amazon, Google or Microsoft and many others,” says John Bambenek, principal threat hunter at Netenrich. “The highly transient nature of environments makes reputation systems unnecessary.”