09/02/2016
17:38

Fake DHL invoice delivers a new TeslaCrypt 3.0 variant!


This TeslaCrypt 3.0 variant, like the older ones, encrypts files and renames them with ".micro" extension, and demands a ransom.

Starting from 8 February 2016, TG Soft's Research Centre (C.R.A.M.) has recorded a new wave of infected emails carrying a TeslaCrypt 3.0 variant. These emails imitate DHL invoices.
The user is invited to download and open the attachment. Doing so starts the encryption of local and shared data.

INDEX

==> How TeslaCrypt 3.0 works
 
==> The ransom demanded by TeslaCrypt 3.0

==> How to stay safe from TeslaCrypt 3.0

==> How to contain TeslaCrypt 3.0 encryption damage

==> Is it possible to decrypt .micro files?

==> Final thoughts

Screenshot caption: this encryption is due to a TeslaCrypt 3.0 attack. Encrypted files are renamed with the .micro extension and a ransom is demanded for their decryption. Your PC is being attacked by a cryptomalware.


How TeslaCrypt 3.0 works

This wave of fake DHL invoices uses one of the following subjects:
  • DHL DeliverNow Notification Card on lost shipment (First Notice)
  • DHL DeliverNow Notification Card on lost shipment (Second Notice)
 
The attachment is a .zip archive contained in another .zip archive; the inner archive holds a JavaScript file named INVOICE_SCAN_<random>.XLS.js or INVOICE_SCAN_<random>.DOC.js.

Attachment structure:
DHL_Notification_card.zip → FILE.ZIP → INVOICE_SCAN_<random>.XLS.js
 
The JavaScript file names follow a pattern similar to the following:
 
  • invoice_scan_GGpV4k.xls.js
  • invoice_GWJfQG.doc.js
 
The size of DHL_Notification_card.zip is about 2 KB.
The size of the JavaScript file is about 5 KB (5,010 bytes).
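A mail gateway or analyst can triage attachments of this shape before anyone opens them. The following is an added example, not TG Soft's code: it walks a zip-inside-a-zip (with a depth and size cap so a nested archive cannot be used to exhaust the scanner) and flags any member whose name is a script wearing a document-style double extension, as in the INVOICE_SCAN_<random>.XLS.js pattern above. The sample archive is constructed in memory and its script body is an inert placeholder; the set of document and script extensions in the regular expression is an assumption that goes slightly beyond the two seen in this campaign.

```python
import io
import re
import zipfile

# Script files wearing a document-style extension in front of the real one
# (INVOICE_SCAN_<random>.XLS.js, invoice_<random>.doc.js). The extension list is
# an assumption that covers a few more combinations than this campaign used.
DOUBLE_EXT_SCRIPT = re.compile(
    r"\.(xls|xlsx|doc|docx|pdf)\.(js|jse|vbs|wsf)$", re.IGNORECASE)

MAX_DEPTH = 3                # stop descending into zips-inside-zips beyond this
MAX_MEMBER_BYTES = 50 << 20  # refuse to inflate a member larger than 50 MiB


def walk_zip(data, depth=0, prefix=""):
    """Yield (path, size) for every non-archive member, recursing into nested zips."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{prefix}/{info.filename}" if prefix else info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                yield path, info.file_size   # report it, but do not inflate it
                continue
            content = zf.read(info)
            if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(content)):
                yield from walk_zip(content, depth + 1, path)
            else:
                yield path, len(content)


def triage_attachment(data):
    """Return one finding per member whose file name matches the double-extension pattern."""
    findings = []
    for path, size in walk_zip(data):
        name = path.rsplit("/", 1)[-1]
        if DOUBLE_EXT_SCRIPT.search(name):
            findings.append({"path": path, "size": size,
                             "reason": "script with document-style double extension"})
    return findings


def build_sample(inner_name="INVOICE_SCAN_GGpV4k.XLS.js"):
    """Constructed attachment mirroring DHL_Notification_card.zip -> FILE.ZIP -> <script>.
    The member content is an inert placeholder, not the real downloader."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(inner_name, "// constructed placeholder content\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("FILE.ZIP", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in triage_attachment(build_sample()):
        print(finding)
```

The check is on the file name only, which is cheap and catches this campaign; it deliberately does not execute or parse the script. Pair it with a gateway rule that quarantines scripts inside archives altogether if your users have no business receiving them.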

When the JavaScript file is executed, it downloads the file 26.exe (from blixzbauta.com or gutentagmeixliebeff.com), which carries the TeslaCrypt malware. This file is saved under a random numeric name (e.g. 2097152.exe) in the user's temporary folder (%TEMP%) and run; it then copies itself under a random name into the user's Application Data folder and registers that copy in the Windows Registry so that it runs automatically:
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[dsfgsdf-67597869] = %user profile%\Application Data\xluuvys.exe
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[dsfgsdf-67597869] = %user profile%\Application Data\xluuvys.exe
 
Files are then encrypted and renamed with the .micro extension.
 
Filename: 2097152.exe
MD5: 6AED2D44887D40D3683DE406D56A3BA9
Size: 439,296 bytes
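The two Run entries above have two properties a defender can look for on any Windows host: the autorun executable sits directly in the user's Application Data folder (no vendor subfolder), and the same value name and path appear in both the HKLM and HKCU Run keys. The following is an added example, not TG Soft's code, that applies both checks to an exported set of Run keys. The key export is constructed sample data modelled on the bulletin's entries, and the two benign entries (an "ExampleVendor" agent and sync client) are invented for contrast; on a live system you would feed it the output of a registry export rather than this literal.

```python
import re

# Constructed export of both Run keys, modelled on the entries in this bulletin.
# The two ExampleVendor entries are invented benign autoruns for contrast.
SAMPLE_RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "dsfgsdf-67597869": r"%USERPROFILE%\Application Data\xluuvys.exe",
        "SecurityAgent": r'"C:\Program Files\ExampleVendor\agent.exe" /tray',
    },
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "dsfgsdf-67597869": r"%USERPROFILE%\Application Data\xluuvys.exe",
        "SyncClient": r"C:\Users\user\AppData\Local\ExampleVendor\sync.exe /background",
    },
}

# An .exe placed directly in the profile's "Application Data" (XP) or
# "AppData\Roaming" (Vista and later) folder, with no vendor subfolder.
DROPPED_IN_PROFILE = re.compile(
    r"\\(application data|appdata\\roaming)\\[^\\]+\.exe$", re.IGNORECASE)


def extract_exe_path(command):
    """Strip surrounding quotes and trailing arguments, keeping the path up to .exe."""
    cmd = command.strip().strip('"')
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def suspicious_run_entries(run_keys):
    """Return findings for autoruns dropped in the profile folder or duplicated across hives."""
    findings = []
    seen = {}   # (value name, lowercased path) -> list of keys it appears in
    for key, values in run_keys.items():
        for name, command in values.items():
            exe = extract_exe_path(command)
            if DROPPED_IN_PROFILE.search(exe):
                findings.append({"key": key, "value": name, "path": exe,
                                 "reason": "executable dropped directly in the user's Application Data folder"})
            seen.setdefault((name, exe.lower()), []).append(key)
    for (name, exe), keys in seen.items():
        if len(keys) > 1:
            findings.append({"key": " and ".join(keys), "value": name, "path": exe,
                             "reason": "same autorun value present in both HKLM and HKCU"})
    return findings


if __name__ == "__main__":
    for finding in suspicious_run_entries(SAMPLE_RUN_KEYS):
        print(finding["reason"], "->", finding["value"], finding["path"])
```

Legitimate software almost always installs into Program Files or a vendor-named subfolder, so an executable directly under Application Data is a strong signal on its own; the HKLM/HKCU duplication is a second, independent one. Neither check depends on the random value name, which changes from sample to sample.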



The ransom demanded by TeslaCrypt 3.0

TeslaCrypt 3.0 demands a ransom to decrypt the data: the equivalent of 500 USD in Bitcoin for every key. This means that if the user reboots the computer n times, files are encrypted with n+1 different keys, so the amount that would have to be paid to decrypt all files is 500*(n+1). For example: 2 reboots, 3 keys → 3*500 = 1,500 USD in BTC.

How to stay safe from TeslaCrypt 3.0

One should never forget that links and email attachments can hide viruses and other malware. This rule applies to emails from unknown addresses, but also to apparently familiar senders from whom an email with an attachment (such as an invoice) was not expected. Vir.IT eXplorer PRO users have a great chance to save all their data from encryption!

It was stated in our previous bulletins that Vir.IT eXplorer PRO's Anti-CryptoMalware module was able to stop these attacks saving up to 99.63% of files, allowing a complete recovery of encrypted files thanks to backup technologies, namely:
  • On-The-Fly Backup;
  • Vir.IT BackUp.

This only occurs if Vir.IT eXplorer PRO is:

  • correctly INSTALLED;
  • UP-TO-DATE;
  • properly CONFIGURED - Anti-Crypto Malware technology has to be active in the Settings tab of Vir.IT Security Monitor (it is active by default); plus Vir.IT BackUp has to be configured and running.


Starting with version 8.0.98, Vir.IT eXplorer PRO can "snatch" the TeslaCrypt 3.0 encryption key on the fly in the early stages of the attack, making decryption feasible with the assistance of TG Soft's tech support.
Remember: every time the malware is executed, a new encryption key is used. This means that every time the computer is rebooted while the malware is still active, TeslaCrypt will use a different key (n reboots → n+1 different keys).


How to contain TeslaCrypt 3.0 encryption damage

Since a new key is created every time the malware is executed, which only happens when the computer is rebooted, the computer should stay turned on in order to keep the number of keys to a minimum, and qualified tech support (such as TG Soft's) should be contacted immediately.

When the Alert shown in the picture pops up on the screen, Vir.IT eXplorer PRO's Anti-CryptoMalware module has come into action, halting the malware. Do not panic and perform these operations:

  1. Make sure that Vir.IT eXplorer PRO is UP-TO-DATE;
  2. UNPLUG ETHERNET and/or EVERY NETWORK CABLE - by doing this, the computer is physically isolated from the network, containing the attack to a single machine;
  3. PERFORM a FULL SCAN using Vir.IT eXplorer PRO;
  4. DO NOT REBOOT OR TURN OFF THE COMPUTER, in order to avoid further encryption, as stated above;
  5. In case of a cryptomalware attack, get in touch with Vir.IT eXplorer PRO's Tech Support as soon as possible. You can write an email to assistenza@viritpro.com, or call +39 049 631748 - +39 049 632750, Mon-Fri 8:30-12:30 and 14:30-18:30.

 

Anti-Crypto Malware protection screenshot
 

99.63%* - mean percentage of files protected from encryption thanks to Vir.IT eXplorer PRO


Is it possible to decrypt .micro files?

Yes, if Vir.IT eXplorer PRO was correctly set up before the attack and it snatched encryption keys.

Final thoughts

We invite you to be very careful when opening email attachments. If you are not expecting a parcel, you really shouldn't open emails like the one we analyzed.
Always double-check the sender's email address (not just the sender's display name) before opening an attachment: in our sample email there is a mismatch between the name and the address:

SENDER:
DHL DeliverNow Network ljjzwctwhs@kabulwala.com



Note that the email address is completely random and is not related to DHL. The same applies to other fake invoices.
The email address is fake
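The display-name versus address mismatch described above is mechanical enough to check automatically on incoming mail. The following is an added example, not TG Soft's code: it parses a From header with the standard library, and when the display name names a brand, verifies that the address domain belongs to that brand. The brand-to-domain allow-list is a constructed illustration (the DHL domains listed are an assumption), the sample header is rebuilt from the bulletin's sender in the usual angle-bracket form, and the other two headers are invented for contrast.

```python
import re
from email.utils import parseaddr

# Brands that appear in display names, with the domains they are expected to send
# from. Constructed allow-list for illustration; the DHL domains are an assumption.
BRAND_DOMAINS = {
    "dhl": ("dhl.com", "dhl.de"),
}

# Constructed header in the form seen in the sample email (angle brackets assumed).
SAMPLE_FROM = "DHL DeliverNow Network <ljjzwctwhs@kabulwala.com>"


def sender_domain(address):
    """Return the lowercased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def display_name_mismatch(from_header):
    """Return a finding when the display name claims a brand but the address does
    not belong to one of that brand's domains; None when there is no mismatch."""
    display, address = parseaddr(from_header)
    domain = sender_domain(address)
    for brand, domains in BRAND_DOMAINS.items():
        # whole-word match so "dhl" is not found inside an unrelated name
        if re.search(r"\b" + re.escape(brand) + r"\b", display.lower()):
            if not any(domain == d or domain.endswith("." + d) for d in domains):
                return {"brand": brand, "display_name": display,
                        "address": address, "domain": domain}
    return None


if __name__ == "__main__":
    print(display_name_mismatch(SAMPLE_FROM))
```

This check only covers the brand names you list, so keep the allow-list to the couriers and suppliers your organisation actually deals with; a generic catch-all would produce more noise than value.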

If you opened an infected attachment and an encryption started to take place, you could either:
  1. have Vir.IT eXplorer PRO installed, correctly set up, up-to-date and running on your PC - in this case, follow the instructions on the Alert message and you will manage to save AT LEAST 99.63% of your data;
  2. have an antivirus that does not detect, signal and halt the ongoing encryption - in this case you still may want to:
    • UNPLUG EVERY NETWORK CABLE;
    • LEAVE YOUR COMPUTER TURNED ON and do not reboot it - every time the computer is rebooted while the malware is still active, a new encryption key is used and the ransom demanded increases (note that paying the ransom does not guarantee decryption and is therefore strongly discouraged).
Either way, remain calm and do not panic.


TG Soft
Public relations
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”
