After several months of silence, the author of Petya is back with a brand new version, Goldeneye 4.0.
Last week, starting from the 6th of December, a spam campaign hit Germany spreading this version of Goldeneye and Petya through e-mails.
The spam campaign was confirmed by Janus, the creator of Petya Goldeneye, on the 7th of December through a tweet:
The C.R.A.M. (Center of Research and Analysis of Malware) of TG Soft has analysed this new variant in order to establish the differences from previous releases.
CONTENTS
==> How Petya Goldeneye spreads
==> Running Goldeneye: Mischa ransomware
==> Running Goldeneye: Petya ransomware phase 1
==> Running Goldeneye: Petya ransomware phase 2
==> Running Goldeneye: Petya ransomware phase 3 ransom request
==> The ransom requested by Petya Goldeneye
The new variant of Petya Goldeneye spreads through e-mails. The spam campaign observed from the 6th of December mainly hit the German market and, as in all previous cases, the e-mail still revolves around a job application. In this case the e-mail was an application for a position in the production of optoelectronic devices.
The subject of the e-mail takes a form similar to:
Bewerbung als Facharbeiter für die Fertigung optoelektronischer Bauteile
(Application as a skilled worker for the production of optoelectronic components)
The body of the e-mail (German original, followed by an English translation):
Sehr geehrte Damen und Herren,
hiermit bewerbe ich mich bei Ihnen für die die Stelle als Facharbeiter für die Fertigung optoelektronischer Bauteile. Meine vollständigen Bewerbungsunterlagen können Sie dem Anhang entnehmen.
Ich freue mich auf Ihre Rückmeldung und stehe Ihnen bei Rückfragen jederzeit gerne zur Verfügung.
Mit freundlichem Gruß
Translation: Dear Sir or Madam, I hereby apply to you for the position of skilled worker in the production of optoelectronic components. You will find my complete application documents in the attachment. I look forward to your reply and am happy to answer any questions at any time. Kind regards
You became victim of the GOLDENEYE RANSOMWARE!
The files on your computer have been encrypted with an military grade encryption algorithm. There is no way
to restore your data without a special key. You can purchase this key on the darknet page shown in step 2.
To purchase your key and restore your data, please follow these three easy steps:
1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for
"access onion page".
2. Visit one of the following pages with the Tor Browser:
3. Enter your personal decryption code there:
Sector 0 (the MBR) is infected by the Petya loader code and, as the following image shows, this code is 147 bytes long.
Sectors 1 through 0x20 contain the viral code of Petya.
Sector 0x21, during the first phase, is filled entirely with the byte 0x07.
This sector is encrypted during phase 2, and in the third and final phase it is used to verify that the key entered by the victim is correct.
Sector 0x22 contains the original Master Boot Record XORed with 0x07, as can be observed in the following image.
Sector 0x23, during this phase, contains only zeros.
In phase 2, sector 0x21 is also encrypted, as can be seen in the following image:
In sector 0x23 we now find the number of encrypted clusters, as can be seen in the following image:
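As an added example (not code from the original TG Soft analysis), the following Python script checks a raw disk image for the sector layout described above: it recovers the original MBR from its XOR-0x07 copy in sector 0x22, and distinguishes phase 1 (sector 0x21 still filled with 0x07, MFT still recoverable) from later phases. It assumes 512-byte sectors and that the encrypted-cluster count in sector 0x23 is a 32-bit little-endian integer at offset 0 (the page shows that sector only as an image); the test image it builds is constructed, not a real sample.

```python
import struct

SECTOR_SIZE = 512
XOR_KEY = 0x07               # sector 0x22 holds the original MBR XORed with this byte
KEY_CHECK_SECTOR = 0x21      # filled with 0x07 in phase 1, encrypted from phase 2 on
MBR_BACKUP_SECTOR = 0x22
CLUSTER_COUNT_SECTOR = 0x23  # zeros in phase 1, number of encrypted clusters later

def read_sector(image: bytes, index: int) -> bytes:
    start = index * SECTOR_SIZE
    return image[start:start + SECTOR_SIZE]

def recover_original_mbr(image: bytes) -> bytes:
    """Undo the XOR 0x07 on sector 0x22 to get the original MBR back."""
    return bytes(b ^ XOR_KEY for b in read_sector(image, MBR_BACKUP_SECTOR))

def looks_like_mbr(sector: bytes) -> bool:
    """A bootable MBR ends with the 0x55 0xAA signature at offset 510."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == b"\x55\xaa"

def analyse_goldeneye_layout(image: bytes) -> dict:
    """Detect the Goldeneye sector layout and tell phase 1 from later phases."""
    mbr = recover_original_mbr(image)
    if not looks_like_mbr(mbr):
        return {"infected": False}   # no XOR-0x07 MBR copy: layout not present
    phase1 = read_sector(image, KEY_CHECK_SECTOR) == bytes([XOR_KEY]) * SECTOR_SIZE
    # Assumption: the cluster count is a 32-bit little-endian integer at offset 0.
    count = struct.unpack_from("<I", read_sector(image, CLUSTER_COUNT_SECTOR), 0)[0]
    return {"infected": True, "phase": 1 if phase1 else 2,   # 2 = phase 2 or later
            "mft_recoverable": phase1,                        # only in phase 1 per the analysis
            "encrypted_clusters": 0 if phase1 else count, "original_mbr": mbr}

def build_sample_image(phase: int, clusters: int = 0) -> bytes:
    """Constructed test image (not a real sample) laid out as described above."""
    sectors = [bytes(SECTOR_SIZE) for _ in range(CLUSTER_COUNT_SECTOR + 1)]
    loader = b"\xfa\x31\xc0" + b"\x90" * 144                   # 147-byte stand-in loader
    sectors[0] = loader + bytes(SECTOR_SIZE - len(loader) - 2) + b"\x55\xaa"
    original_mbr = b"\xeb\x3c" + bytes(508) + b"\x55\xaa"       # minimal MBR with signature
    sectors[MBR_BACKUP_SECTOR] = bytes(b ^ XOR_KEY for b in original_mbr)
    if phase == 1:
        sectors[KEY_CHECK_SECTOR] = bytes([XOR_KEY]) * SECTOR_SIZE
    else:
        sectors[KEY_CHECK_SECTOR] = bytes(range(256)) * 2       # stand-in for encrypted data
        sectors[CLUSTER_COUNT_SECTOR] = struct.pack("<I", clusters) + bytes(SECTOR_SIZE - 4)
    return b"".join(sectors)

if __name__ == "__main__":
    for ph in (1, 2):
        r = analyse_goldeneye_layout(build_sample_image(ph, clusters=4096))
        print(f"phase={r['phase']} mft_recoverable={r['mft_recoverable']} clusters={r['encrypted_clusters']}")
```

On a real image, a phase 1 result means the recovered MBR can be written back and the MFT is still intact; anything later only confirms the infection and the number of clusters already encrypted.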
Connecting with the Tor browser to the addresses given in the ransom note, it is possible to discover the amount of the ransom to be paid. On the first page, the victim's ID is requested.
On the second page, the total amount to be paid is displayed, quantified in Bitcoin:
On the third page we can view the address of the Bitcoin wallet to which the funds must be transferred.
It is also possible to send a message to the creators of the fraud that uses Petya Goldeneye:
| Version | Date | Notes |
|---|---|---|
| Petya 1.0, Red version | March 2016 | It is possible to decrypt the MFT with genetic or metaheuristic algorithms such as "Cuckoo Search". |
| Petya 2.0, Green version + Mischa | May 2016 | Either Petya or Mischa is run. It is possible to decrypt the MFT by brute force (number of combinations: 54^8). |
| Petya 3.0, Green version + Mischa | July 2016 | Either Petya or Mischa is run. It is possible to decrypt the MFT during phase 1; after this phase it becomes impossible to decrypt the MFT. |
| Petya Goldeneye, Yellow version + Mischa | December 2016 | First the data files are encrypted by Mischa, then the MBR is infected, bypassing the intermediate level of UAC. It is possible to decrypt the MFT during phase 1; after this phase it becomes impossible to decrypt the MFT. |