The malware also uses COM object (component object model objects) to hide string extractions, and deletes zone identifiers, in the name of evasion. She added that the command and control servers hosting TeslaCrypt have a finite shelf life before the attackers take them down and move them. Rousseau said that it took detection tools as many as four days to catch up to the technique and incorporate into signatures. The use of Wscript complicates detection as well because the traffic appears to be legitimate Windows communication. “It’s much harder for to detect if it’s not scanning memory.
“It’s really like they are trying hard to hide strings in memory,” Rousseau said.
#SPAM WITH A .7Z FILE EXTENSION CODE#
Rousseau said, adding that analysis of the malware has become a challenge because it initiates many code threads and debugging techniques to frustrate security tools.
#SPAM WITH A .7Z FILE EXTENSION ZIP FILE#
zip file attachment, a JavaScript downloader is launched which uses Wscript, the Windows Script Host, to download the TeslaCrypt binary from greetingsyoungqqcom/80.exe. In this case, when the victim executes the infected. The use of spam to move TeslaCrypt is also a departure from recent outbreaks where exploit kits were infecting WordPress and Joomla websites and silently loading ransomware onto compromised machines. Version 4.1A has been in circulation for about a week, Rousseau said, and targets a wide range of the usual file extensions, plus a handful of news ones that merit notice. These samples, researcher Amanda Rousseau told Threatpost, were found in attachments of large-scale spam campaigns purporting to be shipping delivery notifications. Researchers at Endgame Inc., have found two updates for the cryptoransomware in the past two weeks that invest heavily in obfuscation and evasion techniques, and also target a host of new file extensions. TeslaCrypt, like many of its ransomware cousins, doesn’t sleep on past success.