New ransomware posing as COVID‑19 tracing app targets Canada; ESET offers decryptor

ESET researchers dissect an Android app that masquerades as an official COVID-19 contact-tracing app and encrypts files on the victim’s device

New ransomware CryCryptor has been targeting Android users in Canada, distributed via two websites under the guise of an official COVID-19 tracing app provided by Health Canada. ESET researchers analyzed the ransomware and created a decryption tool for the victims.

CryCryptor surfaced just a few days after the Canadian government officially announced its intention to back the development of a nation-wide, voluntary tracing app called COVID Alert. The official app is due to be rolled out for testing in the province of Ontario as soon as next month.

ESET informed the Canadian Centre for Cyber Security about this threat as soon as it was identified.

Figure 1. One of the malicious distribution websites; the other one has an identical design and differs only in its domain, covid19tracer[.]ca.

Once the user falls victim to CryCryptor, the ransomware encrypts the files on the device – all the most common types of files – but instead of locking the device, it leaves a “readme” file with the attacker’s email in every directory with encrypted files.

Fortunately, we were able to create a decryption tool for those who fall victim to this ransomware.

After we spotted the tweet that brought this ransomware to our radar (the researcher who discovered it mistakenly labeled the malware as a banking trojan), we analyzed the app. We discovered a bug of the type “Improper Export of Android Application Components” that MITRE labels as CWE-926.

Due to this bug, any app that is installed on the affected device can launch any exported service provided by the ransomware. This allowed us to create the decryption tool – an app that launches the decrypting functionality built into the ransomware app by its creators.

Encryption/functionality

After launch, the ransomware requests access to files on the device. After obtaining that permission, it encrypts files on external media with certain extensions, which are shown in Figure 2.

Figure 2. File extensions to be encrypted

Selected files are encrypted using AES with a randomly generated 16-character key. After CryCryptor encrypts a file, three new files are created, and the original file is removed. The encrypted file has the file extension “.enc” appended, and the algorithm generates a salt unique to every encrypted file, stored with the extension “.enc.salt”, and an initialization vector, stored with the extension “.enc.iv”.

Figure 3. Files after encryption

After all the target files are encrypted, CryCryptor displays a notification “Private files encrypted, see readme_now.txt”. The readme_now.txt file is placed in every directory with encrypted files.

Figure 4. File encryption notification (left) and contents of the readme_now.txt file (right)
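For incident response on a copy of the device's external storage, the file layout described above can be inventoried before any recovery attempt. The following is an added example, not code from ESET or from the ransomware; the function names and the sample directory layout are assumptions made for illustration.

```python
import os

ARTIFACT_SUFFIXES = (".enc", ".enc.salt", ".enc.iv")
NOTE_NAME = "readme_now.txt"


def triage(root):
    """Group CryCryptor artifacts under root by the original file they belong to."""
    report = {"complete": [], "incomplete": {}, "note_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        if NOTE_NAME in files:
            report["note_dirs"].append(dirpath)
        found = {}
        for name in files:
            for suffix in ARTIFACT_SUFFIXES:
                if name.endswith(suffix):
                    original = os.path.join(dirpath, name[: -len(suffix)])
                    found.setdefault(original, set()).add(suffix)
                    break
        for original, suffixes in found.items():
            # The salt and IV are per-file, so a set missing either one needs attention.
            missing = sorted(set(ARTIFACT_SUFFIXES) - suffixes)
            if missing:
                report["incomplete"][original] = missing
            else:
                report["complete"].append(original)
    return report


def build_sample_tree(root):
    """Constructed sample layout (empty files) so the example runs offline."""
    layout = {
        "DCIM": ["a.jpg.enc", "a.jpg.enc.salt", "a.jpg.enc.iv", NOTE_NAME],
        "Docs": ["b.pdf.enc", "b.pdf.enc.iv", NOTE_NAME],  # salt file lost
        "Music": ["c.mp3"],  # file that was left untouched
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            open(os.path.join(root, folder, name), "w").close()
```

Entries under `incomplete` list which of the three files is absent, which is worth knowing before cleaning up or copying data off the device.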

Decryption

The service responsible for file decryption in CryCryptor has the encryption key stored in shared preferences, which means it doesn’t have to contact any C&C to retrieve it. Importantly, the service is exported without any restriction in the Android Manifest (security weakness CWE-926), which means it is possible to launch it externally.

Based on this, we created an Android decryption app for those affected by the CryCryptor ransomware. Naturally, the decryption app works only on this version of CryCryptor.
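The same weakness is worth checking for in any app's manifest. The following added example (not ESET's tooling and not code from the ransomware) audits a manifest that has already been decoded to text XML, for instance with apktool, and reports activities, services and receivers that are exported without a required permission; the sample manifest and all component names in it are constructed, and content providers are out of scope here.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
CHECKED_TAGS = ("activity", "service", "receiver")
LAUNCHER = {"android.intent.action.MAIN", "android.intent.category.LAUNCHER"}

# Constructed manifest for illustration; every name in it is hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".DecryptService" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.sample.permission.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _is_launcher(comp):
    """The launcher entry point has to be exported, so it is not reported."""
    names = {e.get(NS + "name") for e in comp.findall("intent-filter/*")}
    return LAUNCHER <= names


def find_unprotected_exports(manifest_xml):
    """Return (tag, name, how) for exported components that require no permission.

    A permission set on <application> counts, because components inherit it.
    """
    app = ET.fromstring(manifest_xml.strip()).find("application")
    findings = []
    for comp in ([] if app is None else list(app)):
        if comp.tag not in CHECKED_TAGS or _is_launcher(comp):
            continue
        exported = comp.get(NS + "exported")
        # With no explicit value, an intent filter exported the component before Android 12.
        implicit = exported is None and comp.find("intent-filter") is not None
        protected = comp.get(NS + "permission") or app.get(NS + "permission")
        if protected or not (exported == "true" or implicit):
            continue
        findings.append((comp.tag, comp.get(NS + "name"), "implicit" if implicit else "explicit"))
    return findings
```

On the constructed manifest this reports `.DecryptService` and `.BootReceiver`; setting `android:exported="false"` or adding `android:permission` to a component removes it from the findings.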

A new ransomware family

The CryCryptor ransomware is based on open source code on GitHub. We discovered it there using a simple search based on the app’s package name and a few strings that looked unique.

The developers of the open source ransomware, who named it CryDroid, must have known the code would be used for malicious purposes. In an attempt to disguise the project as research, they claim they uploaded the code to the VirusTotal service. While it’s unclear who uploaded the sample, it indeed appeared on VirusTotal the same day the code was published on GitHub.

Figure 5. The open source ransomware

We dismiss the claim that the project has research purposes – no responsible researcher would publicly release a tool that is easy to misuse for malicious purposes.

We notified GitHub about the nature of this code.

ESET products provide protection against the CryCryptor ransomware, detecting it as Trojan.Android/CryCryptor.A. On top of using a quality mobile security solution, we advise Android users to install apps only from reputable sources such as the Google Play store.

Timeline:

  • Jun 11, 2020: source code published – CryDroid v1.1
  • Jun 11, 2020: code uploaded to VirusTotal
  • Jun 12, 2020: first malicious domain that distributed this sample was registered
  • Jun 18, 2020: malicious app (this Android ransomware) was compiled (based on its certificate)
  • Jun 21, 2020: second malicious domain that distributed this sample was registered
  • Jun 23, 2020: ESET informs Canadian Centre for Cyber Security
  • Jun 23, 2020: the two domains stopped responding

We have prepared a video that shows the process of encryption and decryption, along with our explanation.

Indicators of Compromise (IoCs)

| Package name | Hash | ESET detection name |
|---|---|---|
| com.crydroid | 322AAB72228B1A9C179696E600C1AF335B376655 | Trojan.Android/CryCryptor.A |

Distribution links

https://covid19tracer[.]ca/
https://tracershield[.]ca/

MITRE ATT&CK techniques

| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1476 | Deliver Malicious App via Other Means | The malware is downloaded from a fake website |
| Initial Access | T1444 | Masquerade as Legitimate Application | It impersonates a COVID-19 tracking app |
| Persistence | T1402 | App Auto-Start at Device Boot | It listens for the BOOT_COMPLETED broadcast, ensuring that the app’s functionality will be activated every time the device starts |
| Impact | T1471 | Data Encrypted for Impact | Encrypts files with particular file extensions found on external media |



Lukas Stefanko
