{ "type": "bundle", "id": "bundle--58259da4-7a10-4077-b31c-40cf950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-11T10:45:56.000Z", "modified": "2016-11-11T10:45:56.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--58259da4-7a10-4077-b31c-40cf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-11T10:45:56.000Z", "modified": "2016-11-11T10:45:56.000Z", "name": "OSINT - The first cryptor to exploit Telegram", "published": "2016-11-11T10:47:20Z", "object_refs": [ "x-misp-attribute--58259ddc-30d8-4ee2-95ed-40d1950d210f", "observed-data--58259df1-c488-4220-b436-41a5950d210f", "url--58259df1-c488-4220-b436-41a5950d210f", "indicator--58259e3d-2e24-4128-87d1-4d02950d210f", "indicator--58259e3d-5208-43aa-bb76-48d5950d210f", "indicator--58259e6a-3bb4-4206-aa0e-4a7e02de0b81", "indicator--58259e6a-6864-4733-a33b-45b902de0b81", "observed-data--58259e6b-67a4-48a1-9c8c-487402de0b81", "url--58259e6b-67a4-48a1-9c8c-487402de0b81", "indicator--58259e6b-6eb0-40a8-b892-4d3902de0b81", "indicator--58259e6c-2474-458b-bb5a-4de702de0b81", "observed-data--58259e6c-ee68-4f25-8b74-4eb802de0b81", "url--58259e6c-ee68-4f25-8b74-4eb802de0b81", "x-misp-attribute--58259eea-9530-496c-90f3-4a30950d210f", "x-misp-attribute--58259eea-ce48-4930-9d09-4ae7950d210f", "indicator--58259f06-3824-4a78-9a3e-4590950d210f", "x-misp-attribute--58259f69-9228-457f-9e23-4769950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"", "circl:incident-classification=\"malware\"", "ecsirt:malicious-code=\"ransomware\"", "malware_classification:malware-category=\"Ransomware\"", "ms-caro-malware:malware-type=\"Ransom\"", "enisa:nefarious-activity-abuse=\"ransomware\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58259ddc-30d8-4ee2-95ed-40d1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-11T10:30:52.000Z", "modified": "2016-11-11T10:30:52.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Earlier this month, we discovered a piece of encryption malware targeting Russian users. One of its peculiarities was that it uses Telegram Messenger\u00e2\u20ac\u2122s communication protocol to send a decryption key to the threat actor. To our knowledge, this is the first cryptor to use the Telegram protocol in an encryption malware case.\r\nWhat is a cryptor?\r\n\r\nIn general, cryptors can be classified into two groups: those which maintain offline encryption and those which don\u00e2\u20ac\u2122t.\r\n\r\nThere are several reasons why file encryption malware requires an Internet connection. For instance, the threat actors may send an encryption key to the cryptor and receive data from it which they can later use to decrypt the victim\u00e2\u20ac\u2122s encrypted files.\r\n\r\nObviously, a special service is required on the threat actor\u00e2\u20ac\u2122s side to receive data from the cryptor malware. That service must be protected from third-party researchers, and this creates extra software development costs." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58259df1-c488-4220-b436-41a5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-11T10:31:13.000Z", "modified": "2016-11-11T10:31:13.000Z", "first_observed": "2016-11-11T10:31:13Z", "last_observed": "2016-11-11T10:31:13Z", "number_observed": 1, "object_refs": [ "url--58259df1-c488-4220-b436-41a5950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58259df1-c488-4220-b436-41a5950d210f", "value": "https://securelist.com/blog/research/76558/the-first-cryptor-to-exploit-telegram/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58259e3d-2e24-4128-87d1-4d02950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-11T10:32:29.000Z", "modified": "2016-11-11T10:32:29.000Z", "description": "Trojan-Ransom.Win32.Telecrypt.a (the main module)", "pattern": "[file:hashes.MD5 = '3e24d064025ec20d6a8e8bae1d19ecdb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-11T10:32:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58259e3d-5208-43aa-bb76-48d5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-11T10:32:29.000Z", "modified": "2016-11-11T10:32:29.000Z", "description": "Trojan-Ransom.Win32.Telecrypt.a (the \u00e2\u20ac\u02dcInformer\u00e2\u20ac\u2122 module).", "pattern": "[file:hashes.MD5 = '14d4bc13a12f8243383756de92529d6d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-11T10:32:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58259e6a-3bb4-4206-aa0e-4a7e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-11T10:33:14.000Z", "modified": "2016-11-11T10:33:14.000Z", "description": "Trojan-Ransom.Win32.Telecrypt.a (the \u00e2\u20ac\u02dcInformer\u00e2\u20ac\u2122 module). - Xchecked via VT: 14d4bc13a12f8243383756de92529d6d", "pattern": "[file:hashes.SHA256 = '63fa775052a5c7258d44a00d9f2b4a9263f96fb7c61778cbb1ba9102fed2082f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-11T10:33:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58259e6a-6864-4733-a33b-45b902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-11T10:33:14.000Z", "modified": "2016-11-11T10:33:14.000Z", "description": "Trojan-Ransom.Win32.Telecrypt.a (the \u00e2\u20ac\u02dcInformer\u00e2\u20ac\u2122 module). - Xchecked via VT: 14d4bc13a12f8243383756de92529d6d", "pattern": "[file:hashes.SHA1 = '54b8fc5de74856d90cad60da8cc41b98940e6a15']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-11T10:33:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58259e6b-67a4-48a1-9c8c-487402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-11T10:33:15.000Z", "modified": "2016-11-11T10:33:15.000Z", "first_observed": "2016-11-11T10:33:15Z", "last_observed": "2016-11-11T10:33:15Z", "number_observed": 1, "object_refs": [ "url--58259e6b-67a4-48a1-9c8c-487402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58259e6b-67a4-48a1-9c8c-487402de0b81", "value": "https://www.virustotal.com/file/63fa775052a5c7258d44a00d9f2b4a9263f96fb7c61778cbb1ba9102fed2082f/analysis/1478849458/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58259e6b-6eb0-40a8-b892-4d3902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-11T10:33:15.000Z", "modified": "2016-11-11T10:33:15.000Z", "description": "Trojan-Ransom.Win32.Telecrypt.a (the main module) - Xchecked via VT: 3e24d064025ec20d6a8e8bae1d19ecdb", "pattern": "[file:hashes.SHA256 = '3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-11T10:33:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58259e6c-2474-458b-bb5a-4de702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-11T10:33:16.000Z", "modified": "2016-11-11T10:33:16.000Z", "description": "Trojan-Ransom.Win32.Telecrypt.a (the main module) - Xchecked via VT: 3e24d064025ec20d6a8e8bae1d19ecdb", "pattern": "[file:hashes.SHA1 = 'aaf26fd22d5cab24dda2923b7ba6b131772b3a68']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-11T10:33:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58259e6c-ee68-4f25-8b74-4eb802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-11T10:33:16.000Z", "modified": "2016-11-11T10:33:16.000Z", "first_observed": "2016-11-11T10:33:16Z", "last_observed": "2016-11-11T10:33:16Z", "number_observed": 1, "object_refs": [ "url--58259e6c-ee68-4f25-8b74-4eb802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58259e6c-ee68-4f25-8b74-4eb802de0b81", "value": "https://www.virustotal.com/file/3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567/analysis/1478857845/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58259eea-9530-496c-90f3-4a30950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-11T10:35:22.000Z", "modified": "2016-11-11T10:35:22.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "Trojan-Ransom.Win32.Telecrypt" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58259eea-ce48-4930-9d09-4ae7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-11T10:35:22.000Z", "modified": "2016-11-11T10:35:22.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "PDM:Trojan.Win32.Generic" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58259f06-3824-4a78-9a3e-4590950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-11T10:36:09.000Z", "modified": "2016-11-11T10:36:09.000Z", "description": ". The Trojan\u00e2\u20ac\u2122s sample that we analyzed does not change file extensions. A list of encrypted files is saved to the text file", "pattern": "[file:name = '\\\\%USERPROFILE\\\\%\\\\Desktop\\\\\u00d0\u2018\u00d0\u00b0\u00d0\u00b7\u00d0\u00b0 \u00d0\u00b7\u00d0\u00b0\u00d1\u02c6\u00d0\u00b8\u00d1\u201e\u00d1\u20ac \u00d1\u201e\u00d0\u00b0\u00d0\u00b9\u00d0\u00bb\u00d0\u00be\u00d0\u00b2.txt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-11T10:36:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58259f69-9228-457f-9e23-4769950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-11T10:37:29.000Z", "modified": "2016-11-11T10:37:29.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"Network activity\"" ], "x_misp_category": "Network activity", "x_misp_type": "comment", "x_misp_value": "https://api.telegram.org/bot/sendmessage?chat_id=&text=__\r\n\r\nThe Trojan sends the next request using the method \u00e2\u20ac\u02dcsendMessage\u00e2\u20ac\u2122 which allows the bot to send messages to the chat thread of the specified number. The Trojan then uses the chat number hardwired into its body, and sends an \u00e2\u20ac\u0153infection successful\u00e2\u20ac\u009d report to its creators:\r\n\r\nhttps://api.telegram.org/bot/sendmessage?chat_id=&text=__\r\n\r\nThe Trojan sends the following parameters in the request:\r\n\r\n \u00e2\u20ac\u201c number of the chat with the cybercriminal;\r\n\r\n \u00e2\u20ac\u201c name of the infected computer;\r\n\r\n \u00e2\u20ac\u201c infection ID;\r\n\r\n \u00e2\u20ac\u201c number used as a basis to generate the file encryption key.\r\n\r\nAfter sending the information, the Trojan searches the hard drives for files with specific extensions, and encrypts them bytewise, using the simple algorithm of adding each file byte to the key bytes." }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }