2016-11-14

A lot of people, located around the world, have been infected with ransomware – a type of malware that encrypts computer files and demands payment to have them unlocked. Some professionally written ransomware has been so financially successful for their authors, such as Locky and Cerber, that many others have begun to emerge to take a piece of the pie.

The researchers of the ART team at Fortinet have recently discovered a new malware. While it still locks the user’s computer and demands they follow instructions to have it unlocked, this time it doesn’t require them to pull out their wallets to pay a ransom. Instead, it forces them to take a tedious survey in order to unlock their computers.

So, of course: A survey of this malware is in order.

It’s selectively “LOCKED”

This malware blocks the victim’s desktop and claims that it has been “LOCKED.” It also asks the user to complete an online survey in order to get the password that unlocks the computer. The picture below shows what the desktop looks like after infection.



Figure 1 Instructions Screen

This malware also does not support 64-bit systems, and it instead displays an error, shown in the figure below, when we try to run it.



Figure 2 No support for 64 bit systems

Before the malware performs its malicious locking behavior, it first checks the following registry key’s ‘Shell’ value and matches to the string ‘explorer.exe’

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon]

On WinXP x86, the registry key reads “Explorer.exe” and the malware fails to match the desired string and skips modifying the registries. The lock, however, is fully functional on a Win7 x86 system.

After the user clicks the “Get Password” button, the PC locker malware opens the user’s default browser and attempts to connect to the survey website. However, this website is no longer accessible. We queried the history of the domain and discovered that it has actually not been active for over two years, as shown below. Given that this malware is new, and the website it tries to connect to has been inactive for a long time, we suspect that this may mean that the malware author(s) is only testing this new variant, and it’s not ready to be officially released.



Figure 3 Domain History

Although the survey website is down, after digging through the code we were able to easily retrieve the hard-coded password, as shown in figure 4, below. The malware is written in .NET.

Figure 4 Password to Unlock

By entering the hard-coded password (“london1969paris”) in the box “Enter password here,” and clicking “Unlock,” the instruction window immediately disappears from the screen.

Clicking the “Administrator” button causes an administrator login window to open, as seen below.

Figure 5 Admin Login Window

The administrator’s username (“pchip2012”) and password (“s2m2sug1”) are also hard-coded into the malware, as follows:

Figure 6 Administrator Username and Password

After filling in the username and password fields with the data uncovered in the malware code, the PC Locker 3.1 – Administrator control panel pops up. The figure below shows that it has three features: “Restore registry,” “Log off,” and “Close”.

Figure 7 Administrator Control Panel

Conclusion

This locker demands users to fill out a survey, as opposed to making a traditional BitCoin payment, and presumably, that data could be used to profile the users. It is also currently only fully functionality on select systems. However, we suspect that this new locker family may return in a more dangerous version in the near future, and will likely be able to do some real damage. The ART team will continue to track the development of this family and share information once new discoveries are made.

Sample Information

MD5: 4a22dbd324ed792dcae63ec3712af358

SHA256: e2443fd6f39fb846c09807a6e56797c52b8c723e7bc0a7a747d8682e8ebee7fd

Fortinet AV Detection Signature:  W32/PCsurveyLocker.HK!tr

Show more