What should a CISO bear in mind before allowing Windows 10 upgrade emails?

MUMBAI, INDIA: Ever since Microsoft launched Windows 10 on July 29, users have been bombarded with emails for free upgrade. But are all these mails genuine?

A new blog post by Nick Biasini, Outreach Engineer with contributions from Craig Williams, Senior Technical Leader, Security Outreach and Alex Chiu, Threat Researcher, Talos Security Intelligence and Research Group (Talos), Cisco Systems, highlights that the email may be a spam, originating from Thailand.

This threat actor is impersonating Microsoft in an attempt to exploit their user base for monetary gain. The fact that users have to virtually wait in line to receive this update makes them even more likely to fall victim to this campaign.

The trio points out that while the emails are designed to look as if they were coming from Microsoft, the catch in this case are the glaring spelling errors and stray non-English characters.

How to spot the spam?

Look at the From address: The adversaries are spoofing the email to look like it is coming directly from Microsoft (updatemicrosoft.com). However, a quick look at the email header reveals that the message actually originated from IP address space allocated to Thailand.

Color scheme: The attackers are using a similar color scheme to the one used by Microsoft.

Red flags: There are a couple of red flags associated with the text of the email. There are several characters that don’t parse properly. This could be due to the targeted audience, a demographic using a non-standard character set, or the character set the adversaries were using to craft the email.

Disclaimers: The inclusion of a disclaimer message that looks similar to the one a user would receive from an email directly from Microsoft.

Security: A key piece of information added by adversaries that users are becoming more accustomed to seeing: an indication that the message attachment has been scanned by antivirus and appears to be a legitimate file.

This message links to a legitimate open source email filter and will trick some users into thinking the attachment is not malware.

How the malware works:

Once a user moves past the email, downloads the zip file, extracts it, and runs the executable, they are greeted with a message:

CTB-Locker: The payload is CTB-Locker, a ransomware variant.

Whether it is via spam messages or exploit kits, hackers are dropping a huge amount of different variants of ransomware. Also, by utilizing Tor and Bitcoin they are able to remain anonymous and quickly profit from their malware campaigns with minimal risk.

CTB-Locker has some interesting features that are different from large scale variants Talos has seen, the writers point out.

First is the type of encryption used: Most variants use RSA asymmetric encryption. CTB-Locker uses elliptical curve encryption which provides the same public/private key encryption, but it’s a different type of algorithm with lower overhead and the same level of security utilizing smaller key space.

Second is the issue of the time window. CTB-Locker is only giving users 96 hours to pay for decryption, which is a shorter window than is standard for most ransomware.

Third difference is related to Command and Control (C2) communication. Recent versions of ransomware are leveraging compromised Wordpress sites to serve as a drop point for information related to the compromised host. CTB-Locker appears to be using hard coded IP addresses on non-standard ports to establish communication. There is also a significant amount of data being exchanged between systems which are largely uncharacteristic for ransomware.

The domains that Talos was able to identify are currently not registered and the samples do not leverage DNS resolution to try to connect to these domains. The majority of the traffic is using ports commonly associated with Tor traffic, which is heavily used for C2 communications.

One final interesting piece is the use of port 21 for communication. This is the port associated with FTP command traffic and therefore likely to be allowed outbound from a network. A quick analysis of the communication shows that it is not actually FTP communication but instead C2 activity.

This malware relies on Tor for Command and Control and therefore does not possess valuable IP information.

How to avoid the spam?

To avoid getting scammed:

• Don't click on any attachments you weren't expecting and be wary of download links in email messages from unknown sources.
• Microsoft is not distributing Windows 10 via unsolicited emails. Instead, users must reserve a copy of Windows 10 which will be automatically downloaded onto their system.
• Back up your computer daily. Once the ransomware is installed, the easiest and cheapest route to deal with it is to clean the machine and install a recent back-up.