Welcome to the Age of Node.js-Based Cross-Platform Malware
In this case, Ransom32, once surreptitiously installed, encrypts the user’s files on the computer so that they can’t be accessed until a fee is paid in Bitcoin.
Thus far, this ransomware has propagated through traditional methods, namely through spam email that includes the software as an attachment, usually craftily named to get the user to click on it. Once that happens, the software, contained within a self-extracting WinRAR file, will install itself on the user’s machine such that the malware executes every time the computer boots.
The package also includes a Tor client to communicate with a back-end “command-and-control” server via port 85, to handle duties such as transmitting the key that encrypted the user data and specifying the address to which the ransom should be submitted.
“Files are being encrypted using AES with a 128-bit key using CTR as a block mode. A new key is being generated for every file. The key is encrypted using the RSA algorithm and a public key that is being obtained from the C2 server during the first communication,” Wosar wrote, noting the quality of the package indicates that Ransom32 is a professional job.
Like an increasing amount of malware today, Ransom32 is actually offered as a sort of ransomware-as-a-service, Softpedia pointed out in an article about the attack. Customers can customize their own versions of the software through a Tor network “Dark Web” portal. The software’s authors take a 25 percent cut before forwarding the rest of the ransom to their customers.
Traditionally, such malware has been written in languages such as C++, Softpedia noted. But NW.js offers the advantage “of packing the runtime and your NW.js into one single executable. So you don’t rely on the user having some kind of existing framework installed,” Wosar told Softpedia.
What makes Ransom32 especially problematic is that because it includes NW.js, a legitimate program, it has been difficult for anti-malware software and service providers to develop a signature to identify the malicious package.
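Because the NW.js runtime itself is legitimate, triage has to look at what is bundled with it. The following is an added example, not code from the article or from Emsisoft: it assumes the application is a ZIP archive appended to the Windows executable (one packaging method NW.js documents) with `package.json` at its root, and `inspectExecutable` and `buildSample` are hypothetical names operating on constructed sample bytes.

```javascript
// Added example (not from the article): list entries of a ZIP appended to a PE file.
const EOCD_SIG = 0x06054b50; // ZIP end-of-central-directory record
const CDIR_SIG = 0x02014b50; // ZIP central-directory file header

// Read `count` central-directory entries that must end exactly at `end`.
function readCentralDirectory(buf, start, end, count) {
  const names = [];
  let p = start;
  for (let i = 0; i < count; i++) {
    if (p + 46 > end || buf.readUInt32LE(p) !== CDIR_SIG) return null;
    const nameLen = buf.readUInt16LE(p + 28);
    const skip = buf.readUInt16LE(p + 30) + buf.readUInt16LE(p + 32); // extra + comment
    if (p + 46 + nameLen + skip > end) return null;
    names.push(buf.toString('utf8', p + 46, p + 46 + nameLen));
    p += 46 + nameLen + skip;
  }
  return p === end ? names : null;
}

// Returns { entries, looksLikeNwApp } for a PE file with an appended ZIP, else null.
function inspectExecutable(buf) {
  if (buf.length < 24 || buf.readUInt16LE(0) !== 0x5a4d) return null; // no "MZ" header
  const stop = Math.max(2, buf.length - 22 - 0xffff); // EOCD comment is at most 65535 bytes
  for (let pos = buf.length - 22; pos >= stop; pos--) {
    if (buf.readUInt32LE(pos) !== EOCD_SIG) continue;
    const count = buf.readUInt16LE(pos + 10);
    const cdStart = pos - buf.readUInt32LE(pos + 12); // directory sits right before the EOCD
    if (cdStart < 2) continue;
    const entries = readCentralDirectory(buf, cdStart, pos, count);
    // Assumption: an NW.js app archive carries its manifest as package.json at the root.
    if (entries) return { entries, looksLikeNwApp: entries.includes('package.json') };
  }
  return null;
}

// Constructed sample: "MZ" stub plus a ZIP central directory only (no file data).
function buildSample(names) {
  const dir = Buffer.concat(names.map((n) => {
    const h = Buffer.alloc(46);
    h.writeUInt32LE(CDIR_SIG, 0);
    h.writeUInt16LE(Buffer.byteLength(n), 28);
    return Buffer.concat([h, Buffer.from(n)]);
  }));
  const eocd = Buffer.alloc(22);
  eocd.writeUInt32LE(EOCD_SIG, 0);
  eocd.writeUInt16LE(names.length, 10);
  eocd.writeUInt32LE(dir.length, 12);
  return Buffer.concat([Buffer.from('MZ'), Buffer.alloc(62), dir, eocd]);
}
```

A positive result also matches legitimate NW.js applications and ordinary self-extracting archives, so it is a prompt to review the listed entries rather than a verdict. ZIP64 archives are not handled.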
“Hackers are fundamentally pack animals and when they see something working it inevitably gets replicated by others. So it’s nearly a certainty we’ll see more of these types of attacks throughout 2016, assuming the perpetrators see a reasonable financial yield,” wrote Richard Greene, CEO of the cloud-based cyber security technology company Seculert, in an e-mail. “What will be interesting to see is what type of features the copycats will add that will make it even more dangerous than the variants currently in circulation.”
Images from Emsisoft.