Threat actors are increasingly using fake Microsoft and Google software updates to try to sneak malware on target systems.
The latest example is "HavanaCrypt," a new ransomware tool that researchers from Trend Micro recently discovered in the wild disguised as a Google Software Update application. The malware's command and-control (C2) server is hosted on a Microsoft Web hosting IP address, which is somewhat uncommon for ransomware, according to Trend Micro.
Also notable, according to the researchers, is HavanaCrypt's many techniques for checking if it is running in a virtual environment; the malware's use of code from open source key manager KeePass Password Safe during encryption; and its use of a .Net function called "QueueUserWorkItem" to speed up encryption. Trend Micro notes that the malware is likely a work-in-progress because it does not drop a ransom note on infected systems.
HavanaCrypt is among a growing number of ransomware tools and other malware that in recent months have been distributed in the form of fake updates for Windows 10, Microsoft Exchange, and Google Chrome. In May, security researchers spotted ransomware dubbed "Magniber" doing the rounds disguised as Windows 10 updates. Earlier this year, researchers at Malwarebytes observed the operators of the Magnitude Exploit Kit trying to fool users into downloading it by dressing the malware as a Microsoft Edge update.
As Malwarebytes noted at the time, fake Flash updates used to be a fixture of Web-based malware campaigns until Adobe finally retired the technology because of security concerns. Since then, attackers have been using fake versions of other frequently updated software products to try to trick users into downloading their malware — with browsers being one of the most frequently abused.
Creating fake software updates is trivial for attackers, so they tend to use them to distribute all classes of malware including ransomware, info stealers, and Trojans, says an analyst with Intel 471 who requested anonymity. "A non-technical user might be fooled by such techniques, but SOC analysts or incident responders will likely not be fooled," the analyst says.
Security experts have long noted the need for organizations to have multi-layered defenses in place to defend against ransomware and other threats. This includes having controls for endpoint detection and response, user and entity behavior-monitoring capabilities, network segmentation to minimize damage and limit lateral movement, encryption, and strong identity and access control -- including multi-factor authentication.
Since adversaries often target end users, it is also critical for organizations to have strong practices in place for educating users about phishing risks and social engineering scams designed to get them to download malware or follow links to credential harvesting sites.
How HavanaCrypt Works
HavanaCrypt is .Net malware that uses an open-source tool called Obfuscar to obfuscate its code. Once deployed on a system, HavanaCrypt first checks to see if the "GoogleUpdate" registry is present on the system and only continues with its routine if the malware determines the registry is not present.
The malware then goes through a four-stage process to determine if the infected machine is in a virtualized environment. First it checks the system for services such as VMWare Tools and vmmouse that virtual machines typically use. Then it looks for files related to virtual applications, followed by a check for specific file names used in virtual environments. Finally, it compares the infected systems' MAC address with unique identifier prefixes typically used in virtual machine settings. If any of checks show the infected machine to be in a virtual environment, the malware terminates itself, Trend Micro said.
Once HavanaCrypt determines it's not running in a virtual environment, the malware fetches and executes a batch file from a C2 server hosted on a legitimate Microsoft Web hosting service. The batch file contains commands for configuring Windows Defender in such a manner that it allows detected threats. The malware also stops a long list of processes, many of which are related to database applications such as SQL and MySQL or to desktop applications such as Microsoft Office.
HavanaCrypt's next steps include deleting shadow copies on the infected systems, deleting functions for restoring data, and gathering system information such as the number of processors the system has, processor type, product number, and BIOS version. The malware uses the QueueUserWorkItem function and code from KeePass Password Safe as part of the encryption process.
"QueueUserWorkItem is a standard technique for creating thread pools," says the analyst from Intel 471. "The use of thread pools will speed up encryption of the files on the victim machine."
With KeePass, the ransomware author has copied code from the password manager tool and used this code in their ransomware project. "The copied code is used to generate pseudorandom encryption keys," the analyst notes. "If the encryption keys were generated in a predictable, repeatable way, then it might be possible for malware researchers to develop decryption tools."
The attacker's use of a Microsoft hosting service for the C2 server highlights the broader trend by attackers to hide malicious infrastructure in legitimate services to evade detection. "There is a great deal of badness hosted in cloud environments today, whether it's Amazon, Google, or Microsoft and many others," says John Bambenek, principal threat hunter at Netenrich. "The highly transient nature of the environments makes reputation systems useless."