When URL Shorteners and Ransomware Collide

Posted: January 13, 2016 by Malwarebytes Labs
Last updated: March 31, 2016

We are all very familiar with URL shortening services, which are regularly used in Tweets and other social media. It is no secret that cyber criminals also use URL shorteners to aid them in achieving their objectives. URL shorteners are often used by cyber criminals to obfuscate redirects to malicious destinations.

Recently, a URL shortening service was used to shrink a dubious link, obfuscating a malicious destination:

46(dot)30(dot)45(dot)39/Statement.jpg

which was actually a malicious script dowloader “Statement.js”, dropping Cryptowall from

46(dot)30(dot)45(dot)39/yyo.w

Cryptowall is Ransomware which encrypts files on your computer and demands that a ransom be paid in order to receive instructions (private key) for decrypting your files (in this case, RSA-2048 encryption was used).

Shortened malicious URL: [url]/1|Qblabla –> hxxp://46(dot)30(dot)45(dot)39/Statement.jpg = Statement.js (malicious script downloader).

This slideshow requires JavaScript.

Statement.js –> executable yyo.w (Cryptowall) from 46(dot)30(dot)45(dot)39/yyo.w

The URL shortener service disabled the shortened URL, but the IP identified was still serving up Cryptowall at the time of this write-up (Cryptowall file from 46(dot)30(dot)45(dot)39/yyo.w and subsequent communication shown above.

During post-infection, the victim is provided with details about what just happened, and a short explanation about encryption. They’re also given the steps needed to in order to get the files decrypted. Finally, they provided details about the specific homepage crafted for them and instructions for downloading and installing the Tor browser.

The text reads as follows:

Cannot find the files you need? Is the content of the files that you have watched not readable? Is it normal because the files names, as well as the data in your files have been encrypted.

Congratulations!!! You have become a part of a large community #Cryptowall.

Your files have been encrypted with 5he Cryptowall software; the instructions that you find in folders with encrypted files are not viruses, they are your helpers. After reading this text 100% of people turn to a search engine with the word Cryptowall where you'll find a lot of thoughts, advice and instructions. Think logically - we are the ones who closed the lock on your files and we are the only ones who have this mysterious key to open them. Any of your attempts to restore your files with the third-party tools can be fatal for encrypted files.

In case if these simple rules are violated we will not be able to help you and we will not try because you have been warned. For your attention the software to decrypt the files (as well as the private key that comes fitted with it) is a paid product. After purchasing the software package you can 1) Decrypt all your files 2) Work with your documents 3) View your photos and other media content 4) Continue your habitual and comfortable work at the computer

IP details:
IP Location: Russian Federation Russian Federation Moscow Eurobyte Llc
ASN: Russian Federation AS35415 WEBZILLA Webzilla B.V. (registered Aug 03, 2005)
Resolve Host: vz110372.eurodir.ru
Whois Server: whois.ripe.net
IP Address: 46.30.45.39
Reverse IP: 1 website uses this address.

Ransomware is nothing new but cyber criminals are constantly coming up with tradecraft to stay one-step ahead of of the security industry. This short blog is not meant to single out a specific URL shortener service nor is it meant to be a high-level analysis of Cryptolocker. This blog is more focused on arising awareness when dealing with shortened links.

There are precautions that can be taken to avoid clicking on a malicious shortened link, such as not clicking on a shortened link if you do not know who it is from. If you want to take additional measures, there are services that unshorten shortened URL’s such as

checkshorturl(dot)com

Furthermore, it is highly recommended that you use anti-virus and anti-malware in conjunction for the best possible protection. Malwarebytes Anti-Malware protects users from this attack, including blocking identified malicious IPs and domains associated with Ransomware.

Zynthesis

COMMENTS

Ofelia

Wait, now I’m confused. I’ve heard of ransomware scams (scamsomeware?) where it’s like malicious JavaScript/a popup saying your computer has been locked to scare you into downloading their crapware/paying them/whatever but they haven’t actually touched your files (sort of like the fake virus warnings to scare people into downloading rogue AV software), and you can just get rid of it by force quitting your browser and making sure you don’t restore tabs/windows when you reopen it, but there are ones that actually encrypt your files? (sorry if this is a really dumb question.)
Djordje Lukic

Yes, there are ransomware infections that infect your PC by encrypting your files like the one in this blog post above. On the other side there are fake warnings telling you that your PC is infected, trying to trick you to call a number so that their fake support team can help you, by showing you some errors that are actually normal on every computer. Such fake warnings often appear on compromised websites, so the only logical step is to close your browser.
James

Yes, they are pretty much all I deal with every day.
Pingback: Weekendowa Lektura 2016-01-16 – bierzcie i czytajcie | Zaufana Trzecia Strona()
MlwrHpstr

The objective of this threat vector/method (obfuscate the destination) is to use a service to shorten and obfuscate a malicious destination (URL), in this case containing a malicious down-loader that downloads the cryptowall ransomeware. That is why it is imperative that you do not click on shortened links unless you trust the source or unshorten the link to view the destination. Also ensure you are using anti-virus and anti-malware protection as well. This is still occurring, and I have analyzed several other ransomeware threats in the last few days that are using this same method via services that shorten URLs.
Romney_voter

I once clicked on a picture that had no link. pretty sure that was what it was.
Manfred Rank

How can I recognize a shortened URL?
SchroedingersDog

How does a jpeg turn into an executable?
MlwrHpstr

The Statement.jpg discussed above is actually a malicious down-loader, when the script is executed it downloads the Cryptowall file. It is used as an obfuscation technique by threat actors, as is the short URL infection vector.
Eric Brightwell

Hover over the link and review the URL which appears at the bottom of your browser ( IE 11 )
Alternatively, search for the link in google and check the site report provided by your AV software ( eg McAfee Netprotect )
Colonel Gunter Brumm

I got screwed by this thing. Had to cough up 1000 bucks in bitcoin.
They did send the decryption key as they promised. Even encrypted my external hardrives.
I tried everything then just paid.

I know a lawyer whos whole small firms data got ransomed by the same thing. They paid and he got it all back. Took days to decrypt
carol texas

Very real. When I worked in a computer repair shop we even had a customer bring it in to get rid of one of these scams.. and he put it on his credit card when he clicked… we cleaned it all up and the idiot came back 3 days later because he did it again on the same site. Some people will click on anything, open unknown things. Got to be observant. If you think it’s bad news it probably is.. so don’t do it. As the old saying goes, “If it ain’t broke, don’t fix it!”
MlwrHpstr

Sorry to hear that. Ransomware threat actors are constantly changing their trade-craft in order to exploit victims. One week they will use short URLs and the next they will use spam emails with malicious documents all with the same intent, to get victims to fall for their evil ploy of either clicking that unknown link or opening up that malicious file. I highly recommend that everyone use Anti-Virus and Anti-Malware in conjunction for increased security.
MlwrHpstr

It is highly imperative to have great situational awareness when reading suspicious emails, or when thinking about clicking on that link. In our current times you don’t even have to click on anything and can still end up being infected. You surf to a site, and in the background your flash player gets exploited, you get redirected all over the place and the next thing you know you are infected, when all you wanted was to buy new Adidas. Along with Anti-Virus and Anti-Malware, I highly recommend Malwarebytes Anti-Exploit product, which protects your browser, browser add ons, and media players from exploit flaws/vulnerabilities. It has other protection features as well.
carol texas

If only people would really pay attention when they read the words of the experts, but unfortunately it’s like the elderly with phone scams… media coverage about the dangers just don’t register. Now that computers are so important in schools the warnings should start in PreK.
MlwrHpstr

Malwarebytes has a new product called Malwarebytes Anti-Ransomware (Beta), for adding yet another layer of protection against Ransomware!!
Kitlia Steele

Don’t forget that regular backups of information to cold storage or the cloud are highly advised. Or if you REALLY want to be secure, do that plus use a VM for your external needs and have the VM software take regular snapshots so you can simply reverse the changes.
Kitlia Steele

The .jpg extension is just pure information, it doesn’t change how things operate in the code. When the OS sees “.jpg” usually the first thing it does is want to load it with the image loading software associated with it. Same goes for “.exe” or any other extension. It does not change the file itself, it’s just a simple extension rename. Or in other cases, you can actually embed files in JPG images.
Kitlia Steele

Whenever I go out on a support call and find a client has done such a thing, I educate them on the risks and implications of falling for such a thing. I openly offer that if they’re unsure to always give me a call so I can verify if it’s trusted or not. And I don’t charge a penny for helping others who want to be safe about their browsing habits. Ransomware is nasty, and I’d rather not see that poor old lady lose her precious files because I would have charged her for advice. I even show them examples of what to look for.
happy texan

That’s the way we did it too… no charge. “Freebie” advice by phone, on a call or drop in the shop. Some of the best advertising is word of mouth. It’s also the right thing to do. Feels good, too.
Kitlia Steele

I also try to recommend Linux based on usage. Works great for senior citizens who do nothing but access the web. Easy on maintenance and better on security, it simplifies their life. The way I provide support is try to make sure they don’t need to come back, because they’ll have no problems. And that follow up call a couple weeks later saying they had no issues and everything works better before really makes it worth it
CaesarXL

Is Check Short URL Malware? When I try to unshorten a link, a popup from Malwarebytes Anti-malware says blocked malicious website, www(dot)tradeadexchange(dot)com
CaesarXL

Nevermind, it is probably just an advertisement on that page

RELATED ARTICLES

Malware | Threat analysis

Anonymizing VM Traffic (Introduction)

April 24, 2012 - WARNING: The information included in this tutorial could be used for malicious purposes in the wrong hands, please expect to be yelled at by people who think you are a bad guy if you start talking about this or asking questions. Also, please use responsibly. Hello everyone! Today I am going to give a detailed...

CONTINUE READING 2 Comments

Tor Successfully Configured Browser Window

Malware | Threat analysis

Anonymizing Traffic for your Host System

April 24, 2012 - Security Level: Light Purpose: To hide who you are while performing research through your browser. Benefits: Hide your IP Easy to set up Can be run off of a USB stick Drawbacks: Drive-by attacks can still lead to the infection of your host system. Can only hide traffic going out of HTTP port(s). Not meant...

CONTINUE READING No Comments

Malware | Threat analysis

Anonymizing Traffic For Your VM

April 27, 2012 - Security Level: Medium Purpose: To hide who you are while performing research through your browser AND protecting your host system from drive-by download attacks. Benefits: Hide your IP Protect the host system by running in a virtual environment Execute malware in a safe environment (non-traffic capture) Drawbacks: Not as easy to setup Need to gather...

CONTINUE READING 2 Comments

Malware | Threat analysis

Anonymizing Traffic for your VM And Capturing Traffic

April 27, 2012 - Security Level: High / Hardcore Purpose: To hide who you are while performing research through your browser AND protecting your host system from drive-by download attacks AND being able to perform dynamic malware analysis and capture malicious traffic moving between the malware and the C&C. (Whew, that’s a lot of ANDs. =D) Benefits: Hide your...

CONTINUE READING No Comments

Malware | Threat analysis

You can’t buy happiness but you can advertise it!!

May 22, 2012 - Since December of 2011, the spread of malicious advertisements, or “Malvertisements”, has drastically increased. Along with this trend is the increased spread of some pretty nasty malware. One in particular is called Happili, an adware trojan that installs a browser extension to re-direct legitimate search queries to ad sites.

CONTINUE READING 2 Comments

ABOUT THE AUTHOR