Fake Google Software Updates Spread New Ransomware

Threat actors are increasingly using fake Microsoft and Google software updates to try to sneak malware onto target systems.

The latest example is “HavanaCrypt,” a new ransomware tool that researchers from Trend Micro recently discovered in the wild disguised as a Google Software Update application. The malware’s command-and-control (C2) server is hosted on a Microsoft Web hosting IP address, which is somewhat uncommon for ransomware, according to Trend Micro.

Also notable, according to the researchers, are HavanaCrypt’s many techniques for checking whether it is running in a virtual environment; the malware’s use of code from the open source key manager KeePass Password Safe during encryption; and its use of a .NET function called “QueueUserWorkItem” to speed up encryption. Trend Micro notes that the malware is likely a work in progress because it does not drop a ransom note on infected systems.

HavanaCrypt is among a growing number of ransomware tools and other malware that in recent months have been distributed in the form of fake updates for Windows 10, Microsoft Exchange, and Google Chrome. In May, security researchers spotted ransomware dubbed “Magniber” doing the rounds disguised as Windows 10 updates. Earlier this year, researchers at Malwarebytes observed the operators of the Magnitude Exploit Kit trying to fool users into downloading it by dressing the malware as a Microsoft Edge update.

As Malwarebytes noted at the time, fake Flash updates used to be a fixture of Web-based malware campaigns until Adobe finally retired the technology because of security concerns. Since then, attackers have been using fake versions of other frequently updated software products to try to trick users into downloading their malware, with browsers being one of the most frequently abused.

Creating fake software updates is trivial for attackers, so they tend to use them to distribute all classes of malware including ransomware, info stealers, and Trojans, says an analyst with Intel 471 who requested anonymity. “A non-technical user might be fooled by these techniques, but SOC analysts or incident responders will probably not be fooled,” the analyst says.

Security experts have long noted the need for organizations to have multi-layered defenses in place to protect against ransomware and other threats. This includes having controls for endpoint detection and response, user and entity behavior-monitoring capabilities, network segmentation to limit damage and limit lateral movement, encryption, and strong identity and access control, including multi-factor authentication.

Because adversaries often target end users, it is also important for organizations to have strong practices in place for educating users about phishing threats and social engineering scams designed to get them to download malware or follow links to credential harvesting sites.

How HavanaCrypt Operates

HavanaCrypt is .NET malware that uses an open source tool called Obfuscar to obfuscate its code. Once deployed on a system, HavanaCrypt first checks whether the “GoogleUpdate” registry is present on the system and only continues with its routine if the malware determines the registry is not present.

The malware then goes through a four-stage process to determine whether the infected machine is in a virtualized environment. First it checks the system for services such as VMWare Tools and vmmouse that virtual machines typically use. Then it looks for files related to virtual applications, followed by a check for specific file names used in virtual environments. Finally, it compares the infected system’s MAC address with unique identifier prefixes typically used in virtual machine settings. If any of the checks show the infected machine to be in a virtual environment, the malware terminates itself, Trend Micro said.

Once HavanaCrypt determines it is not running in a virtual environment, the malware fetches and executes a batch file from a C2 server hosted on a legitimate Microsoft Web hosting service. The batch file contains commands for configuring Windows Defender in such a manner that it allows detected threats. The malware also stops a long list of processes, many of which are related to database applications such as SQL and MySQL or to desktop applications such as Microsoft Office.

HavanaCrypt’s next steps include deleting shadow copies on the infected systems, deleting functions for restoring data, and gathering system information such as the number of processors the system has, processor type, product number, and BIOS version. The malware uses the QueueUserWorkItem function and code from KeePass Password Safe as part of the encryption process.
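The pre-encryption steps described above (Defender set to allow threats, a burst of process kills, shadow copy and recovery removal) are individually common but rarely occur together on one host, which makes the chain a useful detection. The following is an added example, not code from Trend Micro or the article: the log format, host names, regular expressions and thresholds are assumptions, and the patterns are common Windows command forms rather than HavanaCrypt's actual commands.

```python
import re
from collections import defaultdict

# Behaviours named in the article mapped to command-line patterns. The patterns
# are assumptions (common Windows forms), not commands taken from HavanaCrypt.
RULES = {
    "shadow_copy_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no"
        r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "defender_allows_threats": re.compile(
        r"Set-MpPreference\b.*-\w*ThreatDefaultAction\s+(Allow|6)\b", re.I),
    "process_kill": re.compile(r"taskkill(\.exe)?\s+.*?/im\s+\S+", re.I),
}
KILL_BURST = 5   # assumed: kills on one host before "process_kill" counts
CHAIN_MIN = 3    # assumed: distinct behaviours on one host that raise an alert

def detect(lines):
    """Return {host: sorted behaviours} for hosts showing >= CHAIN_MIN of them."""
    hits, kills = defaultdict(set), defaultdict(int)
    for line in lines:
        _ts, host, cmd = line.split(" ", 2)   # "timestamp host command line"
        for name, rx in RULES.items():
            if not rx.search(cmd):
                continue
            if name == "process_kill":
                kills[host] += 1              # one kill is routine admin work
                if kills[host] < KILL_BURST:
                    continue
            hits[host].add(name)
    return {h: sorted(b) for h, b in hits.items() if len(b) >= CHAIN_MIN}

# Constructed sample records; hosts, times and process names are made up.
KILLED = ["sqlservr.exe", "mysqld.exe", "winword.exe", "excel.exe", "outlook.exe"]
SAMPLE = (
    ["2022-07-12T10:00:01Z WS-01 powershell.exe Set-MpPreference -HighThreatDefaultAction Allow"]
    + [f"2022-07-12T10:00:0{i + 2}Z WS-01 taskkill.exe /f /im {p}" for i, p in enumerate(KILLED)]
    + ["2022-07-12T10:00:08Z WS-01 vssadmin.exe delete shadows /all /quiet",
       "2022-07-12T10:00:09Z WS-01 bcdedit.exe /set {default} recoveryenabled No",
       "2022-07-12T11:30:00Z DB-02 vssadmin.exe list shadows",
       "2022-07-12T11:31:00Z DB-02 taskkill.exe /im notepad.exe"]
)

if __name__ == "__main__":
    for host, behaviours in detect(SAMPLE).items():
        print(host, "ALERT:", ", ".join(behaviours))
```

Because the rules key on host behaviour rather than on where the C2 server is hosted, they still fire when the infrastructure sits on a legitimate hosting service.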

“QueueUserWorkItem is a standard method for creating thread pools,” says the analyst from Intel 471. “The use of thread pools will speed up encryption of the files on the victim machine.”

With KeePass, the ransomware author has copied code from the password manager tool and used this code in their ransomware project. “The copied code is used to generate pseudorandom encryption keys,” the analyst notes. “If the encryption keys were generated in a predictable, repeatable way, then it might be possible for malware researchers to develop decryption tools.”

The attacker’s use of a Microsoft hosting service for the C2 server highlights the broader trend by attackers to hide malicious infrastructure in legitimate services to evade detection. “There is a great deal of badness hosted in cloud environments today, whether it’s Amazon, Google, or Microsoft and many others,” says John Bambenek, principal threat hunter at Netenrich. “The highly transient nature of the environments makes reputation systems ineffective.”