TeamXRat: Brazilian cybercrime meets ransomware

Brazilian cybercriminals are notorious for their ability to develop banking trojans, but now they have started to focus their efforts on new areas, including ransomware. We discovered a new variant of a Brazilian-made ransomware, Trojan-Ransom.Win32.Xpan, that is being used to infect local companies and hospitals, directly affecting innocent people: it encrypts their files with the extension “.___xratteamLucked” and demands a ransom payment.

The Kaspersky Anti-Ransom team decrypted the Xpan Trojan, allowing them to rescue the files of a hospital in Brazil that had fallen victim to this ransomware family.

Actually, this is not the first ransomware to come out of Brazil. In the past, we investigated TorLocker and its flawed encryption, which was created and negotiated worldwide by a Brazilian cybercriminal. We also saw a lot of copycats use HiddenTear in local attacks. Trojan Ransom Xpan was created by an organized gang, which used targeted attacks via RDP that abused weak passwords and flawed RDP deployments.

In this post, we’ll explain this new ransomware family and how Brazilian coders are creating new ransomware from scratch.

The group behind the attack

The group identifies itself as “TeamXRat” and “CorporacaoXRat” (translating from Portuguese to English as “CorporationXRat”).

Their first ransom trojan used a simple XOR-based encryption, described by some victims here (most of the victims are in Brazil). The new version of Xpan shows that the cybercriminals behind it have improved the code to make it more complex and have switched the encryption scheme.

The ransom texts used by the group are written in Brazilian Portuguese. The messages do not say how much the victim has to pay to retrieve their files, nor the payment method required (usually Bitcoin). Instead, they instruct the victim to send an email to one of the anonymous email services Mail2Tor or Email.tg (for example, corporacaoxrat@mail2tor.com, xRatTeam@mail2tor.com and xratteam@email.tg), providing the public key used by the ransomware to encrypt the files. Older versions of this ransomware also used accounts at another email service, Protonmail, such as corporacaoxrat@protonmail.com, which is currently deactivated.

When the victim gets in touch with the group, they start to negotiate the ransom payment. All communication is in Portuguese and they request 1 BTC (about 603 USD) to decrypt the files. The group also claims that the payment is a “donation”, arguing that “they exploited flaws in your system and carried out the attack in order to make sure you increase your security”. Finally, the cybercriminals also offer to decrypt one file for free:

“For me only the ‘donation’ is important. Not your files. If your files are important to you, I advise you to make the donation; otherwise, you’ll lose all your files”

Xpan, how it works

The sample is UPX packed. Once executed, it checks the default language of the infected system, read from the following registry key: HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE

In addition, it is able to query the local time and obtain the computer name from the registry, and it runs several commands such as net.exe, sc.exe and taskkill.exe. Interestingly, it also deletes any proxy setting defined in the system, located in: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP.

Since the targets are companies and corporations, the victim organizations might use proxies that block access to certain web resources. It is highly probable that this technique is used to “set the victim free” to email the attackers or reach Bitcoin resources online.

After completing its execution, the ransomware displays the following image on the affected system:

“All your files were encrypted using a RSA 2048 bits encryption”

The sample is written in C++ and uses STL, and is built as a console application. During its execution, it logs all its actions to the console, only to clear it once the encryption process has finished.

The operation of this malware is ‘guided’ by the configuration data block stored inside the body of the Trojan:

Decrypted configuration block

The configuration contains the following details:

  • Drive letters which will be processed;
  • Blacklisted substrings: files whose path contains any of these strings will not be encrypted;
  • Ransomware text message for the victim;
  • Extension of the encrypted files (in this case .____xratteamLucked);
  • Name of the file with ransom notes;
  • Console commands to be executed prior to the process of file encryption;
  • Console commands to be executed after the encryption;
  • A public RSA-2048 key in the MSBLOB format.
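The configuration's public key is stored in the Microsoft CryptoAPI PUBLICKEYBLOB layout (a BLOBHEADER, an RSAPUBKEY header with the “RSA1” magic, then the little-endian modulus). The following parser is an added example for analysts triaging a dump of such a configuration block; it is not code from the original post or from Kaspersky, the sample blob is constructed here, and the builder function exists only to produce that sample.

```python
import struct

# Field values from the CryptoAPI PUBLICKEYBLOB layout (BLOBHEADER + RSAPUBKEY + modulus).
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = 0x31415352  # the ASCII bytes "RSA1" read as a little-endian DWORD

def parse_msblob_rsa_public_key(blob: bytes) -> dict:
    """Validate a PUBLICKEYBLOB and return its bit length, public exponent and modulus."""
    if len(blob) < 20:
        raise ValueError("blob too short for BLOBHEADER + RSAPUBKEY")
    btype, bversion, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    if btype != PUBLICKEYBLOB or bversion != CUR_BLOB_VERSION:
        raise ValueError("not a version-2 PUBLICKEYBLOB")
    if alg_id != CALG_RSA_KEYX:
        raise ValueError(f"unexpected key algorithm 0x{alg_id:08x}")
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if magic != RSA1_MAGIC:
        raise ValueError("RSAPUBKEY magic mismatch (expected 'RSA1')")
    if bitlen % 8 != 0:
        raise ValueError("bit length is not a multiple of 8")
    mod_len = bitlen // 8
    if len(blob) < 20 + mod_len:
        raise ValueError("blob truncated: modulus shorter than declared bitlen")
    # CryptoAPI stores the modulus little-endian, unlike DER/PEM encodings.
    modulus = int.from_bytes(blob[20:20 + mod_len], "little")
    return {"bitlen": bitlen, "exponent": pubexp, "modulus": modulus}

def build_msblob_rsa_public_key(modulus: int, exponent: int = 65537) -> bytes:
    """Serialise (n, e) as a PUBLICKEYBLOB; used here only to construct the test sample."""
    bitlen = ((modulus.bit_length() + 7) // 8) * 8
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapubkey = struct.pack("<III", RSA1_MAGIC, bitlen, exponent)
    return header + rsapubkey + modulus.to_bytes(bitlen // 8, "little")

# Constructed sample: a 2048-bit odd integer standing in for a real campaign modulus.
SAMPLE_MODULUS = (1 << 2047) | 0x10001
SAMPLE_BLOB = build_msblob_rsa_public_key(SAMPLE_MODULUS)

if __name__ == "__main__":
    key = parse_msblob_rsa_public_key(SAMPLE_BLOB)
    print(f"RSA-{key['bitlen']} e={key['exponent']} n=0x{key['modulus']:x}")
```

Comparing the parsed modulus across samples lets an analyst tell which samples share one attacker key pair, and therefore which victims a single private key would cover.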

Part of the pseudocode of the main procedure

From Xorist to Xpan

A previous ransomware sample that was believed to be part of the TeamXRat ransomware campaign used a simple encryption algorithm known as TEA (or Tiny Encryption Algorithm). After comparing this original version (dubbed Xorist) against this new Xpan variant, we could observe that now they are using an AES-256 encryption scheme.

Xorist ransomware TEA constant

Xpan ransomware now has evolved to use AES-256 encryption

Comparison of Xorist and Xpan:

  • Persistence: Xorist starts automatically when the user logs in, using the registry key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run; Xpan uses no persistence.
  • Encryption: Xorist uses the Tiny Encryption Algorithm; Xpan uses AES-256.
  • Build: Xorist is written in ASM and linked with the MS Linker; Xpan is written in C++ and built with the MinGW compiler.
  • Target files: Xorist includes a list of file extensions to be encrypted; Xpan encrypts everything except .exe and .dll files and files with blacklisted substrings in the path.

The developers have clearly shifted their development procedures in the Xpan malware. It’s typical for cybercriminals to evolve their techniques once a decryption method has been found for their ransomware, or that specific variant is widely detected.

List of file extensions that Xorist ransomware will search and encrypt

File Encryption

The trojan uses the implementation of cryptographic algorithms provided by MS CryptoAPI. The files are encrypted by AES-256 in CBC mode.

There are 2 known versions of this trojan that can be distinguished by their extensions. The 1st one uses “___xratteamLucked” (3 ‘_’ symbols) and the second one uses “____xratteamLucked” (4 ‘_’ symbols).

These 2 versions employ different techniques to encrypt the files, which we will describe in more detail.
