Updating malware to make certain it remains effective is a full-time job for many cybercriminals, but the bunch behind TorrentLocker ransomware has taken a decidedly lackadaisical approach.
ESET researcher Marc-Etienne M. Léveillé blogged that the very active TorrentLocker, also known as Crypt0l0cker, has for the most part remained the same since 2014 when ESET did an extensive review of this family of cryptoransoware.
“There are no significant changes in the distribution, C&C infrastructure or malware samples that would indicate it is a different ransomware. We believe the same gang operates it,” Léveillé wrote.
It is still spread through emails containing a link, some social engineering to make the recipient think the email has something to do with a bill or package tracking code. The link leads to a malware-laced document that asks to be downloaded. It also has remained a regional problem.
“While Locky is distributed massively worldwide, TorrentLocker will run campaigns in specific countries, and even avoids to spread in United States. This probably increase their chances to social engineer potential victims to run the malicious executable file and stay as much as possible under the radar,” Léveillé said.
While Locky and other ransomware variants are being constantly tinkered with, this is not always the case, Lysa Myers, ESET security researcher, told SCMagazine.com in emailed comments.
“Malware authors don't expend any more effort than necessary to get their payday, and this has been true as long as malware has been tied to a financial motive. For the vast majority of malware threats, if their existing work is still giving a good return on investment, there is no reason to use additional resources to add more bells and whistles to their threat,” Myers said.
A single group is believed to be behind TorrentLocker, Léveillé said, based on the common infrastructure seen across all campaigns.
It usage rate has also remained steady since the 2014 ESET study was conducted. Léveillé told SCMgazine.com via email that two years ago they saw just less than 700 compromises per day and he expects the numbers to be similar today.
With that said some tweaks have been made. There are now added layers of redirection leading to the malicious file, which now leads to a PHP script hosted on a compromised server. The senders have also added an obfuscated JavaScript file to the payload which is contained in a ZIP file.
The one significant alteration has to do with how it tries to contact its command and control server. Formerly, it tried to reach a hardcoded domain over HTTPS, but that has been switched to a random subdomain.
“What's interesting is that in case of failure, it now falls back on Tor hidden services. A small Tor implementation is statically linked into the binary ensuring it doesn't rely on external dependencies to connect to the Tor network successfully,” Léveillé wrote.
