Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Halloware Ransomware On Sale Now



I was paging through the new sites on the darknet from the spider and this page popped up. Upon opening it I saw the evil clown and thought RED ROOM but instead it’s a site offering a new-ish ransomware package by a person(s) calling themselves TNCYBERSQUAD or as I later found out a Turk with the handle of LUC1F3R. So the site says you can buy this new and undetected malware for a mere 40 bucks lifetime! They even give a scan on nodistribute that shows the executable not being detected by any of the AV vendors out there now. I poked around the site and checked the page listed in the clown image and found that their landing page for collection on their ransom is not fully operational. I could not get the link to their bitcoin system to work nor would the site render all the images either.

I expanded my search to see if I could use the hash from the nodistribute session and got no love at all on this. Of course the exe and the hash are brand new, with the actual dates on the testing and the offerings for this malware being from 11/30 to today. The only problem I have with this is that I cannot verify the sample as something that would not be seen as clean, because the hash, when searched, turns up absolutely nothing and the executable is not on offer unless you pay them as well as email them. So, this file could be just a lot of nothing in an attempt to scam people into dropping 40 bucks and getting nada.

MD5 HASH: b01230be6e42bf7210ce244ca493a697

I actually put a cutout address into the email on the page and hit send, and as yet I have nothing back from luc1f3r at all. In the interim though, I started looking outside the darknet for more and I found some interesting tidbits. First of which is that when you start looking for Halloware you come up with some YouTube videos and links to a site where this seems to have first been posted as a free download. The file downloaded is not the same as the one offered on the darknet and, when run through VT, comes up as a trojan.

This site is pretty open to just giving up contacts and the malware so I think this is just proof of concept and now they have moved on to application and monetization. I may go down the rabbit hole more on the email addresses and other details there but for now I don’t see this ransomware as a real threat to much of anybody unless the sample gets out and is then used by the masses. When I began looking at the code of the darknet site and links in other places I came up with another site outside the darknet that mirrors the hidden site but has some interesting code.

These guys are collecting IP addresses too

Anyway, I watched all the YouTube videos and basically Luc1fer shows how you can hide the malware as a file etc. in broken English on a text pad. He shows an IP address too and generally has crappy OPSEC.


All of this stuff seems predicated on a Python script and some manipulation, so I am not sure how they claim there is no programming knowledge needed to create the malware, but ok dude. I know that ransomware is all the rage but honestly this one seems kinda weak and maybe just a scam. I will keep an eye out for another sample though. Until then you may all want to take that hash from VT I pasted in above and add it to your systems to detect it. Luc1fer made the rounds today offering the malware and the darknet link on a bunch of shops, so maybe people will take em up on it and send out a blast.

I will update if I see more.

Have fun!

K.

Written by Krypt3ia

2017/12/01 at 18:16

Posted in Malware, Ransomware
