In the vein of fake computer lockers everywhere, such as the Trojan.Ransomlock, Trojan.Fakeavlock, and Trojan.Winlock families, comes Trojan.Shadowlock. Unlike any of its predecessors however, this malware “encourages” users to fill out an online survey instead of outright demanding an online payoff. Online surveys in general return very little money, but they do eventually add up in the long run. In this case, it turns out the malware author has a sense of humor and left in a certain Easter egg for reverse engineers to find. The Easter egg is a sound bite of the famous five-tone motif from the movie Close Encounters of the Third Kind. The sound is iconic and has been used many times in all kinds of media. In this case, the malware author decided to implement it as part of the way the malware compromises the user’s computer.
Once executed, the user will be shown a popup box.
Figure 1. Popup box to unlock computer
This box will stay on the screen, but can be moved around. If the user attempts to close the box by clicking the X button, the program interprets this as a failed unlock attempt. Attempts to disable the malware through various tools like Task Manager, Command Prompt, PowerShell, Regedit, or MSConfig will be denied by the Trojan. Even tying to launch a restore point will be stopped by Trojan.Shadowlock. After three failed attempts to input the unlock code, the threat will shut down the system. Once the user restarts their computer, the popup box will return after 20 seconds. This provides the user 20 seconds to utilize the previously mentioned tools to neutralize the threat. It seems that this particular malware author is not that destructive. If the user chooses to take the survey, they will be presented with a list of different surveys to choose from.
Figure 2. Survey list
A closer look at the code reveals a few interesting tidbits. One, it has been created using .NET and requires at least version 2.0 of the .NET framework to be installed in order to function properly. By reviewing it with a .NET decompiler, we can see the inner workings of Trojan.Shadowlock.
Figure 3. Top layer of Trojan.Shadowlock
The top layer of Trojan.Shadowlock deals with decrypting resources. After decryption, upon analyzing the resource Loqvd, we found that it contains several functions including BotKill() and EraseStartup() which are never used by the threat. However, other functions, like ones used to decompress files, are used by the threat. The top layer is used to decrypt all three resources. Afterwards, Loqvd is then used to decompress the decrypted versions of Egg and Iudu resources. The main payload is in the Iudu resource. The author more than likely knows that .NET executables can be decompiled like this and added one more layer in an attempt to make analysis more difficult.
Figure 4. Iudu resource decrypted and uncompressed
Interestingly enough, a vast majority of these functions are never called in the code. Two possibilities come to mind. One is that the author may have found some code and added the survey scam on top of it. The other possibility is that the author may be testing the waters, so to speak. These functions (as well as others) may find themselves being used in a future variant. At Symantec, we protect our customers by detecting this threat as Trojan.Dropper, Trojan Horse, or Trojan.Shadowlock. According to our telemetry, this threat is not widespread. Be advised however, if you see your CD tray opening and hear eerie theme music, you may be experiencing a close encounter of the Shadowlock kind.
Leave a reply