Tox: Free Ransomware Toolkit Hits the Black Market

Thursday, June 04, 2015

Anthony M. Freed


Do-it-yourself malware toolkits have been available on the black market for a long time, but now researchers have discovered the first such toolkit for ransomware, one that lets users create their own extortion campaigns, and it’s free to use.

The toolkit, called “Tox,” allows would-be attackers to design their own personalized ransomware attack tool with advanced evasion capabilities, and the research team has confirmed that the malware performs as advertised by the developers.

“Out of the gate, the standard of antimalware evasion is fairly high, meaning the malware’s targets would need additional controls in place (HIPS, whitelisting, sandboxing) to catch or prevent this,” the researchers noted.

Tox employs Tor and allows the attackers to collect their fee for unlocking the maliciously encrypted files of targets in bitcoin, providing the attackers with a level of anonymity in their operations.

Users simply enter the amount of the ransom demand through the Tox GUI, define their “cause” if desired, enter a captcha code – ostensibly for security reasons – and they can begin their assault, with the developers of Tox taking a 20% cut of the ransom collected.

“This process creates an executable of about 2MB that is disguised as a .scr file. Then the Tox ‘customers’ distribute and install as they see fit. The Tox site (on the TOR network) will track the installs and profit. To withdraw funds, you need only supply a receiving Bitcoin address,” the researchers said.

“Upon execution, the malware encrypts the victims’ data and prompts them for the ransom, including the Bitcoin address for sending payment.”
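On the defensive side, the `.scr` disguise the researchers describe can be checked at a mail or download gateway. The triage below is an added example, not code from the researchers or the article; the function names, the decoy-extension list and the sample bytes are assumptions constructed for illustration.

```python
import struct
from pathlib import PureWindowsPath

SCR_EXT = ".scr"  # extension named in the article
# Assumption: document-style extensions commonly placed in front of .scr as a decoy.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(name: str, data: bytes) -> list[str]:
    """Return the reasons an inbound file should be held (empty list = pass).

    A screensaver is an ordinary Windows executable, so a .scr arriving by
    mail or download is treated like an .exe, whatever the name suggests.
    """
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    if not suffixes or suffixes[-1] != SCR_EXT:
        return []
    reasons = ["scr-extension"]
    # "invoice.pdf.scr" shows as "invoice.pdf" when Explorer hides extensions.
    if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
        reasons.append("double-extension")
    # Content check: confirms the file is runnable code, not a misnamed blob.
    if is_pe(data):
        reasons.append("pe-content")
    return reasons


# Constructed sample: the smallest byte string that passes the PE header check.
SAMPLE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"

if __name__ == "__main__":
    for fname, blob in [("invoice.pdf.scr", SAMPLE_PE),
                        ("holiday.SCR", b"not an executable"),
                        ("report.pdf", b"%PDF-1.4")]:
        print(fname, triage(fname, blob))
```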

Ransomware developers continue to rapidly evolve the sophistication of their malware by employing several levels of encryption, using Tor for command and control (C&C) communications, employing droppers that use multiple exploits, and using anti-VM and anti-emulation functionalities which obfuscate the malware when sandboxed.

Though Tox was described as lacking complexity and efficiency within the code, the researchers believe Tox is the beginning of a new trend in ransomware development that will certainly yield more advanced variations.

“We don’t expect Tox to be the last malware to embrace this model. We also anticipate more skilled development and variations in encryption and evasion techniques.”

This was cross-posted from the Dark Matters blog. 
