TFlower Ransomware infects users via exposed unpatched RDP services

The initial infection vector for this malware appears to be exposed, unpatched Remote Desktop services, but it can also include email spam and malicious attachments, deceptive downloads, botnets, malicious ads, web injects, fake updates, and repackaged and infected installers. Once a malicious actor has infected a system, they may attempt to move laterally across the network using tools such as PowerShell Empire, PSExec, etc.

The malware will initially contact a Command and Control (C2) server to indicate its readiness to encrypt the contents of the target system. It will then delete shadow copies and disable recovery features in Windows 10, and create persistence by adding a key in the logged-in user’s software registry hive. It will encrypt files and mark them by inserting the string “*tflower” at the beginning of each file, but it will not change the filename.

Finally, the malware will update the C2 server and leave a ransom note named “!_Notice_!.txt” placed throughout the computer and on the Windows Desktop.
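Because TFlower leaves filenames untouched, a defender cannot spot encrypted files by extension; the content marker and the dropped note are the usable host indicators. The following triage script is an added example (not code from the original post or from any vendor) that walks a directory tree for files beginning with the “*tflower” marker and for “!_Notice_!.txt” notes, and separately matches the “proxycap” Run-key value name against registry data that has already been exported (so it runs on any platform). The sample tree it builds is constructed test data, and the helper names are assumptions of this example.

```python
"""Host triage for TFlower ransomware indicators (added example, not from the
original post). Checks the two on-disk artefacts the write-up describes:
files whose content begins with "*tflower" (filenames are unchanged, so the
extension tells you nothing) and ransom notes named "!_Notice_!.txt". A third
helper matches the HKCU Run persistence value name "proxycap" against
name->command pairs already exported from the registry."""

import os
import tempfile
from pathlib import Path
from typing import Dict, List

MARKER = b"*tflower"            # prefix the malware inserts into each encrypted file
RANSOM_NOTE = "!_Notice_!.txt"  # filename of the note dropped across the system
RUN_VALUE_NAME = "proxycap"     # value name written under HKCU\...\CurrentVersion\Run


def has_tflower_marker(path: Path) -> bool:
    """Return True if the file begins with the "*tflower" marker."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(MARKER)) == MARKER
    except OSError:
        return False  # locked or unreadable file: skip rather than abort the sweep


def find_tflower_artifacts(root: str) -> Dict[str, List[str]]:
    """Walk `root` and collect marked (encrypted) files and ransom notes."""
    encrypted: List[str] = []
    notes: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(str(p))
            elif has_tflower_marker(p):
                encrypted.append(str(p))
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Given name->command pairs read from the HKCU Run key (e.g. parsed from a
    `reg export`), return the value names matching TFlower's persistence entry.
    The value name is the stable indicator; the executable path varies per victim."""
    return [name for name in run_values if name.lower() == RUN_VALUE_NAME]


def build_sample_tree() -> str:
    """Create a constructed sample tree (hypothetical data) for a dry run:
    two marked files, one clean file, and two ransom notes."""
    root = tempfile.mkdtemp(prefix="tflower_demo_")
    sub = Path(root, "Documents")
    sub.mkdir()
    Path(root, "report.docx").write_bytes(MARKER + b"\x9a\x11opaque ciphertext...")
    Path(sub, "photo.jpg").write_bytes(MARKER + b"\x00\x42more ciphertext...")
    Path(sub, "readme.txt").write_bytes(b"plain, untouched file")
    Path(root, RANSOM_NOTE).write_text("IMPORTANT NOTICE THAT IS URGENT AND TRUE\n")
    Path(sub, RANSOM_NOTE).write_text("IMPORTANT NOTICE THAT IS URGENT AND TRUE\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = find_tflower_artifacts(demo_root)
    print("marked files:", result["encrypted"])
    print("ransom notes:", result["notes"])
    # Constructed Run-key export: one benign entry, one matching the IoC.
    sample_run = {"OneDrive": "C:\\Users\\victim\\OneDrive.exe /background",
                  "proxycap": "C:\\Users\\victim\\AppData\\Local\\Temp\\chilli.exe"}
    print("suspicious Run values:", suspicious_run_entries(sample_run))
```

Run the script as-is for a dry run against the constructed tree, or call `find_tflower_artifacts()` on a real mount point during incident response; the marker check reads only the first eight bytes of each file, so sweeping a large volume is cheap. Reading the marker from content rather than from the filename is the point of the design, since this family gives you no extension to filter on.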

TFlower is still being researched, so it is not known at this time if there are any weaknesses in the encryption that could allow a user to get their files back for free.

Ransom Note Text

IMPORTANT NOTICE THAT IS URGENT AND TRUE
          =================================================================

Dear Sir/Ma,

Sorry to inform you but many files of your COMPANY has just been ENCRYPTED with a STRONG key.
This simply means that you will not be able to use your files until it is decrypted by the same key used in encrypting  it.

TO get the DECRYPT TOOL for your COMPANY, you have to make payment to us so as to recover your files.

                                    NOTE
        ======================================================================

You may upload 1 of your encrypted files to test the decryption for free.
But, the file should not contain any valuable information.

E-MAIL Address:=>>

[email protected]
[email protected]

IOCs

Hashes:

6c75998580fb05c01b10f4703299ffd782bec55c8765c030b8a4760fff6045fe

Associated Files:

!_Notice_!.txt
chilli.exe

Registry Entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "proxycap"="[path_to]\[ransomware].exe"

Associated Email Addresses:

[email protected]
[email protected]

Duncan Newell

Duncan is a technology professional with over 20 years’ experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
