FuckUnicorn: ransomware disguised as an Immuni app

(by Davide Lo Prete)

The global health emergency has created numerous opportunities for cyber attacks. Healthcare infrastructure, as the attacks carried out against the World Health Organization (WHO) show, has proved to be a sensitive target. Italy has not been immune to these attacks.

On May 25, CERT-AgID revealed the existence of ransomware disguised as an anti-Covid app. The researcher JAMESWT discovered a malspam campaign in which the attackers "invite" recipients to download the malicious file IMMUNI.exe, which contains the FuckUnicorn ransomware.

In the email, citizens are invited to download the executable from a site imitating that of the Federation of Italian Pharmacist Orders (FOFI). The domain of the site created for the campaign is "fofl", while that of the Federation is "fofi": a single-character substitution that makes the scam more credible.

Once opened, the ransomware displays a fake dashboard of Covid-19 infection figures, mimicking the one created by the Center for Systems Science and Engineering (CSSE) at Johns Hopkins University. In the meantime, the files on the computer are encrypted and renamed with the extension ".fuckunicornhtrhrtjrjy". Once this is done, a ransom note appears demanding 300 € in bitcoin in exchange for releasing the data.

CERT-AgID reported in detail how the ransomware works. It uses AES in CBC mode with a randomly generated password, which is sent to the command and control (C&C) server reachable at http://116[.]203[.]210[.]127/write.php (URL defanged). Because the key leaves the host over plain HTTP, proxy logs and packet captures from the time of infection are worth preserving. Files are searched for in the following folders:

  • Desktop

  • Links

  • Contacts

  • Documents

  • Downloads

  • Pictures

  • Music

  • OneDrive

  • SavedGames

  • Favorites

  • Searches

  • Videos

It targets files with the following extensions: .txt, .jar, .exe, .dat, .contact, .settings, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .py, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .htm, .xml, .psd, .pdf, .dll, .c, .cs, .mp3, .mp4, .f3d, .dwg, .cpp, .zip, .rar, .mov, .rtf, .bmp, .mkv, .avi, .apk, .lnk, .iso, .7-zip, .ace, .arj, .bz2, .cab, .gzip, .lzh, .tar, .uue, .xz, .z, .001, .mpeg, .mp3, .mpg, .core, .crproj, .pdb, .ico, .pas, .db, .torrent
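As an added example (not CERT-AgID's tooling and not code from the article), the Python script below turns the indicators above into a host and proxy-log triage: it walks the listed profile folders for files carrying the appended ".fuckunicornhtrhrtjrjy" suffix and recovers each original file name, counts files whose extension is in the target list but which are not yet encrypted, and scans proxy log lines for requests to the key-exfiltration endpoint. It assumes the ransomware appends the suffix to the original name rather than replacing it; the profile tree, the reduced extension set, the log format and the log lines are constructed for the demo.

```python
"""Host and proxy-log triage for the FuckUnicorn indicators above.

Added example, not CERT-AgID's tooling. Only the indicators given in the
article are used: the appended extension, the profile folders the ransomware
walks, (a subset of) the targeted extensions and the key-exfiltration
endpoint http://116[.]203[.]210[.]127/write.php. The profile tree and the
log lines are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Suffix the ransomware adds to every encrypted file (assumed appended, not replaced).
RANSOM_EXT = ".fuckunicornhtrhrtjrjy"

# Folders under the user profile that the ransomware searches (from the article).
TARGET_FOLDERS = ["Desktop", "Links", "Contacts", "Documents", "Downloads",
                  "Pictures", "Music", "OneDrive", "SavedGames", "Favorites",
                  "Searches", "Videos"]

# Subset of the targeted extensions listed in the article (complete it from the list).
TARGET_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".zip",
               ".py", ".sql", ".exe", ".dll"}

# Endpoint the randomly generated AES password is sent to (defanged in the text).
C2_HOST = "116.203.210.127"
C2_PATH = "/write.php"

# Constructed proxy log format: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def find_encrypted(profile: Path) -> dict:
    """Map each target folder to a list of (encrypted_path, original_name)."""
    hits = {}
    for folder in TARGET_FOLDERS:
        root = profile / folder
        if not root.is_dir():
            continue
        for path in root.rglob("*" + RANSOM_EXT):
            # "report.docx.fuckunicornhtrhrtjrjy" -> "report.docx"
            original = path.name[:-len(RANSOM_EXT)]
            hits.setdefault(folder, []).append((path, original))
    return hits


def count_at_risk(profile: Path) -> int:
    """Count files in the target folders with a targeted extension that are not yet encrypted."""
    at_risk = 0
    for folder in TARGET_FOLDERS:
        root = profile / folder
        if not root.is_dir():
            continue
        for path in root.rglob("*"):
            # An encrypted file's suffix is the ransom extension, so it is never counted here.
            if path.is_file() and path.suffix.lower() in TARGET_EXTS:
                at_risk += 1
    return at_risk


def find_c2_beacons(log_lines) -> list:
    """Return (timestamp, client) for every request to the key-exfiltration endpoint."""
    beacons = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines that do not match the constructed format are skipped
        url = urlsplit(m.group("url"))
        if url.hostname == C2_HOST and url.path == C2_PATH:
            beacons.append((m.group("ts"), m.group("client")))
    return beacons


def build_demo_profile() -> Path:
    """Create a constructed user profile with encrypted, at-risk and untargeted files."""
    profile = Path(tempfile.mkdtemp(prefix="fuckunicorn-triage-"))
    samples = {
        "Documents/report.docx" + RANSOM_EXT: b"\x00ciphertext",
        "Documents/notes.txt" + RANSOM_EXT: b"\x00ciphertext",
        "Pictures/holiday.jpg" + RANSOM_EXT: b"\x00ciphertext",
        "Downloads/setup.exe": b"MZ",     # .exe is targeted, not yet encrypted
        "Downloads/IMMUNI.exe": b"MZ",    # stands in for the dropper (constructed, not the real sample)
        "Music/song.flac": b"fLaC",       # .flac is not in the target list
        "Temp/cache.txt": b"x",           # Temp is not one of the searched folders
    }
    for rel, data in samples.items():
        target = profile / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return profile


# Constructed proxy log lines; only the second one reaches the C&C endpoint.
DEMO_LOG = [
    "2020-05-25T10:02:11Z 10.0.0.15 GET http://www.example.org/ 200",
    "2020-05-25T10:02:13Z 10.0.0.15 POST http://116.203.210.127/write.php 200",
    "2020-05-25T10:03:40Z 10.0.0.21 GET http://116.203.210.127/index.html 404",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    profile = build_demo_profile()
    for folder, files in find_encrypted(profile).items():
        for enc, original in files:
            print(f"[encrypted] {folder}/{enc.name}  (was {original})")
    print("files still at risk:", count_at_risk(profile))
    for ts, client in find_c2_beacons(DEMO_LOG):
        print(f"[c2] {client} contacted the key-exfiltration endpoint at {ts}")
```

To use it on a real case, pass Path.home() (or the profile root of a mounted disk image) to find_encrypted and count_at_risk, complete TARGET_EXTS from the list in the article, and adapt LOG_RE to the format of the proxy export before feeding it to find_c2_beacons. Matching on host and path rather than on the IP alone keeps the third log line, which only touches the same host, out of the key-exfiltration hits; a broader host-only rule is a reasonable second query once the first one confirms the campaign.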

CERT-AgID has stated that, for the moment, no transactions have been recorded on the bitcoin address indicated in the ransom note.
Ransomware, together with phishing emails, is increasingly used by criminal hackers because it is cheap and easy to deploy.

How to counter these attacks?

In 2016, Europol's European Cybercrime Centre (EC3) launched an initiative in collaboration with the National High Tech Crime Unit of the Dutch police and McAfee to help victims recover their data without paying the criminals.

The initiative, No More Ransom (NMR), also aims to prevent attacks by educating users on the countermeasures to adopt. In particular, the initiative's website (https://www.nomoreransom.org/it/prevention-advice.html) lists the following measures:

  • Back up your data, "so that a ransomware infection cannot destroy your data permanently". Ideally keep one backup in the cloud and one on a physical medium that stays disconnected from the computer; a folder synchronised by a desktop client is not an offline copy, and OneDrive is among the folders this ransomware encrypts.

  • Use robust antivirus software.

  • Keep the software on the computer up to date, installing new versions of the operating system as they are released.

  • Do not open email attachments from strangers.

  • Enable the "Show file extensions" option in the Windows settings (the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced set to 0), which makes it easier to recognise an executable such as IMMUNI.exe for what it is.

The IMMUNI app has been, and still is, the subject of considerable debate over potential data-protection weaknesses. Even before the contact-tracing application was launched, however, attackers had already found ways to profit from it illicitly, both financially and in terms of data.

Images: web / CERT-AgID