SpriteCoin: Another New CryptoCurrency…or NOT!
January 2018 by Fortinet
Fortinet FortiGuard Labs has come across a ransomware that only accepts Monero – an open source cryptocurrency created in 2014 – for payment, signaling a shift away from the widely used and accepted standard Bitcoin in the ransomware space. Ransomware authors are aware of current trends and events, and appear to be taking advantage of all the hype surrounding the cryptocurrency craze.
This latest ransomware not only asks for payment in Monero, but also pretends to be a cryptocurrency-related password store. The malware masquerades as a “spritecoin” wallet and asks the user to create a password for it. It never downloads any blockchain; instead it quietly encrypts the victim’s data files and then demands a ransom in Monero in return for decrypting them. The file (also seen in the wild as spritecoind[.]exe) is UPX packed for simple evasion: packing hides strings and imports from naive static scanning, but UPX is trivially reversed (upx -d), so it costs an analyst little. It displays the typical “Your files are encrypted” ransom note and asks for 0.3 Monero, equivalent to roughly $105 USD at the time of writing.
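The packing observation above is the first thing a triage script should confirm before bothering with strings or hashes. As an added example (written here, not Fortinet’s code and not derived from the sample), the following Python walks the PE header by hand with no third-party dependency and reports the UPX section names. The build_fake_pe helper fabricates a minimal PE image so the check can run offline; it is an assumption of the example, not a real binary.

```python
import struct

# Section names UPX gives a packed PE image. A match is a triage signal that the
# sample is packed and needs unpacking ("upx -d") before static analysis, not proof
# of malice on its own.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def pe_section_names(data):
    """Return the section names of a PE image, or [] if data is not a parseable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF file header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size
    names = []
    for i in range(num_sections):
        off = table + i * 40          # IMAGE_SECTION_HEADER is 40 bytes; Name is its first 8
        if off + 40 > len(data):
            break                     # truncated section table: stop rather than read past EOF
        raw = data[off:off + 8].rstrip(b"\0")
        names.append(raw.decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """True if the image carries UPX section names or the 'UPX!' magic UPX writes into its own header."""
    if any(n in UPX_SECTION_NAMES for n in pe_section_names(data)):
        return True
    return b"UPX!" in data


def build_fake_pe(section_names):
    """Constructed test image, not a real binary: DOS header, PE signature,
    COFF header, a zeroed PE32 optional header and a section table with the given names."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header right after the DOS header
    opt_size = 224                                      # size of a PE32 optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH",
                                   0x14C,              # Machine: i386
                                   len(section_names),
                                   0, 0, 0,            # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
                                   opt_size,
                                   0x102)              # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + coff + bytes(opt_size) + sections


if __name__ == "__main__":
    for label, names in (("packed", ["UPX0", "UPX1", ".rsrc"]),
                         ("clean", [".text", ".data", ".rsrc"])):
        img = build_fake_pe(names)
        print(label, pe_section_names(img), "UPX?", looks_upx_packed(img))
```

Run it against a real file by replacing the fabricated image with open(path, "rb").read(). Section names are a heuristic: a packer can rename them, and a clean image can contain the string "UPX!" by accident, so treat a hit as a reason to unpack and re-examine, not as a verdict.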
During our analysis we saw indicators that the sample has an embedded SQLite engine, which leads us to believe it uses SQLite to store harvested credentials. Note that Chrome’s own password store (the Login Data file in the user profile) is itself a SQLite database, so an embedded engine is also exactly what is needed to read it. The ransomware first tries to harvest Chrome credentials; if it finds none, it moves on to the Firefox credential store. It then looks for specific file types to encrypt, and each encrypted file is renamed with an .encrypted extension appended to its original name (e.g. resume.doc becomes resume.doc.encrypted).
Adding insult to injury, during the decryption phase another piece of malware is deployed, with capabilities including certificate harvesting, image parsing, and web camera activation. In other words, paying the ransom and running the decryptor does not leave the victim with a clean machine.
Kill Chain Analysis
Below is a quick kill-chain analysis of the SpriteCoin Ransomware threat.