BitPaymer Malware was used to target medical institutions via remote desktop protocol and other email-related techniques, momentarily shutting down routine services for a high ransom. Security researchers later published evidence that not only was DRIDEX dropping BitPaymer, but that it also came from the same cybercriminal group.
Trend Micro has a detailed article describing the execution chain of these malware.
Infection Flow
Malware routine can be found on the following virus report:
- Threat Encyclopedia: Ransom.Win32.BITPAYMER.TGACAM
- Security News: Apple iTunes, iCloud Zero-Day Exploited to Inject BitPaymer Ransomware in Windows PCs
Indicators of Compromise
| Hash | Detection Name |
|---|---|
| f8ed1a7ec231cd0aaeee9498541e822133d406d8 | Ransom.Win32.BITPAYMER.TGACAM |
| 47ff3a11ca6f1c088799afaaafadcd46b89f44ac | TROJ_GEN.R011C0WGA19 |
| 94b37a49c91f8bae7817be8892520c8e50ce62d5 | Ransom.Win32.BITPAYMER.TGACAM |
| fea875bee31434f43bba4384cade7bba83af6404 | TROJ_GEN.R007C0PAG20 |
| 66bb444ea7e54b7f6b6a1305bed3556191ceeaf2 | TROJ_GEN.R03FC0DFH19 |
| babcc902eb4fda6824a9f63fea9267e21eb256ae | TROJ_GEN.R011C0PFO19 |
| 3752eaae8633c361a26aa763e2688ecf62c1a61f | TROJ_GEN.R011C0PFI19 |
| bc2b35e453a31cda3b430ff25391c66899981d2a | TROJ_GEN.R011C0RFF19 |
| adf3580cc8115d206ed15a881bb8144dec068b18 | Ransom.Win32.ICRYPT.AG |
| 8abc0909a346553236e05f2fa8c12da7925440d0 | TROJ_GEN.R011C0RFE19 |
| 84b1513647a3c15614741724e4cbec32e7b4af69 | TROJ_GEN.R011C0WF719 |
| 195157993bffdd51e4bd2fe2ac5fcc0971033db7 | TROJ_GEN.R011C0WF219 |
| 233aa2f1d460d9588607933b8cab1844efeff5db | Backdoor.Win32.DRIDEX.THEBCAI |
| SOLUTION MODULES | PATTERN BRANCH | RELEASE DATE | DETECTION/POLICY/RULES |
|---|---|---|---|
| PREDICTIVE LEARNING (TRENDX) | In-the-Cloud | In-the-Cloud | TROJ.Win32.TRX.XXPE50FFF032 |
| FILE DETECTION (VSAPI/SMART SCAN) AND ADVANCED THREAT SCAN ENGINE (ATSE) | 15.433.00 | 15/10/2019 | Ransom.Win32.BITPAYMER.TGACAM TROJ_GEN.R011C0WGA19 TROJ_GEN.R007C0PAG20 TROJ_GEN.R03FC0DFH19 TROJ_GEN.R011C0PFO19 TROJ_GEN.R011C0PFI19 TROJ_GEN.R011C0RFF19 Ransom.Win32.ICRYPT.AG TROJ_GEN.R011C0RFE19 TROJ_GEN.R011C0WF719 TROJ_GEN.R011C0WF219 Backdoor.Win32.DRIDEX.THEBCAI |
| BEHAVIORAL MONITORING (AEGIS) | RAN4052T, MALWARE BEHAVIOR BLOCKING | ||
| SANDBOX SOLUTION | VAN_RANSOMWARE.UMXX | ||
| DEEP SECURITY | 1007596 - Identified Suspicious File Extension Rename Activity Over Network Share | ||
| 1007598 - Identified Suspicious Rename Activity Over Network Share | |||
| TIPPINGPOINT | 36513 TCP FBitPaymer Ransomware - Payload Transfer Detection |
Actions to Take:
Make sure that your product software is patched and up to date. Please refer to these KB articles:
- SECURITY BULLETIN: Directory Traversal Vulnerability in Trend Micro Apex One, OfficeScan and Worry-Free Business Security
- SECURITY BULLETIN: Multiple Critical Vulnerabilities in Trend Micro Apex One and OfficeScan
Trend Micro Endpoint Product using best practice should be able to detect and clean this malware. Refer to the KB article, Best practices in configuring OfficeScan (OSCE) for malware protection, for more information.
For machines that are isolated or without agents installed, you can use ATTK online Clean Tool to clean the infected machine.
