Remote Attack Cryptocontainer Vulnerabilities

    Today, cryptocontainers are used to store confidential information both on users' personal computers and in the corporate environment of companies and organizations and can be created using almost any encryption program. Their wide distribution is due, first of all, to the convenience of working with encrypted files and the possibility of implementing "encryption on the fly."

    However, not all users realize how vulnerable files become in the cryptocontainer after it is connected as a logical drive of the operating system and how easy it is to steal them from there. This was the reason for writing this article, which, using a specific example, will show how to steal information placed in a cryptocontainer created using TrueCrypt encryption program, which is practically a cult in RuNet. However, the same is true for any other program that allows you to create cryptocontainers and does not have other additional functions to protect the encrypted data stored in them.

    image

    Let's look at the following example. Suppose there is a certain AAA organization that stores valuable information on its server (which is used as a regular PC), which several employees of this organization have access to. Confidential files are stored in a cryptocontainer created using TrueCrypt. In order for employees allowed to this information to be able to work with it throughout the whole working day, the cryptocontainer is mounted at the beginning (for example, by the system administrator of this organization) and dismantled at the end. The company's management is confident that, since their confidential files are stored on the cryptocontainer in an encrypted form, they are reliably protected.

    In order to understand the dangers threatening this organization, let us briefly imagine ourselves in the role of a not-so-honest rival company, BBB, which wants to acquire AAA's confidential information. You can implement your plan in several stages:

    1. Download DarkComet RAT- a hidden remote administration utility that was officially created for the legitimate management of a remote system. It’s hard to say how pure the thoughts of Jean-Pierre Lesier, the developer of DarkComet, were. Perhaps, just as Albert Einstein could not imagine at one time that the atomic energy he discovered would first find practical use in the atomic bomb, he also did not expect that his development would soon be effectively used by hackers around the world, and the Syrian government, for example, was using program against the opposition in the Syrian conflict .

    DarkComet has many functions:
    - file manager;
    - manager of open windows, running tasks, active processes;
    - management of startup and services;
    - remote registry management;
    - the installing and deleting of programms;
    - capture control of a remote machine using VNC technology;
    - taking screenshots from a remote screen;
    - interception of sound from a microphone and video from internal or external cameras, etc.

    Of course, all this allows you to use DarkComet as an excellent spyware program and turns it into a powerful weapon in the hands of cybercriminals. Despite the fact that the creator of DarkComet RAT decided to close his project, its development can still be freely downloaded on the network.

    This is what the main program window looks like:

    image

    2. After downloading and installing the program, you will need to start hosting, on which we will download files from the victim’s computer.

    3. Using DarkComet, create an exe-file (stub) that will infect the victim's computer ( DarkCometRat> ServerModule> FullEditor ). In Network Settings, we register the previously created host and set other necessary settings (more details here ). Or we order the creation of such a file on the exchange (approximately $ 100).

    image

    4. Naturally, the executable file created in DarkComet RAT is detected by antiviruses as malware, therefore, to successfully infect the victim’s computer, we need to encrypt it using a cryptor (or order for $ 50-100). Using the cryptor, the source file of the program is encrypted, and a code is written to its beginning, which, when launched, decrypts and starts the main program. Encrypting the program, the cryptor protects it from all the most famous antiviruses and signature search methods.

    5. Make sure that anti-virus programs do not regard the encrypted file as a virus. The check can be done on VirusTotal , for example:

    image

    In this article, we do not directly upload the encrypted file, so that there are no charges about the spread of viruses, in particular, from the Habr administration. However, if someone wants to make sure that at the time of creation the exe file was not really regarded by antiviruses as a virus, we can give a link to it and you will see for yourself by comparing the hash amounts in the video and on the file.

    6. Now we need our virus to get on the victim’s computer. There are many different ways to do this.
    For example, a computer may be infected by email. During the working day, dozens and even hundreds of emails come to the corporate mail of employees. Of course, such a flow of correspondence does not allow paying due attention to each letter, and most employees relate to processing messages such as transferring papers from one bale to another, which greatly facilitates the implementation of attacks. When an attacker sends a simple request by mail, his victim very often on the machine does what they ask, without thinking about their actions.

    This is just one example. Any other methods of social engineering based on the characteristics of human psychology can be used .

    7. As soon as the virus enters the victim’s computer after opening the executable file, the attacker gains full access to the attacked computer. As you know, any application that accesses an encrypted file located on a connected cryptocontainer receives a copy of it in decrypted form. The DarkComet file manager will be no exception - with its help you can copy any information from the cryptodisk.

    image

    All files we receive in decrypted form, they are available for reading and editing. After that, you can use them to your advantage. By the way, here is another drawback of cryptocontainers - their large sizes are hundreds of megabytes, which greatly simplifies the task of a cybercriminal to search for protected files.

    That's all. Confidential information is copied and compromised, a competing company can use it for its own mercenary purposes, and the attacked organization does not even suspect data theft.

    The process of stealing information from the TrueCrypt cryptocontainer is more clearly demonstrated in this video:



    Conclusion


    The cryptocontainer provides reliable information protection only when it is disconnected (dismantled); at the time of connection (mounting), confidential information from it can be stolen and the attacker will receive it in decrypted form. Therefore, if a cryptocontainer is still used to store valuable data, it should be connected for minimum periods of time and disconnected immediately after completion of work.

    CyberSafe


    In CyberSafe Files Encryption, to enhance security, we have added the Trusted Application System , which is described in detail in this article . The bottom line is that for the folder in which the encrypted files are stored, using CyberSafe, an additional list of trusted programs that can access these files is assigned. Accordingly, all other applications will be denied access. Thus, if the DarkComet RAT file manager accesses the encrypted file, another remote administration tool, or any other program that is not included in the trusted group, they will not be able to access the protected files.

    In the event that CyberSafe is used to encrypt network folders, files on the server are always stored in encrypted form and are never decrypted on the server side - they are decrypted exclusively on the user side.

    Also popular now: