TorrentLocker

[Aerosol]

1. Executive summary 3
2. Introduction 4
3. Infection vector 5
3.1 Download page 6
3.2 CAPTCHA 7
3.3 Word document with VBA macros 8
4. Overall scheme 9
5. Malware analysis 11
5.1 Obfuscation 11
5.1.1 Dropper 11
5.1.2 Launcher 12
5.2 Local store 12
5.3 SMTP credentials and address book stealing 13
5.4 Network protocol 13
 5.4.1 Choosing a C&C server 13
 5.4.2 Communication protocol 14
 5.4.3 Victim identification code generation 15
5.5 Cryptography 16
6. Decryption software analysis 18
7. Similarity with Hesperbot banking trojan 19
7.1 Malware distribution page similarity 19
7.2 C&C server reuse 19
7.3 PDB path 19
8. Statistics 21
8.1 Methodology 21
8.2 Results 21
9. Conclusion 24
10. Acknowledgement 25
11. References 25
12. Appendixes 27
Appendix A: Screenshots of CAPTCHA-enabled download pages 27
Appendix B: List of known domains hosting download page 31
Appendix C: List of known Onion URLs delivering payment information 35
Appendix D: Domains in TorrentLocker DGA 36
Appendix E: List of file types encrypted by TorrentLocker 37
Appendix F: List of hardcoded keys 38
Appendix G: List of samples 39

Read more here: http://www.welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf