Hexzone coincidentally caught my attention while I was gathering material for my recent article about some emerging ransomware. Hexzone has recently been seen downloading Trojan.Ransomlock, which blocks the user's access to all Windows resources and asks the victim for money (ransom) in return for unlocking their system. For details please refer to Ransomware on the loose..
In this post, I will try to shed light on some missing details about Hexzone. Then I will show Hexzone's relationship with some other known malware, and in the end I will discuss my thoughts on the size of this un-named botnet.
Here is my initial analysis of the Hexzone sample mentioned in Finjan's report. Normally Hexzone resides on the victim machine in the form of a 'Browser Helper Object'. The reason it injects itself into the browser as a plug-in is to hijack the user's browsing sessions in order to blackmail them. Here is how it happens, as the user tries to browse any web page from the infected PC, this plug-in leads the user to a fake page, displaying porn contents. Along with porn contents a message is displayed in the Russian language.
Translated from Russian:
"to delete (porn contents) select country and sends code 3981134 to room number (different for each country)."
As I explained in my last article, these SMS codes use paid "rooms". These "rooms" have a concept like 1900 numbers where it costs money to phone in. Every time someone sends an SMS to one of these rooms, a fixed amount of money is deducted from the sender's balance and it gets transferred to the owner of the room.
Another shocking fact was that this page listed seven country names along with corresponding SMS room numbers. Our initial observation that this SMS based ransom is only being used within Russia no longer holds true.