Fallout Exploit Kit Releases the Kraken Ransomware on Its Victims

Alexandr Solad and Daniel Hatheway of Recorded Future are coauthors of this post. Rising from the deep, Kraken Cryptor ransomware has had a notable development path in recent months. The first signs of Kraken came in mid-August on a popular underground forum. In mid-September it was reported that the malware developer had placed the ransomware, …

The post Fallout Exploit Kit Releases the Kraken Ransomware on Its Victims appeared first on McAfee Blogs.

Alexandr Solad and Daniel Hatheway of Recorded Future are coauthors of this post.

Rising from the deep, Kraken Cryptor ransomware has had a notable development path in recent months. The first signs of Kraken came in mid-August on a popular underground forum. In mid-September it was reported that the malware developer had placed the ransomware, masquerading as a security solution, on the website SuperAntiSpyware, infecting systems that tried to download a legitimate version of the antispyware software.

Kraken’s presence became more apparent at the end of September, when the security researcher nao_sec discovered that the Fallout Exploit Kit, known for delivering GandCrab ransomware, also started to deliver Kraken.

The McAfee Advanced Threat Research team, working with the Insikt group from Recorded Future, found evidence of the Kraken authors asking the Fallout team to be added to the Exploit Kit. With this partnership, Kraken now has an additional malware delivery method for its criminal customers.

We also found that the user associated with Kraken ransomware, ThisWasKraken, has a paid account. Paid accounts are not uncommon on underground forums, but usually malware developers who offer services such as ransomware are highly trusted members and are vetted by other high-level forum members. Members with paid accounts are generally distrusted by the community.

 

Kraken Cryptor’s developers asking to join the Fallout Exploit Kit.

Kraken Cryptor announcement.

The ransomware was announced, in Russian, with the following features:

  • Encoded in C# (.NET 3.5)
  • Small stub size ~85KB
  • Fully autonomous
  • Collects system information as an encrypted message for reference
  • File size limit for encryption
  • Encryption speed faster than ever
  • Uses a hybrid combination of encryption algorithms (AES, RC4, Salsa20) for secure and fast encryption with a unique key for each file
  • Enables the use of a network resource and adds an expansion bypass mode for encrypting all files on non-OS disks
  • Is impossible to recover data using a recovery center or tools without payment
  • Added antidebug, antiforensic methods

Kraken works with an affiliate program, as do ransomware families such as GandCrab. This business scheme is often referred to a Ransomware-as-a-Service (RaaS).

Affiliates are given a new build of Kraken every 15 days to keep the payload fully undetectable from antimalware products. According to ThisWasKraken, when a victim asks for a free decryption test, the affiliate member should send one of the victim’s files with its associated unique key to the Kraken Cryptor ransomware support service. The service will decrypt the file and resend it to the affiliate member to forward the victim. After the victim pays the full ransom, the affiliate member sends a percentage of the received payment to the RaaS developers to get a decryptor key, which is forwarded to the victim. This system ensures the affiliate pays a percentage to the affiliate program and does not simply pocket the full amount. The cut for the developers offers them a relatively safe way of making a profit without exposing themselves to the risk of spreading ransomware.

We have observed that the profit percentage for the developers has decreased from 25% in Version 1 to 20% in Version 2. The developers might have done this to attract more affiliates. To enter the program, potential affiliates must complete a form and pay $50 to be accepted.

In the Kraken forum post it states that the ransomware cannot be used in the following countries:

  • Armenia
  • Azerbaijan
  • Belarus
  • Estonia
  • Georgia
  • Iran
  • Kazakhstan
  • Kyrgyzstan
  • Latvia
  • Lithuania
  • Moldova
  • Russia
  • Tajikistan
  • Turkmenistan
  • Ukraine
  • Uzbekistan

On October 21, Kraken’s authors released Version 2 of the affiliate program, reflecting the ransomware’s popularity and a fresh release. At the same time, the authors published a map showing the distribution of their victims:

Note that some of the countries on the developers’ exclusion list have infections.

Video promotions

The first public release of Kraken Cryptor was Version 1.2; the latest is Version 2.07. To promote the ransomware, the authors created a video showing its capabilities to potential customers. We analyzed the metadata of the video and believe the authors created it along with the first version, released in August.

In the video, the authors show how fast Kraken can encrypt data on the system:

Kraken ransomware in action.

Actor indications

The Advanced Threat Research team and Recorded Future’s Insikt group analyzed all the forum messages posted by ThisWasKraken. Based on the Russian language used in the posts, we believe ThisWasKraken is neither a native Russian nor English speaker. To make forum posts in Russian, the actor likely uses an automated translation service, suggested by the awkward phrasing indicative of such a service. In contrast, the actor is noticeably more proficient in English, though they make mistakes consistently in both sentence structure and spelling. English spelling errors are also noticeable in the ransom note.

ThisWasKraken is likely part of a team that is not directly involved in the development of the ransomware. The actor’s role is customer facing, through the Jabber account [email protected][.]im. Communications with ThisWasKraken show that the actor refers all technical issues to the product support team at [email protected][.]com.

Payments

Bitcoin is the only currency the affiliate program uses. Insikt Group identified several wallets associated with the operation. Kraken’s developers appear to have choose BitcoinPenguin, an online gambling site as the primary money laundering conduit. It is very uncommon for criminal actors, and specifically ransomware operators, to bypass traditional cryptocurrency exchangers when laundering stolen funds. One of the decisive factors for the unusual choice was likely BitcoinPenguin’s lack of requiring identity verification by its members, allowing anyone to maintain an anonymous cryptocurrency wallet.

Although in response to regulatory demands cryptocurrency exchangers continue to stiffen their registration rules, online crypto casinos do not have to follow the same know-your-customer guidelines, providing a convenient loophole for all kinds of money launderers.

Bitcoin transactions associated with Kraken analyzed with the Crystal blockchain tool. The parent Bitcoin wallet is 3MsZjBte81dvSukeNHjmEGxKSv6YWZpphH.

Kraken Cryptor at work

The ransomware encrypts data on the disk very quickly and uses external tools, such as SDelete from the Sysinternals suite, to wipe files and make file recovery harder.

The Kraken Cryptor infection scheme.

The ransomware has implemented a user account control (UAC) bypass using the Windows Event Viewer. This bypass technique is used by other malware families and is quite effective for executing malware.

The technique is well explained in an article by blogger enigma0x3.

We analyzed an early subset of Kraken ransomware samples and determined they were still in the testing phase, adding and removing options. The ransomware has implemented a “protection” to delete itself during the infection phase:

“C:\Windows\System32\cmd.exe” /C ping 127.0.0.1 -n 3 > NUL&&del /Q /F /S “C:\Users\Administrator\AppData\Local\Temp\krakentemp0000.exe”

This step is to prevent researchers and endpoint protections from catching the file on an infected machine.

Kraken encrypts user files with a random name and drops the ransom note demanding the victim to pay to recover them. McAfee recommends not paying ransoms because doing so contributes to the development of more ransomware families.

Kraken’s ransom note.

Each file extension is different; this technique is often used by specific ransomware families to bypass endpoint protection systems.

Kraken delivered by the exploit kit bypasses the UAC using Event Viewer, drops a file on the system, and executes it through the UAC bypass method.

The binary delivered by the exploit kit.

The authors of the binary forgot during the compilation of the first versions to delete the PDB reference, revealing that the file has a relationship with Kraken Cryptor:

The early versions contained the following path:

C:\Users\Krypton\source\repos\UAC\UAC\obj\\Release\UAC.pdb.

Later versions dropped the PDB path together with the Kraken loader.

Using SysInternals tools

One unique feature of this ransomware family is the use of SDelete. Kraken uses a .bat file to perform certain operations, making file recovery much more challenging:

Kraken downloads SDelete from the Sysinternals website, adds the registry key accepting the EULA to avoid the pop-up, and executes it with the following arguments:

sdelete.exe -c -z C

The SDelete batch file makes file recovery much harder by overwriting all free space on the drive with zeros, deleting the Volume Shadow Copies, disabling the recovery reboot option and finally rebooting the system after 300 seconds.

Netguid comparison

The earlier versions of Kraken were delivered by a loader before it moved to a direct execution method. The loader we examined contained a specific netguid. With this, we found additional samples of the Kraken loader on VirusTotal:

Not only the loader had a specific netguid but the compiled versions of Kraken also shared a netguid, making it possible to continue hunting samples:

Comparing versions

Kraken uses a configuration file in every version to set the variables for the ransomware. This file is easily extracted for additional analysis.

Based on the config file we have discovered nine versions of Kraken:

  • 2
  • 3
  • 5
  • 5.2
  • 5.3
  • 6
  • 0
  • 0.4
  • 0.7

By extracting the config files from all the versions, we built the following overview of features. (The √ means the feature is present.)

All the versions we examined mostly contain the same options, changing only in some of them the antivirtual protection and antiforensic capabilities. The latest version, Kraken 2.0.7, changed its configuration scheme. We will cover that later in this article.

Other differences in Kraken’s config file include the list of countries excluded from encryption. The standouts are Brazil and Syria, which were not named in the original forum advertisement.

Having an exclusion list is a common method of cybercriminals to avoid prosecution. Brazil’s addition to the list in Version 1.5 suggests the involvement of a Brazilian affiliate. The following table shows the exclusion list by country and version. (The √ means the country appears on the list.)

All the Kraken releases have excluded the same countries, except for Brazil, Iran, and Syria.

Regarding Syria: We believe that the Kraken actors have had the same change of heart as the actors behind GandCrab, who recently released decryption keys for Syrian victims after a tweet claimed they had no money to pay the ransoms.

 

GandCrab’s change of heart regarding Syrian victims.

Version 2.0.7

The most recent version we examined comes with a different configuration scheme:

This release has more options. We expect this malware will be more configurable than other active versions.

APIs and statistics

One of the new features is a public API to track the number of victims:

Public API to track the number of victims. Source: Bleeping Computer.

Another API is a hidden service to track certain statistics:

 

The Onion URL can be found easily in the binary:

The endpoint and browser Kraken uses is hardcoded in the config file:

Kraken gathers the following information from every infection:

  • Status
  • Operating system
  • Username
  • Hardware ID
  • IP address
  • Country
  • City
  • Language
  • HDCount
  • HDType
  • HDName
  • HDFull
  • HDFree
  • Privilege
  • Operate
  • Beta

Kraken infrastructure

In Versions 1.2 through 2.04 Kraken contacts blasze[.]tk to download additional files. The site has Cloudflare protection to mitigate against DDoS attacks:

The domain is not accessible from many countries:

 

McAfee coverage

McAfee detects this threat with the following signatures:

  • Artemis!09D3BD874D9A
  • Artemis!475A697872CA
  • Artemis!71F510C40FE5
  • Artemis!99829D5483EF
  • Artemis!CE7606CFDFC0
  • Artemis!F1EE32E471A4
  • RDN/Generic.dx
  • RDN/Generic.tfr
  • RDN/Ransom

Indicators of compromise

Kraken loader hashes

  • 564154a2e3647318ca40a5ffa68d06b1bd40b606cae1d15985e3d15097b512cd
  • 53a28d3d29e655deca6702c98e71a9bd52a5a6de05524234ab362d27bd71a543

Kraken ransomware samples hashes

  • 047de76c965b9cf4a8671185d889438e4b6150326802e87470d20a3390aad304
  • 0b6cd05bee398bac0000e9d7032713ae2de6b85fe1455d6847578e9c5462391f
  • 159b392ec2c052a26d6718848338011a3733c870f4bf324863901ec9fbbbd635
  • 180406f298e45f66e205bdfb2fa3d8f6ead046feb57714698bdc665548bebc95
  • 1d7251ca0b60231a7dbdbb52c28709a6533dcfc4a339f4512955897c7bb1b009
  • 2467d42a4bdf74147ea14d99ef51774fec993eaef3c11694125a3ced09e85256
  • 2b2607c435b76bca395e4ef4e2a1cae13fe0f56cabfc54ee3327a402c4ee6d6f
  • 2f5dec0a8e1da5f23b818d48efb0b9b7065023d67c617a78cd8b14808a79c0dc
  • 469f89209d7d8cc0188654e3734fba13766b6d9723028b4d9a8523100642a28a
  • 4f13652f5ec4455614f222d0c67a05bb01b814d134a42584c3f4aa77adbe03d0
  • 564154a2e3647318ca40a5ffa68d06b1bd40b606cae1d15985e3d15097b512cd
  • 61396539d9392ae08b2c9836dd19a58efb541cf0381ea6fef28637aae63084ed
  • 67db0f639d5f4c021efa9c2b1db3b3bc85b2db920859dbded5fed661cc81282d
  • 713afc925973a421ff9328ff02c80d38575fbadaf27a1db0063b3a83813e8484
  • 7260452e6bd05725074ba92b9dc8734aec12bbf4bbaacd43eea9c8bbe591be27
  • 7747587608db6c10464777bd26e1abf02b858ef0643ad9db8134e0f727c0cd66
  • 7e0ee0e707db426eaf25bd0924631db969bb03dd9b13addffbcc33311a3b9aa7
  • 7fb597d2c8ed8726b9a982b2a84d1c9cc2af65345588d42dd50c8cebeee03dff
  • 85c75ac7af9cac6e2d6253d7df7a0c0eec6bdd71120218caeaf684da65b786be
  • 8a0320f3fee187040b1922c6e8bdf5d6bacf94e01b90d65e0c93f01e2abd1e0e
  • 97ed99508e2fae0866ad0d5c86932b4df2486da59fc2568fb9a7a4ac0ecf414d
  • 9c88c66f44eba049dcf45204315aaf8ba1e660822f9e97aec51b1c305f5fdf14
  • a33dab6d7adb83691bd14c88d7ef47fa0e5417fec691c874e5dd3918f7629215
  • b639e26a0f0354515870ee167ae46fdd9698c2f0d405ad8838e2e024eb282e39
  • cae152c9d91c26c1b052c82642670dfb343ce00004fe0ca5d9ebb4560c64703b
  • d316611df4b9b68d71a04ca517dbd94615a77a87f7a8c270d100ef9729a4e122
  • e39d5f664217bda0d95d126cff58ba707d623a58a750b53c580d447581f15af6
  • f7179fcff00c0ec909b615c34e5a5c145fedf8d9a09ed04376988699be9cc6d5
  • f95e74edc7ca3f09b582a7734ad7a547faeb0ccc9a3370ec58b9a27a1a6fd4a7
  • fea3023f06d0903a05096f1c9fc7113bea50b9923a3c024a14120337531180cd
  • ff556442e2cc274a4a84ab968006350baf9897fffd680312c02825cc53b9f455

Authentihash

  • 83b7ed1a0468394fc9661d07b9ad1b787f5e5a85512ae613f2a04a7442f21587
  • b821eb60f212f58b4525807235f711f11e2ef285630604534c103df74e3da81a
  • 0c4e0359c47a38e55d427894cc0657f2f73136cde9763bbafae37c916cebdd2a

Imphash

  • f34d5f2d4577ed6d9ceec516c1f5a744

Jabber

Email addresses found in the binaries and configuration files

Bitcoin address

  • 3MsZjBte81dvSukeNHjmEGxKSv6YWZpphH

PDBs found in the loader samples

  • C:\Users\Krypton\source\repos\UAC\UAC\obj\\Release\UAC.pdb

Associated Filenames

  • C:\ProgramData\Safe.exe C:\ProgramData\EventLog.txt # How to Decrypt Files.html
  • exe
  • exe
  • bat
  • <random>.bat
  • exe
  • exe
  • <random>.exe
  • exe
  • exe
  • exe
  • exe
  • exe
  • exe
  • exe
  • exe
  • exe
  • _exe
  • exe

Ransomware demo version

  • https://www76.zippyshare.com/v/5fMpcbdo/file[.]html

Kraken Unique Key

MITRE ATT&CK™ techniques

  • Data compressed
  • Email collection
  • File and directory
  • File deletion
  • Hooking
  • Kernel modules and extensions
  • Modify registry
  • Process injection
  • Query registry
  • Remote system
  • Security software
  • Service execution
  • System information
  • System time

Yara rules

 

The post Fallout Exploit Kit Releases the Kraken Ransomware on Its Victims appeared first on McAfee Blogs.

Rapidly Evolving Ransomware GandCrab Version 5 Partners With Crypter Service for Obfuscation

The GandCrab ransomware, which first appeared in January, has been updated rapidly during its short life, with Version 5.0.2 appearing this month. In this post we will examine the latest version and how the authors have improved the code (and in some cases have made mistakes). McAfee gateway and endpoint products are able to protect …

The post Rapidly Evolving Ransomware GandCrab Version 5 Partners With Crypter Service for Obfuscation appeared first on McAfee Blogs.

The GandCrab ransomware, which first appeared in January, has been updated rapidly during its short life, with Version 5.0.2 appearing this month. In this post we will examine the latest version and how the authors have improved the code (and in some cases have made mistakes). McAfee gateway and endpoint products are able to protect customers from known variants of this threat.

The GandCrab authors have moved quickly to improve the code and have added comments to provoke the security community, law enforcement agencies, and the NoMoreRansom organization. Despite the agile approach of the developers, the coding is not professional and bugs usually remain in the malware (even in Version 5.0.2), but the speed of change is impressive and increases the difficulty of combating it.

The group behind GandCrab has achieved cult status in underground forums; the authors are undoubtedly confident and have strong marketing skills, but flawless programming is not one of their strengths.

Underground alliances

On September 27, the GandCrab crew announced Version 5 with the same showmanship as its earlier versions. GandCrab ransomware has gained a lot of attention from security researchers as well as the underground. The developers market the affiliate program like a “members-only club” and new affiliates are lining up to join, in the hope of making easy money through the large-scale ransomware extortion scheme.

The prospect of making money not only attracts new affiliates, but also leads to the formation of new alliances between GandCrab and other criminal services that strengthen the malware’s supply and distribution networks. One of these alliances became obvious during Version 4, in which the ransomware started being distributed through the new Fallout exploit kit. This alliance was again emphasized in the GandCrab Version 5 announcement, as the GandCrab crew openly endorsed FalloutEK.

The GandCrab Version 5 announcement.

With Version 5, yet another alliance with a criminal service has been formed. The malware crypter service NTCrypt announced that it is partnering with the GandCrab crew. A crypter service provides malware obfuscation to evade antimalware security products.

The NTCrypt-GandCrab partnership announcement offering a special price for GandCrab users.

The partnership between GandCrab and NTCrypt was established in a novel way. At the end of September, the GandCrab crew started a “crypt competition” on a popular underground forum to find a new crypter service they could partner with. NTCrypt applied and eventually won the competition.

The “crypt competition” announcement.

This novel approach emphasizes once more the cult status GandCrab has in the underground community. For a criminal business such as GandCrab, building these alliances makes perfect sense: They increase the ease of operation and a trusted affiliate network minimizes their risk exposure by allowing them to avoid less-trusted suppliers and distributors.

For the security community it is worrisome to see that GandCrab’s aggressive marketing strategy seems to be paying off. It is generating a strong influx of criminal interest and allows the GandCrab crew to form alliances with other essential services in the cybercriminal supply chain.

GandCrab overview

GandCrab Version 5 uses several mechanisms to infect systems. The following diagram shows an overview of GandCrab’s behavior.

GandCrab Version 5 Infection

Entry vector

GandCrab uses several entry vectors:

  • Remote desktop connections with weak security or bought in underground forums
  • Phishing emails with links or attachments
  • Trojanized legitimate programs containing the malware, or downloading and launching it
  • Exploits kits such as RigEK and others such as FalloutEK
  • PowerShell scripts or within the memory of the PowerShell process (the later mainly in Version 5.0.2)
  • Botnets such as Phorpiex (an old botnet that spread not only this malware but many others)

The goal of GandCrab, as with other ransomware, is to encrypt all or many files on an infected system and insist on payment to unlock them. The developer requires payment in cryptocurrency, primarily Dash (or Bitcoin in some older versions), because it is complex to track and quick to receive the payment.

The malware is usually, but not always, packed. We have seen variants in .exe format (the primary form) along with DLLs. GandCrab is effectively ransomware as a service; its operators can choose which version they want.

Version 5.0

This version has two releases. The first works only on Windows 7 or later due to a big mistake in the compiling time. Version 5.0 carries two exploits that try to elevate privileges. It checks the version of the operating system and the TokenIntegrityLevel class of the process. If the SID Subauthority is SECURITY_MANDATORY_LOW_RID (0x1000), it tries to execute the exploits if it also passed one previous check of a mutex value.

One release is the exploit released in August on Twitter and GitHub by the hacker “SandboxEscaper.” The original can be found at this link. The Twitter handle for this hacker is https://twitter.com/sandboxescaper.

This exploit tries to use a problem with the Task System in Windows when the operating system improperly handles calls to an advanced local procedure call.

The GandCrab authors claim there is no CVE of this exploit, but that is incorrect. It falls under CVE-2018-8440. This exploit can affect versions Windows 7 through Windows 10 Server. More information about this exploit can be found at this link.

In the first release of Version 5.0, the malware authors wrote the code exploit using normal calls to the functions. Thus at compiling time the binary has the IAT filled with the DLL needed for some calls. This DLL does not exist in Windows Vista and XP, so the malware fails to run in these systems, showing an error.

Import of xpsprint.dll that will not run on Windows XP or Vista.

The exploit using direct calls.

This release published an HTML file after encrypting the user’s files, but this file was faulty because it did not always have the information needed to decrypt the user’s files.

The second release uses dynamic calls and obfuscates the strings of the exploit, as shown in the previous image. (Earlier they were in plain text.)

The exploit with dynamic calls and obfuscated strings.

The second exploit is covered under CVE-2018-8120, which in Windows 7, Windows Server 2008 R2 and Windows Server 2008 allows an elevation of privileges from the kernel. Thanks to a faulty object in the token of the System process, changing this token in the malware results in executing the malware with System privileges.

Executing the exploit CVE-2018-8120.

You can read more about this exploit on mcafee.com.

The malware checks the version of the operating system and type of user and whether it can get the token elevation information of its own process before employing the use of exploits. In some cases, it fails to infect. For example, in Windows XP the second release of Version 5 runs but does not encrypt the files. (We thank fellow researcher Yassine Lemmou, who shared this information with us.)

We and Lemmou know where the problem is in Version 5.0.2. A few changes to the registry could make the malware run correctly, but we do not want to help the malware authors fix their product. Even though GandCrab’s authors quickly repair mistakes as they are pointed out, they still fail to find some of the basic errors by themselves. (McAfee has had no contact with GandCrab’s developers.)

The second release writes a random extension of five letters instead of using the normal .CRAB or .KRAB extension seen in previous versions. The malware keeps this information as binary data in a new registry entry in the subkey “ext_data\data” and in the value entry of “ext.”

A new registry entry to hold the random extension.

The malware tries creating this new entry in the root key of HKEY_LOCAL_MACHINE. If it cannot—for example, because the user does not have admin rights—it places the entry in the root key HKEY_CURRENT_USER. This entry is deleted in some samples after the files have been encrypted.

Version 5.0.1

This version fixed some internal bugs in the malware but made no other notable changes.

Version 5.0.2

This version changes the random extension length from 5 to 10 characters and fixes some internal bugs. Other bugs remain, however, meaning files cannot always be encrypted.

The latest

This section is based on the latest version of the malware (Version 5.0.2 on October 4), though some elements appear in earlier releases of Version 5. Starting with this version, the malware uses two exploits to try to elevate privileges in the system.

The first exploit uses a dynamic call to the function IsWoW64Process to detect whether the operating system is running in 32 or 64 bits.

The dynamic call to IsWoW64Process with obfuscated strings.

Depending on the result, the malware has two embedded DLLs, encrypted with a simple operation XOR 0x18.

Decrypting the DLL to load with the exploit and fix the header.

The malware authors use a clever trick with fuzzing to avoid detection: The first two bytes of the DLL are trash, something that is later fixed, as we see in the preceding image.

After decryption and loading the exploit, this DLL creates a mutex in the system and some pipes to communicate with the main malware. The malware creates a pipe that the DLL reads later and prepares strings as the mutex string for the DLL.

Preparing the string for the DLL.

The DLL has dummy strings for these strings.

Creating the new mutex and relaunching the process.

This mutex is checked when the malware starts. The function returns a 1 or 0, depending on whether it can open the mutex. Later, this result is checked and if the mutex can be opened the malware will avoid checking the version and will not use the two new exploits to elevate privileges.

Opening the new mutex to check if there is a need to run the exploits.

As with GandCrab Version 4.x and later, the malware later checks the version. If it is Vista or later, it tries to get the “TokenIntegrityLevel” class and relaunch the binary to elevate its privilege with a call to “ShellExecuteExW” with the “runas” application. If the system is Windows XP, the code will avoid that and continue in its normal flow.

This mutex is never created for the main malware; it is created for the DLL loaded using the exploit. To better understand this explanation, this IDA snippet may help:

Explaining the check of mutex and exploits.

This version changes the desktop wallpaper, which is created at runtime and is filled with the extension generated to encrypt the files. (The ransom note text or HTML has the name: <extension_in_uppercase>_DECRYPT. <txt|html>) and the user name of the machine.)

Creating the new wallpaper at runtime.

The username is checked with “SYSTEM.” If the user is “SYSTEM,” the malware puts the name “USER” in the wallpaper.

Checking the name of the user for the wallpaper.

The wallpaper is created in the %TEMP% folder with the name pidor.bmp.

Creating the wallpaper in the temp folder.

Here is an example of strings used in the wallpaper name and to check the name of the user and the format string, whether it is another user, or the final string in the case of SYSTEM user with USER in uppercase.

The name of the wallpaper and special strings.

Finally, the wallpaper is set for any user other than SYSTEM:

Changing the wallpaper.

The malware detects the language of the system and decrypts the strings and writes the correct ransom note in the language of the system.

Coverage

Customers of McAfee gateway and endpoint products are protected against the latest GandCrab versions. Detection names include Ran-Gandcrabv4! and many others.

An independent researcher, Twitter user Valthek, has also created several vaccines. (McAfee has verified that these vaccines are effective.) The version for GandCrab 4.x through 5.0.2 can prevent the files from being encrypted.

For Version 4.x, the deletion of shadow volumes cannot be avoided but at least the files themselves are kept safe.

For Version 5.x, encrypting the files can be avoided but not the creation and changing of the wallpaper, which the malware will still corrupt. The malware cannot create random extensions to encrypt the files but will prepare the string. Running the vaccine a second time removes the wallpaper if it is in the %TEMP% folder.

The vaccine has versions with and without persistence. The version with persistence creates a random filename in a special folder and writes a special random entry in the registry to run each time with the system. In this case, the machine will always be protected against this malware (at least in its current state of October 10, and perhaps in the future).

 

Indicators of compromise

These samples use the following MITRE ATT&CK™ techniques:

  • File deletion
  • System information discovery
  • Execution through API
  • Execution through WMIC
  • Application process discovery: to detect antimalware and security products as well as normal programs
  • Query registry: to get information about keys that the malware needs to create or read
  • Modify registry
  • File and directory discovery: to search for files to encrypt
  • Discovery of network shares to encrypt them
  • Encrypt files
  • Process discovery: enumerating all processes on the endpoint to kill some special ones
  • Create files
  • Elevation of privileges
  • Change wallpaper
  • Flood the network with connections
  • Create mutants

Hashes 

  • e168e9e0f4f631bafc47ddf23c9848d7: Version 5.0
  • 6884e3541834cc5310a3733f44b38910: Version 5.0 DLL
  • 2d351d67eab01124b7189c02cff7595f: Version 5.0.2
  • 41c673415dabbfa63905ff273bdc34e9: Version 5.0.2
  • 1e8226f7b587d6cd7017f789a96c4a65: DLL for 32-bit exploit
  • fb25dfd638b1b3ca042a9902902a5ff9: DLL for 64-bit exploit
  • df1a09dd1cc2f303a8b3d5097e53400b: botnet related to the malware (IP 92.63.197.48)

 

The post Rapidly Evolving Ransomware GandCrab Version 5 Partners With Crypter Service for Obfuscation appeared first on McAfee Blogs.

Political Figures Differ Online: Names of Trump, Obama, Merkel Attached to Ransomware Campaigns

Politics and ransomware. No, it’s not a lost single from the Oasis back catalogue, but in fact a relatively recent tactic by ransomware developers looking to exploit the profiles of major politicians to install ransomware on victims’ computers. Donald Trump, Angela Merkel, and now Barack Obama all serve as lures for the unsuspecting. Despite its …

The post Political Figures Differ Online: Names of Trump, Obama, Merkel Attached to Ransomware Campaigns appeared first on McAfee Blogs.

Politics and ransomware. No, it’s not a lost single from the Oasis back catalogue, but in fact a relatively recent tactic by ransomware developers looking to exploit the profiles of major politicians to install ransomware on victims’ computers. Donald Trump, Angela Merkel, and now Barack Obama all serve as lures for the unsuspecting. Despite its claims, does the “Obama campaign” deliver the ransomware it advertises? Well, perhaps not.

The Obama campaign

Recently identified by the MalwareHunterTeam and documented by Bleeping Computer, the Obama campaign displayed some confusing characteristics. For example, it encrypted only .exe files and asked for a tip to decrypt the files. This campaign does not behave like normal ransomware variants, which typically target user data files rather than .exe files.

This unorthodoxy got us thinking: Was there a nation-state behind this campaign? At present, there is not enough evidence to confirm its source, although the language resources are in simplified Chinese. We discovered the following graph inside the ransomware:

As the MalwareHunterTeam documented, the ransomware attempts to kill processes associated with certain antimalware products:

  • .rdata:004DAC80 0000001B C taskkill /f /im kavsvc.exe
  • .rdata:004DAC9B 00000019 C taskkill /f /im KVXP.kxp
  • .rdata:004DACB4 00000018 C taskkill /f /im Rav.exe
  • .rdata:004DACCC 0000001B C taskkill /f /im Ravmon.exe
  • .rdata:004DACE7 0000001D C taskkill /f /im Mcshield.exe
  • .rdata:004DAD04 0000001D C taskkill /f /im VsTskMgr.exe
  • .rdata:004DAD21 00000024 C SOFTWARE\\360Safe\\safemon\\ExecAccess
  • .rdata:004DAD45 00000023 C SOFTWARE\\360Safe\\safemon\\MonAccess
  • .rdata:004DAD68 00000024 C SOFTWARE\\360Safe\\safemon\\SiteAccess
  • .rdata:004DAD8C 00000025 C SOFTWARE\\360Safe\\safemon\\UDiskAccess

Note, however, that the access protection enabled within McAfee software prevented the termination of this process:

These curiosities made us wonder about the purpose of the ransomware. Was this indeed ransomware and, if so, why encrypt only .exe files? Our initial suspicions were immediately confirmed when we found a cryptocurrency coin mining component within the malware. In fact, the miner sample was almost identical to the ransomware component, with almost 80% code reuse. These similarities are highlighted below.

Executable extension search function:

Code flow in the “Obama campaign” ransomware.

Code flow in the coin miner sample.

We also found this URL pointing to an FTP server:

The Trump campaign

A ransomware campaign leveraging images of Donald Trump has been previously documented. Is it possible that the two politicians are aligned with the same cybercriminal group looking to exploit their profiles?

  

As previously reported, this variant was only a development version—encrypting files with AES and using the following .encrypted extension:

However, this ransomware can “decrypt” the files if one clicks on an “unlock files” button.

Code referencing decryption by button click:

And for unlocking files:

The Angela Merkel campaign 

 

The use of Angela Merkel and her profile is new to the discussion. “Her” campaign encrypts files using the .angelamerkel extension. The original name of this ransomware was ChromeUpadter.exe; it also uses AES to encrypt files. It employs the Euro in its ransom demands. Perhaps a European figure evokes the Euro?

This ransomware encrypts the following files:

Malware developers are fond of exploiting famous names to lure unsuspecting victims. Although it would be simple to claim an increase in politically motivated ransomware, or rather ransomware that leverages the profiles of political figures, there is no significant evidence to suggest they are from the same threat actor. Equally, these campaigns might not even be ransomware, certainly in the case of the Obama campaign.

Does this examination suggest three separate campaigns? There are some links and, no, they are not between Obama and Trump. The Trump and Merkel ransomware are 46% identical in code. We are left wondering whose campaign is the most successful. We shall see.

The post Political Figures Differ Online: Names of Trump, Obama, Merkel Attached to Ransomware Campaigns appeared first on McAfee Blogs.

GandCrab Ransomware Puts the Pinch on Victims

The GandCrab ransomware first appeared in January and has updated itself rapidly during its short life. It is the leading ransomware threat. The McAfee Advanced Threat Research team has reverse engineered Versions 4.0 through 4.2 of the malware.
The fi…

The GandCrab ransomware first appeared in January and has updated itself rapidly during its short life. It is the leading ransomware threat. The McAfee Advanced Threat Research team has reverse engineered Versions 4.0 through 4.2 of the malware.

The first versions (1.0 and 1.1) of this malware had a bug that left the keys in memory because the author did not correctly use the flags in a crypto function. One antimalware company released a free decryption tool, posted on NoMoreRansom.org.

The hack was confirmed by the malware author in a Russian forum:

Figure 1. Confirmation by the author of the hack of GandCrab servers.

The text apologizes to partners for the hack and temporarily shuts down the program. It promises to release an improved version within a few days.

The second version of GandCrab quickly appeared and improved the malware server’s security against future counterattacks. The first versions of the ransomware had a list of file extensions to encrypt, but the second and later versions have replaced this list with an exclusion list. All files except those on the list were encrypted.

Old versions of the malware used RSA and AES to encrypt the files, and communicated with a control server to send the RSA keys locked with an RC4 algorithm.

The GandCrab author has moved quickly to improve the code and has added comments to mock the security community, law agencies, and the NoMoreRansom organization. The malware is not professionally developed and usually has bugs (even in Version 4.2), but the speed of changes is impressive and increases the difficulty of combating it.

Entry vector

GandCrab uses several entry vectors:

  • Remote desktop connections with weak security or bought in underground forums
  • Phishing emails with links or attachments
  • Trojanized legitimate programs containing the malware, or downloading and launching it
  • Exploits kits such as RigEK and others

The goal of GandCrab, as with other ransomware, is to encrypt all or many files on an infected system and insist on payment to unlock them. The developer requires payment in cryptocurrency, primarily DASH, because it complex to track, or Bitcoin.

The malware is usually but not always packed. We have seen variants in .exe format (the primary form) along with DLLs. GandCrab is effectively ransomware as a service; its operators can choose which version they want.

Version 4.0

The most important change in Version 4.0 is in the algorithm used to encrypt files. Earlier versions used RSA and AES; the latest versions use Salsa20. The main reason is for speed. RSA is a powerful but slow algorithm. Salsa20 is quick and the implementation is small.

The ransomware checks the language of the system and will not drop the malicious payload if the infected machine operates in Russian or certain other former Soviet languages:

Figure 2. Checking the language of the infected system.

GandCrab encrypts any file that does not appear on the following file-extension exclusion list:

The ransomware does not encrypt files in these folders:

GandCrab leaves these files unencrypted:

The ransomware generates a pair of RSA keys before encrypting any file. The public key encrypts the Salsa20 key and random initialization vector (IV, or nonce)) generated later for each file.

The encryption procedure generates a random Salsa20 key and a random IV for each file, encrypts the file with them, and encrypts this key and IV with a pair of RSA keys (with the public RSA key created at the beginning). The private key remains encrypted in the registry using another Salsa20 key and IV encrypted with an RSA public key embedded in the malware.

After encryption, the file key and IV are appended to the contents of the file in a new field of 8 bytes, increasing the original file size.

This method makes GandCrab very strong ransomware because without the private key to the embedded public key, it is not possible to decrypt the files. Without the new RSA private key, we cannot decrypt the Salsa20 key and IV that are appended to the file.

Finally, the ransomware deletes all shadow volumes on the infected machine and deletes itself.

Version 4.1

This version retains the Salsa20 algorithm, fixes some bugs, and adds a new function. This function, in a random procedure from a big list of domains, creates a final path and sends the encrypted information gathered from the infected machine. We do not know why the malware does this; the random procedure usually creates paths to remote sites that do not exist.

For example, one sample of this version has the following hardcoded list of encrypted domains. (This is only a small part of this list.)

The ransomware selects one domain from the list and creates a random path with one of these words:

Later it randomly chooses another word to add to the URL it creates:

Afterward it makes a file name, randomly choosing three or four combinations from the following list:

Finally the malware concatenates the filename with a randomly chosen extension:

At this point, the malware sends the encrypted information using POST to the newly generated URL for all domains in the embedded list, repeating the process of generating a path and name for each domain.

Another important change in this version is the attempt to obfuscate the calls to functions such as VirtualAlloc and VirtualFree.

Figure 3. New functions to obfuscate the code.

Version 4.1.2

This version has appeared with some variants. Two security companies revealed a vaccine to prevent infections by previous versions. The vaccine involved making a special file in a folder with a special name before the ransomware infects the system. If this file exists, the ransomware finishes without dropping the payload.

The file gets its name from the serial number of the Windows logic unit hard disk value. The malware makes a simple calculation with this name and creates it in the %appdata% or %program files% folder (based in the OS) with the extension .lock.

Figure 4. Creating the special file.

The GandCrab author reacted quickly, changing the operation to make this value unique and use the Salsa20 algorithm with an embedded key and IV with text referring to these companies. The text and the value calculated were used to make the filename; the extension remained .lock.

One of the security companies responded by making a free tool to make this file available for all users, but within hours the author released another Version 4.1.2 with the text changed. The malware no longer creates any file, instead making a mutex object with this special name. The mutex remains and keeps the .lock extension in the name.


Figure 5. Creating a special mutex instead of a special lock file.

The vaccine does not work with the second Version 4.1.2 and Version 4.2, but it does work with previous versions.

Version 4.2

This version has code to detect virtual machines and stop running the ransomware within them.

It checks the number of remote units, the size of the ransomware running compared with certain sizes, installs a VectoredExceptionHandler, and checks for VMware virtual machines using the old trick of the virtual port in a little encrypted shellcode:

Figure 6. Detecting VMware.

The malware calculates the free space of the main Windows installation logic unit and finally calculates a value.

If this value is correct for the ransomware, it runs normally. If the value is less than 0x1E, it waits one hour to start the normal process. (It blocks automatic systems that do not have “sleep” prepared.) If the value is greater than 0x1E, the ransomware finishes its execution.

Figure 7. Checking for virtual machines and choosing a path.

Conclusion

GandCrab is the leading ransomware threat for any person or enterprise. The author uses many ways to install it—including exploits kits, phishing mails, Trojans, and fake programs. The developer actively updates and improves the code to make analysis more difficult and to detect virtual machines. The code not is professionally written and continues to suffer from bugs, yet the product is well promoted in underground forums and has increased in value.

McAfee detects this threat as Ran-GandCrab4 in Versions 4.0 and later. Previous ones are also detected.

Indicators of compromise

MITRE ATT&CK

This sample uses the following MITRE ATT&CK techniques:

  • File deletion
  • System information discovery
  • Execution through API
  • Execution through WMIC
  • Application process discovery: to detect antimalware and security products as well as normal programs
  • Query registry: to get information about keys that the malware needs make or read
  • Modify registry
  • File and directory discovery: to search for files to encrypt
  • Encrypt files
  • Process discovery: enumerating all processes on the endpoint to kill some special ones
  • Create files
  • Elevation of privileges

Hashes

  • 9a80f1866450f2f10fa69b1eb8747c344d6ef038468014c59cc50497f9e4675d – version 4.0
  • d9466be5c387eb2fbf619a8cd0922b167ea7fa06b63f13cd330ca974cae1d513 – version 4.0
  • 43b57d2b16c44041916f3b0562712d5dca4f8a42bc00f00a023b4a0788d18276 – version 4.0
  • 786e3c693fcdf55466fd6e5446de7cfeb58a4311442e0bc99ce0b0985c77b45d – version 4.0
  • f5e74d939a5b329dddc94b75bd770d11c8f9cc3a640dccd8dff765b6997809f2 – version 4.1
  • 8ecbfe6f52ae98b5c9e406459804c4ba7f110e71716ebf05015a3a99c995baa1 – version 4.1
  • e454123d852e6a40eed1f2552e1a1ad3c00991541d812fbf24b70611bd1ec40a – version 4.1
  • 0aef79fac6331f9eca49e711291ac116e7f6fbaeb5a1f3eb7fea9e2e4ec6a608 – version 4.1
  • 3277c1649972ab5b43ae9e87087b70ea4825956bfdddd1034f7b0680e6d46efa – version 4.1
  • a92af825bd95b6514f22dea08a4eb6d3491cbad45e69a5b9653b0148ee9f9832 – version 4.1
  • ce093ffa19f020a2b73719f653b5e0423df28ef1d59035d55e99154a85c5c668 – version 4.1.2 (first)
  • a1aae5ae7a3722b83dc1c9b0831c973641b246808de4f3670f2fd916cf498d38 – version 4.1.2 (second)
  • 3b0096d6798b1887cffa1288583e93f70e656270119087ceb2f832b69b89260a – version 4.2
  • e8e948e36fed93061062406693d1b2c402dd8e5788506bfbb50dbd86a5540829 – version 4.2

Domain

http://gandcrabmfe6mnef.onion

The post GandCrab Ransomware Puts the Pinch on Victims appeared first on McAfee Blogs.