
A look at two ransomware strains using open source code

Analysis of two .NET-based ransomware strains that build on open source code

By: Avinash Kumar, Amandeep Kumar, Rajdeepsinh Dodia


Introduction

Ransomware has undoubtedly become one of the most prevalent and prolific malware families, earning large profits for cybercriminals. Several dozen new ransomware strains and attacks were seen in 2017, including the infamous global outbreaks of WannaCry, Petya, and BadRabbit that impacted millions of computers worldwide. In this blog, we explore two ransomware strains from 2017, Vortex and BUGWARE, both of which are compiled to Microsoft Intermediate Language (MSIL) and packed with the 'Confuser' packer. Interestingly, both strains reuse open source code to encrypt user files.

ThreatLabZ, the research division of Zscaler, has been tracking these strains and is seeing payloads actively pushed to users via spam campaigns containing malicious URLs.

Case #1 - Vortex Ransomware

Vortex, whose ransom note is written in Polish, uses the AES-256[2] cipher to encrypt victims' image, video, audio, document, and other potentially important data files. The ransom note tells victims how their files can be restored and how to pay the ransom. It is titled "##@@ INFO O PLIKACH.txt" (Polish for "info about the files").

 

Figure 1: Ransom note

In this sample, the attacker offers to decrypt two files for free; the ransom demand is $100, rising to $200 after four days. This variant gives two email addresses for contacting the attacker: Hc9@2.pl and Hc9@goat.si.

Installation

The malware creates a registry entry for persistence.

Figure 2: Registry entry

 

It also creates a registry key called "AESxWin."

Figure 3: Registry key

Upon execution, the malware attempts to encrypt files with the following extensions on the victim machine:

Figure 4: File types encrypted by Vortex

The following is a list of other file types that will get encrypted by the Vortex ransomware.

Figure 5: Other file types encrypted by Vortex

Vortex also deletes all Volume Shadow Copies, and with them the system restore points, by running the following command:

vssadmin.exe delete shadows /all /Quiet

This ensures that the victim cannot recover their files by restoring the system to a pre-infection state.
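Because the shadow-copy deletion happens before the victim notices anything, the command line itself is one of the highest-signal detections for this family. The following Go program is an added example written for this post, not code from the Zscaler analysis: it scans process-creation events (the Image and CommandLine fields that Sysmon Event ID 1 and Security event 4688 both provide) and flags the vssadmin invocation shown above regardless of case, spacing or trailing switches. It also matches the equivalent wmic shadowcopy delete, which goes beyond what the page shows. The sample events are constructed, not a real capture.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is the minimal process-creation record needed here; Sysmon
// Event ID 1 and Windows Security event 4688 both carry these fields.
type ProcEvent struct {
	Image       string // full path of the new process
	CommandLine string
	ParentImage string // full path of the parent process
}

// baseName returns the lower-cased file name component of a Windows path.
func baseName(p string) string {
	p = strings.ToLower(p)
	return p[strings.LastIndexAny(p, `\/`)+1:]
}

// IsShadowDeletion flags the command Vortex runs ("vssadmin.exe delete
// shadows /all /Quiet") regardless of letter case, extra whitespace or which
// switches follow, and also (beyond what the page shows) the equivalent
// "wmic shadowcopy delete".
func IsShadowDeletion(e ProcEvent) bool {
	// Normalise: lower-case and collapse whitespace so "Delete   SHADOWS"
	// still matches.
	cmd := strings.ToLower(strings.Join(strings.Fields(e.CommandLine), " "))
	switch baseName(e.Image) {
	case "vssadmin.exe":
		return strings.Contains(cmd, "delete shadows")
	case "wmic.exe":
		return strings.Contains(cmd, "shadowcopy") && strings.Contains(cmd, "delete")
	}
	return false
}

// Scan returns one alert line per shadow-copy deletion in a batch of events.
// The parent image is included because a vssadmin launched from a binary in
// the user profile, as in the first sample event, is what ransomware looks like.
func Scan(events []ProcEvent) []string {
	var hits []string
	for _, e := range events {
		if IsShadowDeletion(e) {
			hits = append(hits, fmt.Sprintf("shadow-copy deletion: parent=%s cmd=%q", e.ParentImage, e.CommandLine))
		}
	}
	return hits
}

// SampleEvents is constructed telemetry for this example, not a real capture.
func SampleEvents() []ProcEvent {
	return []ProcEvent{
		{Image: `C:\Windows\System32\vssadmin.exe`, CommandLine: `vssadmin.exe delete shadows /all /Quiet`, ParentImage: `C:\Users\victim\AppData\Roaming\update.exe`},
		{Image: `C:\Windows\System32\vssadmin.exe`, CommandLine: `vssadmin.exe list shadows`, ParentImage: `C:\Windows\System32\cmd.exe`},
		{Image: `C:\Windows\System32\VSSADMIN.EXE`, CommandLine: `VSSADMIN.EXE  Delete   Shadows /For=C: /Oldest`, ParentImage: `C:\Windows\System32\cmd.exe`},
		{Image: `C:\Windows\System32\wbem\WMIC.exe`, CommandLine: `wmic shadowcopy delete`, ParentImage: `C:\Users\victim\Downloads\doc.scr`},
		{Image: `C:\Windows\System32\vssadmin.exe`, CommandLine: `vssadmin.exe create shadow /for=C:`, ParentImage: `C:\Windows\System32\cmd.exe`},
	}
}

func main() {
	for _, h := range Scan(SampleEvents()) {
		fmt.Println(h)
	}
}
```

Run stand-alone it prints three alerts (the Vortex command, the mixed-case variant and the wmic form) and stays silent on the "list" and "create" invocations that administrators and backup software legitimately run.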

Command and Control (C&C) communication:

The following screenshot shows the ransomware requesting a password from the password API; the returned password is random and changes with every request:

Figure 6: Password API request

This screen shows the malware contacting the C&C server and sending system information.

Figure 7: Sending system info to C&C

The following screenshot shows the password API response that supplies the key used for encryption and decryption.

Figure 8: GET request with IP, system ID, data and password API

While analyzing the malware, we found that its encryption code is taken wholesale from AESxWin, a freeware encryption and decryption utility hosted on GitHub and written by Egyptian developer Eslam Hamouda.

Figure 9: Developer signature in the reused code

We further confirmed that Vortex uses this tool unaltered by successfully decrypting the files on the infected system with the AESxWin utility and the same password that was used for encryption. In practice this means that recovering the password, for instance from a network capture of the password API exchange, is enough to decrypt the files without paying.

Figure 10: Decryptor

Case #2 - BUGWARE Ransomware

A new ransomware strain called BUGWARE [first seen Oct 2017] uses the open source Hidden Tear code. It encrypts files and demands a ransom equivalent to 1,000 Brazilian reais, payable in the cryptocurrency Monero. The main BUGWARE payload is signed with an invalid certificate purporting to belong to GAS INFORMATICA LTDA.

Figure 11: Invalid certificate

Payload analysis

First, it searches for the file "%AppData%\Lista.log". If this file is found, the malware terminates itself; Lista.log is the log of encrypted files that BUGWARE writes (see below), so its presence marks a machine that has already been processed.

BUGWARE stores a list of whitelisted paths in the Criptografia.whitelist variable and does not attempt to encrypt files in those folders:

  • %ProgramFiles%
  • %ProgramFilesX86%
  • %Windows%
  • %AppData%\Roaming
  • %AppData%\Local

It also avoids encrypting files in directories whose path contains any of the following strings:

  • $recycle.bin
  • Intel
  • Nvidia

The payload builds a list of paths to encrypt and stores it in the Criptografia.pathstoencrypt list:

  • %Desktop%
  • %Documents%
  • %Music%
  • %Pictures%
  • %Videos%

It searches for fixed, network, and removable drives, and adds those paths into the Criptografia.pathstoencrypt list.

Encryption Process

BUGWARE obtains a random GUID from the passworrandom.com website, appends "-DCLXVI" to it, and stores the result in the AES.senha variable. If it cannot obtain a GUID from that website, it builds AES.senha locally instead as "DCLXVI-{GUID generated with Guid.NewGuid()}".

Figure 12: Generating key

It derives the encryption key by computing the SHA-256 of AES.senha, and then encrypts user files with AES-256 under that key.

After encrypting a file, the malware renames it to "filename.[SLAVIC@SECMAIL.PRO].BUGWARE", appends an entry for it to Lista.log, and overwrites its CreationTime, LastAccessTime, and LastWriteTime with random timestamps, which destroys the file-system timeline an investigator would otherwise rely on.

Figure 13: Modifying file name and file properties

The following screenshot shows the file extensions targeted by BUGWARE.

Figure 14: Targeted file extensions

BUGWARE downloads an image from "i[.]imgur.com/NpKQ3KZ.jpg" and sets it as the victim's desktop background after the system is restarted.

Figure 15: BUGWARE wallpaper

After encrypting the files, BUGWARE displays its warning messages; the ransom note shown here is in Portuguese.

Figure 16: Ransom note

The malware then encrypts the AES key with an RSA public key and saves the base64-encoded result under the registry path "HKCU\SOFTWARE\BUGWARE\chavepriv8". Without the attacker's corresponding private key, this value cannot be reversed to recover the AES key.

The RSA public key is embedded in XML format in the minhachave variable, as shown below.

Figure 17: Base64 encoded RSA public key
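The key handling described in the two passages above (a senha string, SHA-256 of it as the AES-256 key, and that key wrapped with the embedded RSA public key and base64-encoded into chavepriv8) is enough to model the whole scheme. The following Go program is an added example, not BUGWARE's or Hidden Tear's code: it implements each step and then shows both recovery paths, decrypting with the senha (what an analyst can do if the senha is recovered, for example from a capture of the GUID request) and unwrapping the AES key with the private half of a locally generated RSA pair (what only the attacker can normally do). Assumptions, because the page does not state them: CBC mode with PKCS#7 padding and a random IV stored before the ciphertext, PKCS#1 v1.5 RSA padding, and the standard 8-4-4-4-12 GUID text form.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// NewSenha builds the offline-fallback password the page describes: "DCLXVI-" plus a fresh GUID (assumed 8-4-4-4-12 hex text).
func NewSenha() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	return fmt.Sprintf("DCLXVI-%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// DeriveKey is the step the page states: AES-256 key = SHA-256(senha).
func DeriveKey(senha string) []byte {
	sum := sha256.Sum256([]byte(senha))
	return sum[:]
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if len(b)%size != 0 || n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptFile encrypts one file body. Assumption (the page names no mode): CBC with
// PKCS#7 padding, the .NET defaults, with a random IV stored in front of the ciphertext.
func EncryptFile(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// DecryptFile reverses EncryptFile: what a decryptor does once senha is known.
func DecryptFile(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key or ciphertext: %v", err)
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	return pkcs7Unpad(pt, aes.BlockSize)
}

// NewAttackerKey stands in for the RSA pair whose public half the malware embeds
// as minhachave; only the attacker holds the private half.
func NewAttackerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// WrapKey RSA-encrypts the AES key and base64-encodes it, the form the page says BUGWARE
// stores in HKCU\SOFTWARE\BUGWARE\chavepriv8. Assumption: PKCS#1 v1.5 padding (.NET default).
func WrapKey(pub *rsa.PublicKey, key []byte) (string, error) {
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, pub, key)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// UnwrapKey is the attacker-side recovery of the AES key from that registry value.
func UnwrapKey(priv *rsa.PrivateKey, b64 string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptPKCS1v15(rand.Reader, priv, ct)
}

func main() {
	senha, _ := NewSenha()
	ct, _ := EncryptFile(DeriveKey(senha), []byte("constructed sample file content"))
	pt, _ := DecryptFile(DeriveKey(senha), ct)
	fmt.Printf("senha=%s\nrecovered=%s\n", senha, pt)
}
```

Run stand-alone it prints a freshly generated senha and the plaintext recovered with it. The UnwrapKey path needs the RSA private key, which is why the chavepriv8 registry value is of no use to a victim unless that key leaks; the senha, by contrast, is only as secret as the channel it was fetched over.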

 

For persistence, the malware creates a Run key so that it executes each time the user logs on. It launches BUGWARE with the "OK" argument, which displays the ransom note.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BUGWARE\

The malware checks for the presence of a removable drive and, if one is found, drops a copy of itself on it named "fatura-vencida.pdf.scr" (Portuguese for "overdue invoice").

C&C communication:

BUGWARE sends base64-encoded data to its C&C at getrichordietryin[.]xyz.

Figure 18: C&C communication

Decoded data

Maquina: machine name
Dominio: network domain name associated with the current user
ID: volume serial number
Prazo: ransom deadline (the current date and time plus 3 days)
Arquivos: number of encrypted files
SO: operating system

It also stores this information in the registry key HKCU\SOFTWARE\BUGWARE\.
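To turn the sender.php beacon into an incident-response artefact, the following Go program (an added example, not part of the original analysis) base64-decodes a captured request body, parses the six fields listed above, and derives the time encryption started from Prazo. That derivation matters because the page says Prazo is the current time plus 3 days, while BUGWARE randomises the timestamps of every file it encrypts, so the files themselves no longer tell you when it ran. The one-field-per-line "Name=value" layout and the date format are assumptions; the page only shows the field names. The sample body is constructed.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Beacon holds the fields the page lists for the decoded sender.php request.
type Beacon struct {
	Maquina  string    // machine name
	Dominio  string    // domain of the current user
	ID       string    // volume serial number
	Prazo    time.Time // ransom deadline
	Arquivos int       // number of encrypted files
	SO       string    // operating system
}

// PrazoLayout is an assumption: the page does not show the date format.
const PrazoLayout = "2006-01-02 15:04:05"

// DecodeBeacon decodes one captured request body. Assumption: after base64
// decoding, the body is "Field=value" pairs, one per line. The field names
// are the ones on the page; all six must be present.
func DecodeBeacon(body string) (Beacon, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(body))
	if err != nil {
		return Beacon{}, err
	}
	var b Beacon
	seen := map[string]bool{}
	for _, line := range strings.Split(string(raw), "\n") {
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			continue
		}
		k, v := strings.ToLower(strings.TrimSpace(kv[0])), strings.TrimSpace(kv[1])
		seen[k] = true
		switch k {
		case "maquina":
			b.Maquina = v
		case "dominio":
			b.Dominio = v
		case "id":
			b.ID = v
		case "prazo":
			if b.Prazo, err = time.Parse(PrazoLayout, v); err != nil {
				return Beacon{}, fmt.Errorf("prazo: %w", err)
			}
		case "arquivos":
			if b.Arquivos, err = strconv.Atoi(v); err != nil {
				return Beacon{}, fmt.Errorf("arquivos: %w", err)
			}
		case "so":
			b.SO = v
		}
	}
	for _, k := range []string{"maquina", "dominio", "id", "prazo", "arquivos", "so"} {
		if !seen[k] {
			return Beacon{}, errors.New("missing field " + k)
		}
	}
	return b, nil
}

// EncryptionStart recovers when encryption ran: the page says Prazo is the
// current time plus 3 days. This is the reliable anchor, because BUGWARE
// randomises the timestamps of the files it encrypts.
func EncryptionStart(b Beacon) time.Time {
	return b.Prazo.Add(-72 * time.Hour)
}

// SampleBeacon is a constructed request body for this example, not a real capture.
func SampleBeacon() string {
	plain := "Maquina=WS-042\nDominio=CORP\nID=A1B2C3D4\nPrazo=2017-10-05 14:02:11\nArquivos=1378\nSO=Microsoft Windows 7 Professional"
	return base64.StdEncoding.EncodeToString([]byte(plain))
}

func main() {
	b, err := DecodeBeacon(SampleBeacon())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\nencryption started about %s\n", b, EncryptionStart(b).Format(PrazoLayout))
}
```

Arquivos gives a quick scope check against the count of "*.[SLAVIC@SECMAIL.PRO].BUGWARE" files actually found on disk, and ID (the volume serial) ties a proxy-log entry to a specific machine when the hostname has since been reimaged.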


Figure 19: Data stored in registry keys

Indicators of Compromise

MD5: 

FDF777C8C92355AD95C5AB7E4AA0A32A [Vortex]

35A3864D4BE9E7A7303C370879B8B8D1 [Vortex]

6A9F56A2F298E5ACB6B2E84BB2864E08 [BUGWARE]

NETWORK:

departamento-vendas[.]xyz/doc_2017100200000-16_pdf.scr 

getrichordietryin[.]xyz/sender.php

FILESYSTEM:
%AppData%\Lista.log
%Desktop%\bugware.bmp

REGISTRY:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BUGWARE\
HKCU\SOFTWARE\BUGWARE\Arquivos
HKCU\SOFTWARE\BUGWARE\Chavepriv8
HKCU\SOFTWARE\BUGWARE\Enviado
HKCU\SOFTWARE\BUGWARE\ID
HKCU\SOFTWARE\BUGWARE\prazo



