A new ransom-miner malware campaign emerging in wild!

Credit to Author: Preksha Saxena | Date: Tue, 10 Jul 2018 12:16:26 +0000

Over the past few weeks, Quick Heal Security Labs has been observing a series of interesting malware samples blocked at our customers' end. Further analysis of the malware ‘t.exe’ revealed that it is a Trojan dropper. Interestingly, this multipurpose malware downloads a ransomware component, a crypto-mining malware and more. It also tries to perform various malicious activities by connecting to one or more CNC servers. This seems to be an ongoing in-the-wild campaign targeting end users with GandCrab ransomware and a Monero cryptominer. We are not aware of the initial attack vector of the file ‘t.exe’, but we strongly suspect phishing mails are being used to spread this malware. A majority of phishing emails contain links to malicious URLs or carry malicious attachments that in turn download malware onto the end user's system. Let's have a look at the attack chain below, which depicts the execution sequence observed for this ransom-miner campaign.

Fig 1: Infection Chain of Ransom-Miner malware campaign

Even though we did not get hold of the initial attack vector, we were able to trace the attack chain from the malicious URL used here.

URL: 92.63.197.112/t[.]exe

The ‘t.exe’ file is a PE32 executable for MS Windows compiled with Microsoft Visual C++. It seems to be custom packed. It contains an interesting resource section of large size, which appears to be encrypted and contains high-entropy data. The resource name is "ransom", which is unusual.

Fig 2. Resource section shown in CFF Explorer

After analysis, we found that the malware reads one of the resources and then decrypts it with an XOR operation. The key, held in the AL register, is calculated in the function ‘call_407B5C’ present just before the XOR operation. The initial value of the key is read from the file and then various operations are performed on it to obtain the final value in AL.

Fig 3. Decryption Routine

The malware decrypts some code and one compressed PE file, as shown in Fig 4. After decryption, control passes to the decrypted code, which decompresses the PE file in memory; the malware then overwrites the parent process memory with the decompressed file and finally executes it. This decompressed file is the main malware file, which performs the further activity.

Fig 4. Decrypted code and Compressed PE file

The malware file contains hardcoded process names. It calls ‘Process32First’ and ‘Process32Next’ to enumerate running processes and compares them against 16 process names to identify the presence of VMware and VirtualBox and their related components. It also checks for a sandbox by looking for the library “sbiedll.dll”. These are the typical anti-VM and anti-sandbox techniques implemented in this malware.

Fig 5. Various process names

After identifying the existence of a virtual environment, the malware stops its malicious behaviour, calls the ‘ExitProcess’ function and terminates the currently running process.

Fig 6. Call ExitProcess if Virtual environment found

It creates a mutex named “.__-TLDR-__.” so that only one copy of it runs at any one time. It also creates a copy of itself in %appdata% under a random numeric name and in the Windows folder under the following name: <C:\WINDOWS\T-5682806352635035603winsvc.exe>, and deletes the original copy. It also sets the file attributes to 7, which marks the file as read-only, hidden and system. The Trojan also creates an entry for its file in the following registry key so that it runs every time Windows starts: “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”. The entry present after infection looks like:

Fig 7. Registry entries created by malware

It also creates the following registry entries to disable Windows Firewall.

Fig 8. Firewall registry entry

The Trojan remains resident in memory and tries to send requests to many CNC servers. It has many random domain names, as shown in Fig 9. By connecting to these CNC domains, it tries to download further malicious components.

Fig 9. CNC URLs present in the decrypted file

It connects to the available CNC servers over HTTP to download multiple files: JavaScript, PE files and some text files.

Fig 10. HTTP requests & response from the infection traffic

While analyzing the downloaded files, we observed that one of the files it downloaded is the JavaScript file ‘go.js’, which is obfuscated and whose content is…
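As an added example (not part of the original write-up or Quick Heal's tooling), a small Python triage helper that checks collected host artifacts for the persistence indicators described above: the T-<digits>winsvc.exe copy in the Windows folder, the read-only+hidden+system attribute mask (7), the Run-key autorun entry and the ‘.__-TLDR-__.’ mutex. The sample artifacts and the Run value name ‘winsvc’ are constructed for illustration.

```python
import re

# Win32 file-attribute bits (winnt.h); the dropper sets all three (mask 7)
FILE_ATTRIBUTE_READONLY = 0x1
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
ATTR_NAMES = {FILE_ATTRIBUTE_READONLY: "READONLY",
              FILE_ATTRIBUTE_HIDDEN: "HIDDEN",
              FILE_ATTRIBUTE_SYSTEM: "SYSTEM"}

# Artifacts taken from the write-up above
MUTEX_NAME = ".__-TLDR-__."
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROP_NAME_RE = re.compile(r"^T-\d+winsvc\.exe$", re.IGNORECASE)  # T-<digits>winsvc.exe

def decode_attributes(mask):
    """Symbolic names of the read-only/hidden/system bits set in mask."""
    return [name for bit, name in ATTR_NAMES.items() if mask & bit]

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def hunt(files, run_values, mutexes):
    """files: [(path, attribute_mask)]; run_values: {value_name: command}
    read from the Run key; mutexes: names seen on the host. Returns findings."""
    findings = []
    for path, mask in files:
        name = _basename(path)
        if path.lower().startswith("c:\\windows\\") and DROP_NAME_RE.match(name):
            findings.append(f"dropped copy in Windows folder: {path}")
        if (mask & 0x7) == 0x7 and name.lower().endswith(".exe"):
            findings.append(f"exe marked {'+'.join(decode_attributes(mask))}: {path}")
    for value, command in run_values.items():
        if DROP_NAME_RE.match(_basename(command.strip('"'))):
            findings.append(f"autorun {RUN_KEY}\\{value} -> {command}")
    if MUTEX_NAME in set(mutexes):
        findings.append(f"mutex present: {MUTEX_NAME}")
    return findings

# Constructed sample artifacts (not collected from a real host)
SAMPLE_FILES = [(r"C:\WINDOWS\T-5682806352635035603winsvc.exe", 0x7),
                (r"C:\WINDOWS\notepad.exe", 0x20)]  # ARCHIVE only, benign
SAMPLE_RUN = {"winsvc": r"C:\WINDOWS\T-5682806352635035603winsvc.exe"}  # value name constructed
SAMPLE_MUTEXES = [".__-TLDR-__.", "Global\\BenignAppMutex"]

if __name__ == "__main__":
    print("\n".join(hunt(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_MUTEXES)))
```

On a live host the three inputs would come from a directory listing with attributes, a Run-key export and a handle/mutex listing; the logic is the same.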