Threat Research

Analyzing the New non-Beta Version of the Kraken Cryptor Ransomware

By Yueh-Ting Chen | November 12, 2018

FortiGuard Labs Breaking Threat Research Report

FortiGuard Labs recently detected new versions of Kraken Cryptor Ransomware. While the beta tag has been removed from its configuration, there are still numerous bugs in this ransomware, and the author is still continuously modifying its basic functions.

This ransomware variant is relatively new, only starting to spread this past August. It is obvious that this ransomware is still under construction and that the author is continuing to add new methods to improve its functionalities. However, when we analyzed recent samples, we found the these new versions of the malware are still too unstable to execute themselves. They are still filled with coding bugs, and even have message box for debugging. After encountering multiple unusable versions, we were finally able to obtain a functioning sample.

In this article, we will analyze the new “working” version of the Kraken Cryptor Ransomware, which is still under-construction and trying to be more stable. For details on the basic behavior of this ransomware, you can check here to look at some information posted by McAfee last month for reference.

Version 2.1 Found with Multiple Bugs

We found the version 2.1 in early November, and soon we realized this is a bugged version that always finished its execution without infecting our test system. The reason is not due to a new anti-analysis functionality in the sample, but simply because it checks for a nonexistent tag in its configuration.

Figure 1: Bugged reading configuration value in Kraken Cryptor Ransomware V2.1

This causes the function to always return false, forcing it to finish its execution with a suicide function call to remove itself.

After finding this bugged sample, we detected another sample labeled as version 2.1 just a few hours later with the bug we just mentioned removed. However, this version included another bug where the offline installation functionality is disabled because of a logical exception handling bug in the function of obtaining geolocation. This function connects to ipinfo[.]io/json to obtain the  geolocation of the system. If it fails to get a connection, it catches an exception and will not assign any value for the geolocation variable, resulting in reading configuration to fail. As a result, this version is only runnable in an online environment.

Another interesting point is that it also includes a debugged exception message.

Figure 2: Debugging message box displaying in Kraken Cryptor Ransomware

Interestingly, we found those MessageBox calls in the previous v2.07. However, we found more MessageBox calls in v2.1. Over the next few days, the author modified the Kraken Cryptor Ransomware source code multiple times and spread without removing its debugged message or even the nonexecutive bugs.

We also found that there are different support emails in its configurations within the same version, leading us to believe that it may be possible that those two samples were compiled by different authors. We only found support email “middleeast[@]cock.li” in this sample, while the support emails in other samples we mention in this article are all “onionhelp[@]memeware[.]net”

Figure 3: Different support emails in different samples within the same version (2.1)

Version 2.2 with HelloWorld!

Another new version was released soon after we analyzed those bugged 2.1 versions. This updated version works fine, even though the offline installation functionality is still disabled. All of the other functionality is nearly identical except for one interesting function that can be found at the beginning of the main function.

Figure 4: Dynamic Compilation for HelloWorld!

A HelloWorld! Sample source code has now been dynamically compiled and executed. The author is playing with the source code for fun.

Changing Functionalities After Version 2.1

Configuration changing

This new version also has a new configuration tag “partner” over version 2.1, which replaces the old tag “operate”.

Figure 5: Configured partner and beta (removed in 2.1) using in api string.

We also found that the “beta” tag has been removed from the configuration part in version 2.1. In version 2.07, it was configured as 1 in its configuration, which meant that it was still in beta version. However, in version 2.1 it assigned the value 0 in its source for the API query string, which means this connection was not from the beta version.

Another change in it configuration is the “help_voice”. 

Figure 6: help_voice in configuration

Such configuration uses CScript to execute the created visual basic script file (.vbs), whose content is configured in the “API” tag. After this script file runs, it speaks the text configured within the configuration.

Figure 7: Execution of CScript for new created .vbs for help_voice

The final change is the tag, “skip_directories”. It tries to skip more directories to speed up its encryption phase.

In the following image we show the configuration changes between 2.07, 2.1, and 2.2.  The red square highlights the skipped directories in version 2.1.

Figure 8: Configuration changes among 2.07, 2.1, and 2.2

In version 2.2, we also detected that “price” and “price_unit” have now been configured as USD, rather than BTC, which was in the previous version.

No more anti-smb and anti-rdp

In the next image, we show the much different the inside of the “module” tag is from version 2.04. Configuration for “smb” and “rdp” in the anti-analyzing module is removed from version 2.07. Originally in version 2.04, “smb” and “rdp” tags were used to block smb and rdp connections in the infected environment. However, we cannot find those blocking functions in either version 2.1 and 2.2.

Figure 9: Configuration of module in version 2.04

Suspicious SelfKill Check

We also found another interesting check in both of these new versions. Kraken now checks for specific username, specific file, and even specific IP or country code. If it meets the checks It will stop infecting the system and remove itself.

Figure 10: Suspicious SelfKill check

For example, the IP “104.207.76[.]103” listed here is an IP address be located in Naples, Italy.

Figure 11: geolocation check with IPINFO api

Conclusion

Fortiguard Labs has discovered the lstest new version of Kraken Cryptor Ransomware, which has been under construction since August. In this new version, there are bugs that cause the malware not to run or disable some previous functions found in older versions. For example, the offline file encryption module is now disabled. We also found that while the configuration file was modified, the main functionalities were not being modified heavily. We even found that the author has removed the program’s “beta” tag, even though this ransomware is still a “beta” version as it contains numerous obvious bugs in its source code.

FortiGuard Labs will continue to monitor the malware family.

Solution

Fortinet users are protected from the malicious threats mentioned in this report with the following solutions:

·       Files are detected by FortiGuard Antivirus

·       Malicious and Phishing URLs are blocked by our FortiGuard Web Filtering Service

IOCs

Samples:

f1334e51705ba874bf61e50e57288228c2f1d8334c4c385f3b454cc6c07c982a - MSIL/Filecoder.PI!tr

d57d0689c2600b47faab6ac43e22daab1f76b4dfef35e7752a671b6bbe484b37 - MSIL/Filecoder.PI!tr

f7358b103185458619e7203c3de6ed503374914318fc2aee52ed1d704b0cb0a8 - MSIL/Filecoder.PI!tr

c915d380cc548876754f9c9f0c7ecb8ec6923f150cd77822ede330a2a9283d21 - MSIL/Filecoder.PI!tr

6fc366dbc035226190c72d93962d2ad3c1c1f9c93fa1f63a9b31eb969d3f57d7 - MSIL/Filecoder.PI!tr

30147aefa2a24c6c5efeef4b6f6980cfc04aa6cd7c85aff9a3cb8316a14bd2e7 - MSIL/Filecoder.PI!tr

0857d5f714e88a2347affff4a440d9c76e6ddd18265e1c9a7d1c9966b0bfe61a - MSIL/Filecoder.PI!tr

Information collecting URLs:

hxxps://2no[.]co/2FtQu5 - Malicious

-= FortiGuard Lion Team =-

 

Sign up for our weekly FortiGuard Threat Brief.

Know your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.