Threat Research

GandCrab V4.0 Analysis: New Shell, Same Old Menace

By Joie Salvio | July 09, 2018

The new GandCrab v4.0 was seen just a few days ago targeting users looking for cracked applications, as first reported by BleepingComputer. Malicious pages are currently being injected into legitimate websites in order to lead unsuspecting users to the GandCrab malware.

It has been over two months since GandCrab has undergone a major update. While this latest version includes an overhaul in terms of the code structure, its major purposes are practically the same. While some of the older features have been removed, most of the standard ones are still in place. Noticeably, the wallpaper change that had been added in the previous major update of the ransomware is no longer implemented. The biggest change, however, is the switch from using RSA-2048 to the much faster Salsa20 stream cipher to encrypt data, which had also been used by the Petya ransomware in the past. Furthermore, it has done away with connecting to its C2 server before it can encrypt its victims’ file, which means it is now able to encrypt users that are not connected to the Internet.

Note: Thanks to David Maciejak, Director of FortiGuard Research Team, for investigating the compromised websites.

Note: Read previous research on this topic.

Compromised Websites Serve GandCrab V4.0

The malware was reportedly seen being distributed through compromised websites that were built using WordPress, which is not at all new, as WordPress is a favourite target of exploitation. In fact, for this latest release, we have found numerous infected websites injected with malicious pages (a few of which are shown in the figure below).

Figure 1 Pages injected into compromised websites

These pages instantly redirect users to a separate page containing the actual download link leading to the GandCrab executable. Interestingly, when these sites are visited again after a few minutes, no redirection occurs unless you change your IP address. 

Figure 2 Downloaded pages leading to GandCrab v4.0

Our analysis shows that the malware executable and download links are being updated regularly. Below are some of the links that we have been observed during our analysis. They follow the format http://<domain>/file_c.php<random_chars>=<HEX_digest_of_cracked_appname>

http[:]//gabysutton[.]com/file_c.php?vubljfwmqpkebpes=437261636b5f53617070686972655f506c7567696e735f666f725f41667465725f456666656374732e657865 (Crack_Sapphire_Plugins_for_After_Effects.exe)

http[:]//gagaryn[.]com/file_c.php?lkgpsudyvbjs=437261636b5f4d657267696e675f496d6167655f746f5f5044462e657865 (Crack_Merging_Image_to_PDF.exe)

http[:]//blog.ygtecnopc[.]com/file_c.php?rnopbuvnxdmk=437261636b5f4d657267696e675f496d6167655f746f5f5044462e657865 (Crack_Merging_Image_to_PDF.exe)

The Shout Outs and the Russian Evasion

As expected, GandCrab’s execution is straight forward. No anti-analysis or heavy obfuscations.

The classic message strings to malware researchers are still mixed in the code, hinting that this new version is by the same developers. Daniel J. Bernstein, who developed the Salsa20 cipher and Zerophagel337, a malware researcher, are new additions to its growing list of shout outs. New and old debug strings are also hard to miss.

Figure 3 Shout out strings from unpacked binary

As in the previous versions, if there’s a hint that the target system is from a country where the Russian language is commonly spoken, it does not proceed with the infection. In addition to the Russian keyboard layout check, this latest version has added a user interface language check against the following Russian-speaking countries:

·       Russian (0x419)

·       Ukrainian (0x422)

·       Belarusian (0x423)

·       Tajik (0x428)

·       Armenian (0x42B)

·       Azerbaijani (0x42C/0x82C)

·       Georgian (0x437)

·       Kazakh (0x43F)

·       Kyrgyz (0x440)

·       Turkmen (0x442)

·       Uzbek (0x843)

·       Tatar (0x444)

·       Romanian (0x818)

·       Moldova(0x819)

The existence of the file <8hex-chars>.lock (e.g. 2078FBF8.lock) in the user’s Common AppData directory (e.g. C:\ProgramData) also causes the malware to terminate without infecting the system. The 8hex-chars part of the filename is generated from the root drive’s volume serial number value after being shifted right.

Figure 4 Snippet checking if <8-hex>.lock exists

Salsa20 and Network Share Encryption

Encrypted files are now appended with the “.KRAB” extension. The ransom note that is being dropped to every directory has also been changed to “KRAB-DECRYPT.txt”

Figure 5 Encrypted files appended with .KRAB extension

All drives including mapped drives in the system are encrypted by the malware. This time, to expand its reach, it also encrypts network shares remembered by the victim machine.

Figure 6 Routine for encrypting network shares

As mentioned, this new version now uses the Salsa20 stream cipher to encrypt files instead of RSA-2048 encryption, which is now used for a slightly different task, as described below. It is also important to note that in previous versions the malware needed to connect to its C2 before file encryption could occur. This new version does not. This means it can encrypt files even if the device is not connected to the Internet.

The encryption of the RSA-2048 private key and Salsa parameters is performed as follows:

·       Generates RSA-2048 private and public keys

·       A 32-byte and an 8-byte values are randomly generated as Salsa20’s key and nonce, respectively

·       Encrypts the generated RSA-2048 private key using Salsa20

·       The Salsa20 key and nonce are also encrypted with the previously generated RSA-2048 public key

The encrypted keys are stored as a binary block that is written to the registry location HKCU\Software\keys_data\data\private.

The raw RSA public key is stored under HKCU\Software\keys_data\data\public.

Figure 7 Encrypted Keys added to registry

A similar routine is performed during its file encryption routine. A pair of random 32-byte and 8-byte values is generated to be used by Salsa20 as key and nonce parameters, respectively. This is done for each file to be encrypted. And as expected, these keys are immediately encrypted by the RSA-2048 public key, which is appended at the end of the encrypted file contents, together with its original file size.

Figure 8 Structure of a file encrypted by GandCrab V4.0

Ransom Note and Payment Page

In conjunction with the new encryption procedure, the ransom note has also undergone a few changes. The dreadful note that serves as both notification and instruction for the malware’s victims now also contains the discussed encrypted keys (encoded in base64) and the victim’s basic info, which was encrypted with the RC4 algorithm using the hard-coded key “jopochlen” before being encoded with base64.

Figure 9 Ransom note includes encrypted keys and victim data

Nothing much has changed with the GandCrab payment page. As an assurance, they still offer victims with free decryption for one file. However, in our test it was not actually able to decrypt an encrypted file that we uploaded. But regardless of the test’s outcome, victims are still strongly encouraged to not pay the ransom.

Figure 10 Payment page asking for $1000 after a few days
Figure 11 Free decryption from GandCrab payment website results in an error

Conclusion

Although a lot of internal changes have been made to this new version of GandCrab over the last two months, it is still the same active file-encrypting malware that can cause critical damage to those systems that it manages to infect. Even so, this is something that good cyber hygiene can mitigate. In this case, users are also advised to always be extra cautious with files downloaded from the Internet, especially cracked applications. Not only do these violate copyright laws, they also pose a great risk, especially for untrained users.

Currently, the malware is being distributed to compromised sites, and we expect it to move to other modes of distributions, particularly spam campaigns, as it has done in the past.

We didn’t find any network communication with this version. However, at the time of this writing a newer version, GandCrab v4.1 was already being distributed after only a day or two since v4.0 was released. Based on our brief analysis, this new version now includes some network communication functionality. We’ll be releasing a separate article discussing this late-breaking development.

As always FortiGuard Labs will keep monitoring this malware for any updates.

-= FortiGuard Lion Team =-

 

Solution

Currently, creating an <8hex-chars>.lock file in the system’s COMMON APPDATA folder can prevent this malware from infecting the system. However, this should not be treated as a permanent solution since the check can be easily removed by the threat actors, especially for an actively updated malware like GandCrab.

Fortinet customers are protected by the following:

·       Samples are detected by the heuristic detection W32/GandCrypt.CHT!tr

·       The compromised websites we observed are already categorized as malicious by our FortiGuard Web Filtering

·       FortiSandbox rates the GandCrab’s behaviour as high risk

IOCs

6c1ed5eb1267d95d8a0dc8e1975923ebefd809c2027427b4ead867fb72703f82 (packed) –
W32/GandCrypt.CHT!tr

15d70bdbf54b87440869a3713710be873e595b7e93c0559428c606c8eec1f609 (unpacked) -
W32/GandCrypt.CHT!tr

 

Learn more about our global threat research:

Check out our latest Quarterly Threat Landscape Report for more details about recent threats.

Sign up for our weekly FortiGuard Threat Brief or for our FortiGuard Threat Intelligence Service.

Join the Discussion