Over this past Easter weekend, FortiGuard Labs came across a new malicious spam campaign specifically targeting South Korea. What made this campaign unique from others is that it is the first GandCrab 2.0 malspam ransomware campaign that we’ve seen in South Korea targeting organizations in the financial sector. It appears to be originating from the VenusLocker group, which we highlighted in December of last year when we documented that they had switched their game plan from ransomware to cryptocurrency mining. Well, it appears that the VenusLocker group is back in the ransomware game, this time with GandCrab.
GandCrab has become one of the most prominent ransomware threats of 2018. It was first seen in January of this year, and since then multiple reports have stated that GandCrab developers have thus far netted at least $600,000 USD in ransoms. The developers of GandCrab have also incorporated several firsts not previously seen in ransomware threats. For example, they were the first group to accept DASH cryptocurrency. Also, it appears that the developers also use an Agile approach for development. This is a just in time (JIT) development method which, in layman’s terms, means to release a reasonably viable working product to beat competitors to market and then deal with issues and bugs when they arise. Another unique aspect to GandCrab, per various reports, is the developers’ Ransomware as a Service (RaaS) model, which guarantees the authors a split (60/40) between themselves and any bad actor wishing to utilize their services. And finally, a unique feature of GandCrab is the use of .BIT, a TLD that is not recognized by ICANN. Instead, it is served via the NameCoin cryptocurrency infrastructure and uses various .BIT supported nameservers to help resolve DNS and redirect traffic to it.
The Copyright Issue
The malicious spam email containing the ransomware malware is written in Korean, and the contents of the message body contains what appears to be a note from a digital artist/copywriter named “Yoon Soh” who claims that he was truly unaware of any copyright claims that he may have infringed on, and as evidence he has attached his updated artwork, hopefully clearing up any potential legal issues that his original submission may have caused. The attacker is hoping his email is compelling enough to be opened by the recipient, either through curiosity or through a successful social engineering attack.
Rotten Eggs as an Evasion Tactic?
The attachment 이미지 링크정리_180329.egg includes a unique file extension not commonly seen in other parts of the world. The .egg extension is primarily used in South Korea (with a user base in other parts of Asia as well.) It is a compression format similar to .zip, and is is created by ESTsoft, a South Korean software company. The .egg format was designed to support the Unicode (UTF-8) format, which allows a compressed archive to maintain its native compression set, and that can also be used globally for interoperability and compatibility, regardless of the operating system’s language pack installed. According to their website (altools.com), AlZip supports 8 common compression formats - including .zip, .tar, and .egg, to name a few. In order to view the contents of the .egg file, one must download and install AlZip.
File Name: 이미지 링크정리_180329.egg
Image link cleanup_180329.egg
Once installed, we can see that the archive uses an icon that represents a golden egg. One nice feature of this tool is that we can peek inside to see that there are four files contained within the archive: three of them appear to be impersonating .jpg and .doc files, but are really Windows .lnk (LNK) files (shortcuts)
1. 원본이미지_180329.jpg [Original image _180329.jpg]
2. 사용이미지_180329.jpg [Using Image_180329.jpg]
3. 사이트 링크정리_180329.doc [Organize site links _180329.doc]
These are to be assumed to contain the “artwork” in question, with one ominously named “service.exe” file, which contains the GandCrab ransomware:
During the time of writing, Fortinet is the only vendor detecting the contents within this .egg compression set, thwarting any possible evasion tactic by the attacker. At the time of this writing (04/02) we are still the only vendor able to detect the contents inside of this .egg file as malicious.
Our first definitions for this sample, W32/GenKryptik.BSKT!tr, was first available in our (03/07) definition set, well before this sample was first seen in Virus Total, on (03/30).
Additional Evasive Tactics
Besides the .egg compression tactic used to evade anti-virus tools, the attackers employed other tactics as well. We can see that after extraction, there are four files listed in the tree:
After decompressing, we can view the contents of the folder:
And to our surprise, we can see that there are only three files listed. Where did service.exe file go?:
This is, of course, by design. This is an obvious trick by the attacker to deceive the unsuspecting victim into clicking on those files that appear to be legitimate image/doc files, not knowing they are actually clicking on a shortcut that will execute the service.exe file in the background.
A cursory review of the properties of the .doc file shows us the target ultimately opens the service.exe file:
Since we suspected that the attacker was using evasion tactics, we went ahead and enabled hidden files from within the control panel on Windows 7. [Control Panel/Appearance and Personalization /Show hidden files and folders/Hidden files and folders/Show hidden files, folders, and drives/]
Once we have enabled this function we now can see the hidden service.exe file, which is the infamous GandCrab 2.0 ransomware:
Parsing the LNK files with pylinker reveals the following information. Note that all three LNK files contain the same metadata, and contain references to the Base Path: C:\Windows\System32\cmd.exe, which is another evasion technique,
and when we run SHA256 sum that is built into 7-Zip, we see the following reference for all three files – cmd.exe, and the SHA256 of 17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE, which is a legitimate Windows process:
However, further analysis reveals that the malicious LNK samples have the following values:
1. 원본이미지_180329.jpg [Original image _180329.jpg] b56c70ea3ad94052112644b4817fff0ff11181cea59382dcaa3ccb5edfd4a06d
2. 사용이미지_180329.jpg [Using Image_180329.jpg] b56c70ea3ad94052112644b4817fff0ff11181cea59382dcaa3ccb5edfd4a06d
3. 사이트 링크정리_180329.doc [Organize site links _180329.doc] b932f6ec47605238a94cc08cad10340cff2c2b008c369f7522f9cce9960c156
Also, for reference, the LNK files contain some interesting strings. Note the reference to VenusLocker:
vaddr=0x00000064 paddr=0x00000064 ordinal=000 sz=5 len=4 section=unknown type=ascii string=/C:\
vaddr=0x00000131 paddr=0x00000131 ordinal=006 sz=8 len=7 section=unknown type=ascii string=cmd.exe
vaddr=0x000001a4 paddr=0x000001a4 ordinal=008 sz=28 len=27 section=unknown type=ascii string=C:\Windows\System32\cmd.exe
vaddr=0x0000020d paddr=0x0000020d ordinal=010 sz=100 len=49 section=unknown type=utf16le string=/c service.exe!%SystemRoot%\System32\shell32.dllƧ blocks=Basic Latin,Latin Extended-B
vaddr=0x00000279 paddr=0x00000279 ordinal=011 sz=6 len=5 section=unknown type=ascii string=1SPS0
vaddr=0x0000028d paddr=0x0000028d ordinal=012 sz=20 len=4 section=unknown type=utf32le string=A\nἀᜀ blocks=Basic Latin,Greek Extended,Tagalog
vaddr=0x000002a2 paddr=0x000002a2 ordinal=013 sz=42 len=20 section=unknown type=utf16le string=nusLocker_korean.exe
vaddr=0x00000361 paddr=0x00000361 ordinal=016 sz=34 len=16 section=unknown type=utf16le string=(C:\사용자\l\바탕 화면) blocks=Basic Latin,Hangul Syllables
vaddr=0x000003b4 paddr=0x000003b4 ordinal=019 sz=88 len=43 section=unknown type=utf16le string=\Users\l\Desktop\양진이\VenusLocker_korean.exe blocks=Basic Latin,Hangul Syllables
Figure 14. Interesting strings
Viewing the file in a hex editor reveals the same strings for Venus Locker, another group that we covered back in December of last year in this blog, as noted in the introduction.
Finally, clicking on either one of the three LNK files leads us to execute service.exe, which then makes a call to ipv4bot.whatismyipaddress.com (220.127.116.11) to see if the machine is online. It then makes several calls to ns1.cloud-name.ru to redirect the machine to the .BIT TLD, and finally to http://ransomware.bit/ and zonealarm.bit, where we see the following POST requests:
Along with details from the packet:
And finally, the Ransom note and files encrypted as .CRAB:
Evolving techniques, and just simply understanding your target
Malware developers (and now in this case, attackers using RaaS) have always honed their techniques to evade anti-virus and other security measures by – and not limited to – incorporating packing techniques, padding files, detecting virtual environments, rewriting .js downloaders, etc., in what looks like a sophisticated game of whack-a-mole. As evident in this blog, we are also seeing attackers who understand the nuances of region-specific software and the people who use them as potential targets. These attackers are also incorporating various tried and true tactics in their arsenal to thwart detection, and as a result, eventually succeed in compromising their targets as there are always new vulnerabilities and attack techniques and vectors to incorporate.
FortiGuard Labs has analyzed all samples mentioned in this blog and (AV) detection is in place for the samples as:
W32/GenKryptik.BSKT!tr (Detected within .egg container and GandCrab Ransomware)
LNK/Ransom.A6B9!tr (Malicious LNK files)
Also, all IOC’s mentioned below have been blacklisted by our Web Filtering service.
FortiGuard Labs recommends that users keep their AV and IPS signatures up to date to protect themselves from GandCrab 2.0 and other ransomware variants. FortiGuard Labs does not recommend paying the ransom, and instead recommends proactively creating a regularly scheduled backup plan as a preventative measure against ransomware attacks. FortiGuard Labs also recommends that organizations perform full system backups and storing them offline or off-network as a precautionary measure, as several variants of ransomware have been seen targeting and deleting shadow volume copies as well.
Attachment (.egg container)
Name: 이미지 링크정리_180329.egg [Image link cleanup_180329.egg]
SHA256: 5EB609FC612197C64279E29C841B94A3E077D61106D3EA4D9A112771A5260F79 W32/GenKryptik.BSKT!tr
Files in .egg container:
Name: 1. 원본이미지_180329.jpg [Original image _180329.jpg]
SHA256: b56c70ea3ad94052112644b4817fff0ff11181cea59382dcaa3ccb5edfd4a06d LNK/Ransom.A6B9!tr
Name: 2. 사용이미지_180329.jpg [Using Image_180329.jpg]
SHA256: b56c70ea3ad94052112644b4817fff0ff11181cea59382dcaa3ccb5edfd4a06d LNK/Ransom.A6B9!tr
Name: 3. 사이트 링크정리_180329.doc [Organize site links _180329.doc]
SHA256: b932f6ec47605238a94cc08cad10340cff2c2b008c369f7522f9cce9960c156d LNK/Ransom.A6B9!tr
Name: 4. service.exe
For more information on the Threat Landscape, access our latest Quarterly Threat Landscape report here.