
Emsisoft Specialists Discovered JavaScript Ransomware

Emsisoft specialists have discovered ransomware written in JavaScript. It was named Ransom32 and is used by attackers in malicious campaigns, distributed much like many other families of this type of malware. The attackers opted for a high level of anonymity: Ransom32 communicates with its command-and-control (C&C) server over the anonymous Tor network, and the ransom is paid in bitcoins.



Using JavaScript makes the ransomware cross-platform: it can run on Microsoft Windows as well as on Linux and Apple OS X. The key feature of Ransom32 is its distribution model for cybercriminals. It follows a Software-as-a-Service (SaaS) model: to gain access to the administrative control panel and generate their own build of the malware, affiliates only need to supply the address of their Bitcoin wallet.

Fig. Ransom32 control panel. Visible are the operator's (owner's) Bitcoin wallet address, statistics on infected computers, the amount of funds already received from victims, and the malware's configuration settings (Emsisoft data).

After the operator clicks the “Download client.scr” button, an archive of the malware files built with the parameters set in the control panel is generated. This archive is unusually large, over 22 MB, far exceeding the size typical of other malware files, which as a rule stay under 1 MB.


Fig. Ransomware files inside a self-extracting SFX archive.

The malicious program uses WinRAR SFX script commands to unpack the contents of the archive automatically into the user's temporary files directory, after which the chrome.exe file is executed. The purpose of the files from the archive is as follows.


Fig. Malware configuration file in JSON format.

NW.js is a framework for building JavaScript applications for Windows, Linux and OS X. It is based on the popular Node.js and Chromium projects, and a developer can package a script into an application for any of these platforms. This is what lets the attackers adapt the ransomware to Linux and OS X with little effort.

Once the ransomware file is executed on the system, it extracts all the files listed above into the temporary files directory and then copies itself to the %AppData%\Chrome Browser directory. The s.exe file is used to create a shortcut named “ChromeService” in the user's Startup folder, which gives the malware persistence across reboots. The malware then launches the Tor client to connect to its C&C server on port 85. After connecting to the server, the ransomware displays the ransom note to the user.


Fig. The ransom note.

After that, Ransom32 starts encrypting files with the following extensions.

*.jpg, *.jpeg, *.raw, *.tif, *.gif, *.png, *.bmp, *.3dm, *.max, *.accdb, *.db, *.dbf, *.mdb, *.pdb, *.sql, *.*sav*, *.*spv*, *.*grle*, *.*mlx*, *.*sv5*, *.*game*, *.*slot*, *.dwg, *.dxf, *.c, *.cpp, *.cs, *.h, *.php, *.asp, *.rb, *.java, *.jar, *.class, *.aaf, *.aep, *.aepx, *.plb, *.prel, *.prproj, *.aet, *.ppj, *.psd, *.indd, *.indl, *.indt, *.indb, *.inx, *.idml, *.pmd, *.xqx, *.xqx, *.ai, *.eps, *.ps, *.svg, *.swf, *.fla, *.as3, *.as, *.txt, *.doc, *.dot, *.docx, *.docm, *.dotx, *.dotm, *.docb, *.rtf, *.wpd, *.wps, *.msg, *.pdf, *.xls, *.xlt, *.xlm, *.xlsx, *.xlsm, *.xltx, *.xltm, *.xlsb, *.xla, *.xlam, *.xll, *.xlw, *.ppt, *.pot, *.pps, *.pptx, *.pptm, *.potx, *.potm, *.ppam, *.ppsx, *.ppsm, *.sldx, *.sldm, *.wav, *.mp3, *.aif, *.iff, *.m3u, *.m4u, *.mid, *.mpa, *.wma, *.ra, *.avi, *.mov, *.mp4, *.3gp, *.mpeg, *.3g2, *.asf, *.asx, *.flv, *.mpg, *.wmv, *.vob, *.m3u8, *.csv, *.efx, *.sdf, *.vcf, *.xml, *.ses, *.dat

At the same time, Ransom32 does not attempt to encrypt files in directories whose names contain the following strings.

Files are encrypted with AES using a 128-bit key in CTR mode. A new AES key is generated for each file. That per-file key is in turn encrypted with RSA, using a public key downloaded from the C&C server during the first connection.


Fig. A fragment of the network exchange between the malware and the C&C server: the server sends the RSA public key (key length marked in yellow, the key itself in green) in response to the client sending its Bitcoin wallet address (purple).

The AES key encrypted with the public key is stored alongside the encrypted file's data. The malware also offers the victim the decryption of a single file to demonstrate that the attackers really can decrypt the data: the malicious program sends the encrypted AES key of the chosen file to the C&C server and receives back the decrypted key. Since the RSA private key never leaves the attackers' server, the files cannot be recovered offline without it.

To protect data against this type of malware, we recommend keeping the operating system up to date, making regular backups, and using antivirus software.

Source: https://habr.com/ru/post/274447/
