Hidden-Tear Kit gives birth to Karmen Ransomware
The SonicWall Threats Research team have recently been tracking a ransomware family known as Karmen. As expected, this ransomware encrypts various files on the system using the AES-256 encryption protocol rendering the files inaccessible until payment is made to the operators. Karmen is reported to be derived from an open source malware project hosted on github.com called Hidden Tear. Such projects make it easy for anyone to become a cyber criminal and generate malicious executable modules that can be used to infect machines on the internet. The first reported infections of this ransomware date back as far as December 2016.
Infection cycle:
The Trojan immediately reports the infection to a remote key server and sends a pregenerated unique ID:
The response is a Bitcoin payment address.
It also makes the following request to retrieve the Bitcoin ransom amount,
It then requests to download the Karmen decrypter program [Detected as GAV: Karmen.RSM_2 (Trojan)]:
Once run, it displays the following window:
The Trojan adds the following files to the filesystem:
- %APPDATA%LocalTempadr.txt
- %APPDATA%LocalTempbtc.txt
- %APPDATA%LocalTempdel.bat
- %APPDATA%LocalTempid.txt
- %APPDATA%LocalTemplnk.txt
- %APPDATA%LocalTempTTX49E1.tmp
- %APPDATA%LocalTempEeGpNYHeR2QcRuKq.exe [Detected as GAV: Karmen.RSM_2 (Trojan)]
The dropped text files contain the following data:
- adr.txt
- btc.txt
- del.bat
- id.txt
- lnk.txt
3A1zX8Vt1WUfxLtAnoo33Zk2Ebikig3RU20.33@echo offtaskkill /f /im EeGpNYHeR2QcRuKq.exedel %APPDATA%LocalTempEeGpNYHeR2QcRuKq.exedel %APPDATA%LocalTemplnk.txtdel %APPDATA%LocalTempbtc.txtdel %APPDATA%LocalTempadr.txtdel %APPDATA%LocalTempdel.batbcjytJMY2daB09http://195.3.144.69/The Trojan periodically sends the following request to the key server:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Karmen.RSM (Trojan)
- GAV: Karmen.RSM_2 (Trojan)
