Rekensom Ransomware actively spreading in the wild

SonicWall Capture Labs Threat Research Team recently found a new RekenSom Ransomware.

Infection Cycle:

At the onset of execution, a named mutex “Rekensom” is created to ensure only one instance of the sample is running.

To get the most CPU cycles, it sets thread priority to highest.

Adding an entry under the “RunOnce” registry key or to the Startup folder causes the referenced program to be executed when a user logs in.

This particular variant targets the logged-in user’s Desktop folder. Files with specific extensions in that folder are chosen for encryption.

It uses the symmetric encryption algorithm AES to encrypt the target files. The plaintext buffer is populated first with the file’s content, followed by the name of the file being encrypted.

Infected files are then renamed to “Encrypted{variable}.som”, where the variable component consists only of ‘-‘ characters and its length varies from 6 to 12 characters.
Because the new name depends only on the number of dashes, files that receive the same dash count overwrite each other; as a result of this code flaw, only ‘6’ files could be recovered, as the other files would be overwritten.

A 500 ms wait is added before the next file is targeted; this could help evade some behavioral detection technologies.
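The two behaviours just described (one rename every 500 ms, and a destination name that varies only in its dash count) are both visible to a file-activity monitor. The following is an added example, not code from the SonicWall write-up: it builds a constructed rename log in the shape of this sample (the assumption that the dash count simply cycles through 6..12 is mine) and runs two detectors over it. A per-second rename threshold stays quiet at this cadence, while a sliding window keyed on directory and new extension still fires; a third function counts the distinct destination names to show why later files overwrite earlier ones.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_events(n=20, gap_ms=500):
    """Constructed sample: n RENAME events, one every gap_ms, in one Desktop folder.
    Destination names follow the "Encrypted{dashes}.som" scheme; the dash count
    cycling through 6..12 is an assumption made for this example."""
    start = datetime(2020, 3, 20, 10, 0, 0)
    events = []
    for i in range(n):
        dashes = "-" * (6 + i % 7)
        ts = start + timedelta(milliseconds=i * gap_ms)
        src = rf"C:\Users\alice\Desktop\report{i}.docx"
        dst = rf"C:\Users\alice\Desktop\Encrypted{dashes}.som"
        events.append((ts, "RENAME", src, dst))
    return events


def _split(path):
    """Return (directory, lower-case extension with dot) for a Windows path."""
    directory, _, name = path.rpartition("\\")
    ext = "." + name.rpartition(".")[2].lower() if "." in name else ""
    return directory, ext


def peak_renames_per_second(events):
    """Highest number of extension-changing renames in any single wall-clock second.
    A naive per-second threshold is exactly what a 500 ms pause is designed to stay under."""
    counts = Counter()
    for ts, op, src, dst in events:
        if op == "RENAME" and _split(src)[1] != _split(dst)[1]:
            counts[ts.replace(microsecond=0)] += 1
    return max(counts.values(), default=0)


def detect_slow_rename_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Sliding-window detector: alert when `threshold` or more extension-changing
    renames land in the same directory with the same new extension within `window`.
    Returns a sorted list of (directory, new_extension, count_in_window)."""
    buckets = defaultdict(list)
    for ts, op, src, dst in sorted(events, key=lambda e: e[0]):
        if op != "RENAME":
            continue
        directory, src_ext = _split(src)
        _, dst_ext = _split(dst)
        if src_ext != dst_ext:
            buckets[(directory, dst_ext)].append(ts)
    alerts = []
    for (directory, ext), stamps in buckets.items():
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((directory, ext, best))
    return sorted(alerts)


def distinct_destinations(events):
    """Number of distinct destination names. With only the dash count varying,
    every file beyond that number overwrites an earlier one, which is the
    recovery limit the write-up describes."""
    return len({dst for _, op, _, dst in events if op == "RENAME"})


if __name__ == "__main__":
    evs = build_sample_events()
    print("peak renames per second:", peak_renames_per_second(evs))
    print("sliding-window alerts:", detect_slow_rename_bursts(evs))
    print("distinct destination names:", distinct_destinations(evs))
```

The window length and threshold are tuning knobs; the point is that the detector keys on the shape of the activity (many files in one folder taking the same new extension) rather than on its speed, so pacing the loop does not help the sample.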

Once all the files are encrypted it displays the note below.

Part of the code has been taken from the open-source Ghack ransomware project, which is still available on GitHub.

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: MalAgent.H_16015 (Trojan)

This threat is also detected by SonicWALL Capture ATP.

CoronaVirus Ransomware

SonicWall Capture Labs Threat Research Team has observed a ransomware taking advantage of the Coronavirus fear. As the world battles the novel CoronaVirus and seeks more information about it, attackers are finding new ways to take advantage of the situation. This particular ransomware tells the user that CoronaVirus is here and that they must pay money to get rid of it.

Infection Cycle:

The ransomware does the following:

It encrypts and zips the files and renames them to coronaVi2022@protonmail.ch__<filename>.

It changes the drive name to CoronaVirus


It drops CoronaVirus.txt in each and every folder of the infected system.

It modifies the following registry keys:

It adds the following registry keys:

The malicious sample shows the following ransom message:

It waits for 20 minutes before it restarts the victim’s machine and displays another ransom note:

Taking a closer look at the ransomware sample, it is a 32-bit binary.

Disassembling the code shows that it modifies the BootExecute value and adds email and BTC wallet information.
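BootExecute is one of the few registry values that Windows runs before any service starts, which is why a ransomware touching it matters for recovery. Below is an added triage helper, not code from the write-up: it compares a BootExecute list against the stock autochk entry and can read the live value on Windows. The tampered list is a constructed sample and the extra program path in it is a placeholder, not an indicator taken from this sample.

```python
import sys

# Registry location of the value the write-up says this sample modifies.
# BootExecute is a REG_MULTI_SZ that the Session Manager runs at boot.
BOOTEXECUTE_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
BOOTEXECUTE_VALUE = "BootExecute"

# Stock content of the value on a clean Windows install (the autochk disk check).
EXPECTED_BOOTEXECUTE = ("autocheck autochk *",)


def unexpected_bootexecute_entries(entries):
    """Return every non-empty BootExecute entry that is not the stock autochk line.
    The comparison is case-insensitive and ignores surrounding whitespace."""
    expected = {e.lower() for e in EXPECTED_BOOTEXECUTE}
    return [e for e in entries if e.strip() and e.strip().lower() not in expected]


def triage(entries):
    """Summarise a BootExecute list as ('clean' | 'tampered', extra_entries)."""
    extra = unexpected_bootexecute_entries(entries)
    return ("tampered" if extra else "clean", extra)


def read_live_bootexecute():
    """Read the live value on Windows; returns None on other platforms so the
    pure functions above stay usable for offline triage of exported values."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BOOTEXECUTE_KEY) as key:
        value, value_type = winreg.QueryValueEx(key, BOOTEXECUTE_VALUE)
    if value_type != winreg.REG_MULTI_SZ:
        raise TypeError(f"BootExecute has unexpected registry type {value_type}")
    return list(value)


# Constructed samples. The second entry's path is a placeholder for illustration only.
SAMPLE_CLEAN = ["autocheck autochk *"]
SAMPLE_TAMPERED = ["autocheck autochk *", r"C:\Users\Public\placeholder_dropper.exe"]


if __name__ == "__main__":
    live = read_live_bootexecute()
    print("live value:", triage(live) if live is not None else "not running on Windows")
    print("constructed sample:", triage(SAMPLE_TAMPERED))
```

Any entry beyond the autochk line deserves a look; the same comparison can be run over registry hives exported from a suspect machine without booting it.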

IOC

3299f07bc0711b3587fe8a1c6bf3ee6bcbc14cb775f64b28a61d72ebcb8968d3

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: CoronaVirus.RSM_2
  • GAV: CoronaVirus.RSM

This threat is also detected by SonicWALL Capture ATP.

Malware families coverage: Misusing Coronavirus disease [COVID-19] scare

While the world is suffering from the Coronavirus disease (COVID-19) pandemic, malware authors are not missing their chance to take advantage of the pandemic scare, making the situation worse for people. The SonicWall Threats Research team first observed the corona scare being used by malware authors on February 4, 2020 and has been keeping an eye on the campaign since. We observed that the COVID-19 scare is not used by only one malware family; multiple malware families are using it to get onto victims’ machines. The malware authors mostly distribute the malware files as email attachments presented as COVID-19 related documents. We have listed the malware families which have been misusing the COVID-19 scare since January 2020.

 

GOZ InfoStealer:

The GOZ InfoStealer is known for stealing user data from installed applications, along with victim’s system information, which is then sent to the threat actor over Simple Mail Transfer Protocol.

SHA256 | Archive Name | Executable Name | Date
faa7e2cbf2174401e13e18eaf50e43268db358a05d38c7c4bdbd9968e7f91221 | CoronaVirus_Safety_Measures.rar | CoronaVirus_Safety_Measures.exe | 5-Feb-2020
cf8ff986bb8b64d1f310ea6c3bb42aee2d2ca25478dfcfca55764880129ca8a2 | FYR_COVID-19.CAB | COVID-19.exe | 13-Mar-2020
6bd5f8e80baeec88c836e465f39f779f4f638d538511c0f5effd3c7043ddad16 | Coronavirus (COVID-2019) Safety Measures.gz | Coronavirus (COVID-2019) Safety Measures.exe | 16-Mar-2020
c172d41be2a7644dca00fac50821d7f783eddc662c4f2409a60ce193fb6fb72d | Coronavirus (COVID-2019) Safety Measures(2).7z | Coronavirus (COVID-2019) Safety Measures(2).exe | 16-Mar-2020
05da803235e16b1e372d722956b1626cc52b6947af53063259a4ef58ab8bb8c9 | COMUNICAT AGC COVID-19.tar | COMUNICAT AGC COVID-19.exe | 17-Mar-2020
07279fec6937f9a4bdc913fc59c41f66fe30e9b575e999bad5ff5d03697218cc | 2020-03-17 COVID-19 Client Communication_VA.pdf.gz | 2020-03-17 COVID-19 Client Communication_VA.pdf.exe | 17-Mar-2020
2d0b6f68767b4a71950fa19852bf10c78ea5de5b79552e2b0cfad217358df9cd | dpcm 17-3-2020- COVID-19_pdf.rar | dpcm 17-3-2020- COVID-19_pdf.exe | 17-Mar-2020
4b6e683ba34dfbd3d07ff18667cfaed341357d8839d10749bef31c05288a5690 | 2020-03-17 COVID-19 Client Communication_VF.pdf.gz | 2020-03-17 COVID-19 Client Communication_VF.pdf.exe | 17-Mar-2020
c89f28698c375ff47ac444eb912bd51cdedc28a934bcd5b83fbea3770e68e5fc | Covid-19_Precaution.rar | Covid-19_Precaution.exe | 17-Mar-2020
ca70837758e2d70a91fae20396dfd80f93597d4e606758a02642ac784324eee6 |  |  | 17-Mar-2020
e52d171b0a4b6a14374ac9d53c5950815b5a0cc5ad0f479ba044621b6a86d5c7 | W.H.O CUSTOMER ADVISORY COVID19.ace | W.H.O CUSTOMER ADVISORY COVID19 | 17-Mar-2020
0fdd79e3372701bf0f9c3e8ba30d72444000787993a7815764bc2b5693eebd40 | COVID- 19.tar | COVID- 19.exe | 18-Mar-2020
2c464648ff97fd39dab054d0c3e1bd249e244fcc975b697e312796669c7763f1 | NA | Covid 19 Immunity Tips.exe | 18-Mar-2020
15e029c3834435150c76741e714540fcb799662db8cc2c61ba4ef192a781727b | Greek | Greek | 18-Mar-2020
43670ae43df9e361fa15f09f611da32db104ee207ed5af3e7e7f098ad82a68e0 | COVID-19 WHO RECOMENDED V.gz | COVID-19 WHO RECOMENDED V.exe | 18-Mar-2020
56552bdb4519ca608e20f4dde940a92353b5cde990cc93ad6e739602e0f09b7a | #0302019 ITEMS SPECIFICATION.tar | Solution_to_coronavirus.exe | 18-Mar-2020
b90ace49508a1cd157cb8885656dcef062d69cf9e9bc5dac87802487b21ddf78 | CIRCULAR MEDIDAS EXTRAORDINARIAS CORONAVIRUS.tar | CIRCULAR MEDIDAS EXTRAORDINARIAS CORONAVIRUS.exe | 19-Mar-2020
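Every lure in the list above is an archive carrying an executable whose name imitates a document, and several use a double extension such as .pdf.exe. Those traits can be checked at the mail gateway before any signature exists. The following is an added example, not SonicWall's code: it builds a constructed zip in memory (zip rather than the rar/gz/7z/tar formats listed, because Python's standard library can read it without extra dependencies), whose "executable" is only an MZ header followed by zeros, and scans each member for an executable extension, a document-looking double extension, a PE header regardless of extension, and pandemic-themed wording in the name.

```python
import io
import re
import zipfile

# Extensions Windows will run directly, and the document extensions lures borrow.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Wording seen across the lure names in the table; tune to the campaign being tracked.
LURE_WORDS = re.compile(r"covid|corona|\bwho\b|safety measures|advisory", re.I)


def classify_member(name, head):
    """Return the list of reasons an archive member looks like a lure.
    `head` is the member's first bytes, used for the PE magic check."""
    base = name.rsplit("/", 1)[-1].lower()
    pieces = base.split(".")
    exts = ["." + p for p in pieces[1:]]
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension " + exts[-1])
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append("document-looking double extension " + exts[-2] + exts[-1])
    if head.startswith(b"MZ"):
        reasons.append("PE (MZ) header")
    if LURE_WORDS.search(base):
        reasons.append("pandemic-themed lure name")
    return reasons


def scan_archive(data):
    """Scan zip bytes and return {member_name: [reasons]} for suspicious members only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed attachment: a lure-named 'executable' (MZ header plus zeros, no
    real code) next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("2020-03-17 COVID-19 Client Communication_VA.pdf.exe", b"MZ" + b"\0" * 62)
        zf.writestr("notes.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_archive(build_sample_archive()).items():
        print(member, "->", ", ".join(reasons))
```

The MZ check is what catches the rows above whose executable carries no .exe at all (the "W.H.O CUSTOMER ADVISORY COVID19" entry); the double-extension check catches the "pdf.exe" rows even when the file is delivered under a new name.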

 

Remcos RAT:

REMCOS was designed as a Remote Control and Surveillance tool for legitimate purposes, but it has been used by malware authors for a few years. The malware gathers and sends the victim’s system information to its Command and Control (C&C) server and is also capable of performing the tasks below:

  • Screen Capture
  • Remote CommandLine
  • Remote Registry Editor
  • Download, Upload and Execute files
  • Login cleaner

SHA256 | Archive Name | Executable Name | Date
d3cfdfed59ecbe333cc589d88151565721ad55c9ef5542c680fb5077d411386c | CORONA VIRUS 1.uue | CORONA VIRUS 1.exe | 19-Feb-2020

 

NanoCore RAT:

NanoCore Remote Access Trojan (RAT) is known for spying and stealing victim’s machine information:

SHA256 | Archive Name | Executable Name | Date
87befa6cb254eee8f9d45671d8dbb015fbd8b04230fd590f084bcd26242930c8 | CORONA VIRUS 2.uue | CORONA VIRUS 2.exe | 19-Feb-2020

After looking into the delivery patterns and the agent files involved in executing Remcos and NanoCore on the victim’s machine, we can say the two malware families are somehow linked to each other.

 

NetWire RAT:

NetWire RAT enables access to the victim’s machine from a remote host:

SHA256 | Archive Name | Executable Name | Date
db5038d60d1f0ee2f57fe0b3ee12f80ff10a90e088bd3316632036f4238823bf | UNICEF COVID-19 APP.arj | UNICEF COVID-19 APP.exe | 16-Mar-2020

 

HawkEye RebornX:

HawkEye has been active in the wild for the last few years. It has the features below:

  • Key-logging
  • Password stealing
  • Screen capture
  • Clipboard

SHA256 | Archive Name | Executable Name | Date
f3eac3b0b250ae5da352a6d1358e9729e79af9549bc04f53d83283b5b07679fd | Coronavirus Disease (COVID-19) CURE.rar | Coronavirus Disease (COVID-19) CURE.exe | 19-Mar-2020
d4bf55a016c9d5bf28b4945c682e5f998efddbffe5578600a070da12eb985d78 | Coronavirus Disease (COVID-19) CURE.rar | Coronavirus Disease (COVID-19) CURE.exe | 19-Mar-2020

 

Unclassified InfoStealer:

This InfoStealer’s behavior is very similar to GOZ InfoStealer; it steals user data from installed applications and the clipboard:

SHA256 | Archive Name | Executable Name | Date
9df044870a8aaae7c5d11307f3bfb15887e5836a4e9cb5b6962cfddd7f8f7396 | Document Arrival COVID-19 Detection.zip | Document Arrival COVID-19 Detection.zip | 17-Mar-2020

 

Evidence of the detection by the RTDMI™ engine for each malware family can be seen below in the Capture ATP reports:

GOZ InfoStealer

Remcos RAT

NanoCore RAT

NetWire RAT

HawkEye Reborn

How to Protect Your Business During a Global Health Crisis

While governments and healthcare organizations work to contain and stop the spread of the novel coronavirus pandemic (COVID-19), businesses are working to keep employees safe and operations running. Consider these best practices when challenged by disaster or unforeseen circumstances.

Expand your remote workforce, securely

Organizations, businesses and enterprises are protecting their workforce and allowing employees to work remotely. Increasingly, this is becoming a mandated policy and potentially the sign of a new remote future.

Precautions like these, however, are causing unexpected increases in mobile and ‘work-from-home’ employees; many organizations don’t have enough virtual private network (VPN) licenses to accommodate the increase in users. This is a serious risk, as employees will either not have access to business resources or, worse, they will access them via non-secure connections.

For this reason, security-conscious organizations should have a scalable secure mobile or remote access solution in place (e.g., VPN) that can accommodate an influx of users (and the respective license requirements).

Review your business continuity plan

Disaster strikes in all forms. Whether malicious cyberattacks, inclement weather, power outages or pandemic, organizations should have built-in scenarios that help ensure business continuity in the face of uncertainty.

Organizations, SMBs and enterprises are encouraged to review their business continuity plans on a yearly basis. This should account for everything from communication channels, leadership, infrastructure and technology onwards. Reference SonicWall’s ‘5 Core Practices to Ensure Business Continuity’ as a helpful primer.

Defend against fear-based cyberattacks

Cybercriminals know how to successfully capitalize on trends, fears and human behavior. And the coronavirus outbreak is a prime opportunity for them to launch fear-based phishing campaigns, mobile malware, social-engineering attacks and more.

A range of phishing attacks were launched to take advantage of coronavirus fears, including phishing emails appearing to come from the World Health Organization. Organizations should ensure they have strong email security in place to mitigate aggressive phishing attacks.

In cases where phishing links are clicked by employees, staff, partners and contractors, cloud application security, Office 365 security and advanced endpoint protection solutions are required to mitigate malware from compromising networks or stealing credentials.

Protect your many endpoints

The new normal has waves of remote employees roaming outside the safety of the network perimeter. In some cases, this is a new experience and they may behave in the same manner as if they were protected by network security controls.

Organizations need to be prepared for an influx of attacks impacting endpoints. A single employee — either working remotely or bored from mandated quarantine — could click a phishing link that could lock data via ransomware, steal credentials or gain access to the corporate network.

A sound security strategy for remote workforces always includes proactive endpoint protection (or next-generation antivirus) that mitigates attacks before, during and after they execute. More advanced approaches include automated rollback to return infected Windows PCs to a previously clean state.


Work-from-Home VPN Solutions for Remote Workforces

To help organizations cost-effectively implement VPN technology for their rapidly expanding work-from-home employees, SonicWall is making its remote access products and services available to both new and existing customers via deeply discounted rates. We’re also bundling critical security solutions for new enterprise and SMB customers.

This special offer provides free Secure Mobile Access (SMA) virtual appliances sized for enterprises and SMBs, and also includes aggressive discounts on Cloud App Security and Capture Client endpoint protection when paired with SMA.

These packages were bundled to include everything needed to protect employees outside the network:

  • Free Secure Mobile Access (SMA) virtual appliance
  • Aggressive discounts on Capture Client endpoint protection
  • Aggressive discounts on Cloud App Security
  • Aggressive discounts on support contracts and Remote Implementation Services when you bundle a virtual appliance
  • New 30- and 60-day VPN spike licenses for existing SMA 100 and 1000 series customers

Current State of CoronaVirus related threats

This blog entry contains a constantly updated list of CoronaVirus related threats covered by the SonicWall Capture Labs Threats Research team:

Android CoronaVirus Ransomware comes bundled with decryption code (March 23, 2020)

  • IOCs:
    • d1d417235616e4a05096319bb4875f57
  • GAV Signatures :
    • AndroidOS.Decrypt.RSM
    • AndroidOS.CoronaTracker.RSM

 

Found another Remote Access Trojan pretending to be Documentation on Covid19 Response and Preparedness (March 20, 2020)

  • GAV Signature:
    • Async.RAT

 

CoronaVirus Ransomware (March 19, 2020)

  • IOCs:
    • 3299f07bc0711b3587fe8a1c6bf3ee6bcbc14cb775f64b28a61d72ebcb8968d3
  • GAV Signatures :
    • CoronaVirus.RSM
    • CoronaVirus.RSM_2

 

Coronavirus, 8-layer, covid-19, azorult.rk (Mar 16, 2020)

  • IOCs:
    • 987fb7b6c5df647ab92525f083e1dc0f
  • GAV Signatures :
    • GAV: Azorult.RK (Trojan)

 

Misinformation related to CoronaVirus is being used to further propagate malicious android RAT (Mar 14, 2020)

  • IOCs:
    • 599db33d534d1e98ea63dd2ce30100a7
  • GAV Signatures :
    • AndroidOS.CoronaVirus.Spy (Trojan)

 

The Covid-19 hoax scareware (Mar 13, 2020)

  • GAV Signatures :
    • Scareware.CoVid_A (Trojan)

 

CoronaVirus themed Android RAT on the prowl (Feb 26, 2020)

  • IOCs:
    • b8328a55e1c340c1b4c7ca622ad79649
    • ba6f86b43c9d0a34cfaac67f933146d6
  • GAV Signatures :
    • AndroidOS.CoronaVirus.Spy (Trojan)

 

Threat actors are misusing CoronaVirus scare to spread malicious executable (Feb 5, 2020)

  • IOCs:
    • 4d30ea0082881d85ff865140b284ec3f

 

Google Sites are being abused by Grandoreiro banking trojan to host its C&C server address

The SonicWall RTDMI™ engine has recently detected a VBScript file inside an archive that downloads and executes the Grandoreiro banking trojan on the victim’s machine. The archive file is delivered to the victim’s machine as an email attachment named “Prueba_de_actividad{random_number}.zip”. The Grandoreiro banking trojan is widely active in Latin America and Europe.

The VBScript file is obfuscated: it decrypts the Pastebin URL “h[t][t]ps://pastebin.com/raw/QNaKaC7p” by adding 11 to each character of the encrypted string, then downloads and executes a second-layer VBScript file from it:

 

Second Layer VBScript:

This VBScript is intended to run on the victim’s machine only once. To achieve that, the VBScript creates a folder labeled “%APPDATA%\OLEDAT”; if the folder already exists on the victim’s machine, the VBScript terminates. A Base64-encoded binary file is downloaded from the URL “h[t][t]p://84.247.51.66:1942/maulostapac1.iso”, decoded into an archive file and saved as “%APPDATA%\nvrealone\A99449C3092CE70964CE715CF7BB75B.zip”.

The files inside the archive are extracted into “%APPDATA%\nvrealone” and the archive file is deleted. The VBScript iterates over the files inside “%APPDATA%\nvrealone” and executes those with the extension “exe” or “EXE”; in the current scenario only one file, “mrgunbounds.exe”, is extracted from the archive into “%APPDATA%\nvrealone” and executed by the VBScript:

 

Persistence:

The malware ensures its execution at system start by adding registry entries under “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”:

 

Downloading Component Files:

The malware downloads its component file from the URL “h[t][t]p://13.68.173.170/losttarcte.zip” and decrypts the file content by XORing each byte with 0xFF. It extracts a portable executable file from the decrypted archive into “AppData\Local\FACEBOOK\ISBBTtoolks.exe” and executes it:
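The three wrappers in this chain (a per-character offset of 11 on the stage-2 URL, a Base64 text blob that decodes to a zip, and a zip XORed with 0xFF) are each trivial to reverse once recognised, which is what an analyst wants when handling the next sample of the family. The following is an added example, not code from the write-up or from the malware: it implements the three reversals and exercises them on constructed data. The stage-2 URL below is a placeholder, not the Pastebin link named above, and the "executable" inside the constructed zip is only an MZ header followed by zeros.

```python
import base64
import io
import zipfile

SHIFT = 11  # the per-character offset used on the first-stage URL


def shift_decode(text, shift=SHIFT):
    """Reverse the 'add 11 to every character' obfuscation by subtracting the shift."""
    return "".join(chr(ord(ch) - shift) for ch in text)


def shift_encode(text, shift=SHIFT):
    """Forward transform, used here only to construct sample data."""
    return "".join(chr(ord(ch) + shift) for ch in text)


def recover_archive(blob, base64_wrapped=False, xor_key=None):
    """Strip the wrappers seen in this chain (optional Base64 text, optional
    single-byte XOR) and, when the result is a zip archive, list its members.
    Returns (raw_bytes, member_names_or_None)."""
    data = base64.b64decode(blob) if base64_wrapped else bytes(blob)
    if xor_key is not None:
        data = bytes(b ^ xor_key for b in data)
    if data[:4] != b"PK\x03\x04":  # zip local-file-header signature
        return data, None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return data, zf.namelist()


# Constructed samples. The URL is a placeholder, not the Pastebin link from the write-up.
SAMPLE_STAGE2_URL = "https://example.invalid/stage2.vbs"
OBFUSCATED_URL = shift_encode(SAMPLE_STAGE2_URL)


def build_sample_zip():
    """In-memory zip holding a placeholder executable (an MZ header, no real code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder_component.exe", b"MZ" + b"\0" * 62)
    return buf.getvalue()


def build_sample_iso_text():
    """Mimic the second download: a Base64 text blob that decodes to the zip."""
    return base64.b64encode(build_sample_zip()).decode()


def build_sample_component():
    """Mimic the third download: the zip XORed with 0xFF."""
    return bytes(b ^ 0xFF for b in build_sample_zip())


if __name__ == "__main__":
    print("stage-2 URL:", shift_decode(OBFUSCATED_URL))
    print("iso members:", recover_archive(build_sample_iso_text(), base64_wrapped=True)[1])
    print("zip members:", recover_archive(build_sample_component(), xor_key=0xFF)[1])
```

XOR with a single byte is its own inverse, so the same call both hides and recovers the archive; checking for the PK signature after unwrapping is the quickest way to confirm the key guess was right.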

 

Abusing Google Sites:

Google Sites is a structured wiki and web page creation tool offered by Google that lets its users share the created site for public access. The malware abuses Google Sites to host its Command and Control (C&C) server address:

 

The malware retrieves the C&C address by requesting the URL “h[t][t]ps://sites.google.com/view/henriquehjki3nf8” with the User-Agent set to “h55u4u4u5u5ii5”:
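Hosting the C&C address on Google Sites (and the stage-2 script on Pastebin) means the destination itself cannot be blocked, but the request still stands out: a legitimate visit to those services comes from a browser, whereas this one carries a bare token as its User-Agent. The following is an added example, not code from the write-up: it parses a constructed proxy log and flags requests to those two hosts whose User-Agent does not start with a known client prefix. The list of known prefixes is an assumption to be extended with what an estate actually uses, and the Google Sites path in the log is a placeholder rather than the one named above.

```python
import re
from collections import Counter, namedtuple

# Legitimate services this chain uses as dead-drop resolvers (both named in the write-up).
DEAD_DROP_HOSTS = {"sites.google.com", "pastebin.com"}

# Assumed prefixes of clients that normally reach those hosts; tune per estate.
KNOWN_UA_PREFIXES = ("Mozilla/", "Microsoft", "Windows-Update-Agent", "curl/", "Google-")

# Constructed proxy log: timestamp, client IP, method, URL, quoted User-Agent.
SAMPLE_PROXY_LOG = """\
2020-03-20T10:01:02Z 10.0.0.5 GET https://sites.google.com/view/placeholder-page "h55u4u4u5u5ii5"
2020-03-20T10:01:09Z 10.0.0.9 GET https://sites.google.com/view/team-wiki "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/74.0"
2020-03-20T10:02:41Z 10.0.0.5 GET https://pastebin.com/raw/PLACEHOLDER "h55u4u4u5u5ii5"
2020-03-20T10:03:00Z 10.0.0.7 GET https://www.example.com/index.html "h55u4u4u5u5ii5"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
Hit = namedtuple("Hit", "time client host user_agent")


def host_of(url):
    """Lower-case host part of an absolute URL, or '' if it cannot be parsed."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def find_dead_drop_lookups(log_text):
    """Return Hit records for requests to a dead-drop host whose User-Agent is not
    one of the known client prefixes."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, client, _method, url, ua = m.groups()
        host = host_of(url)
        if host in DEAD_DROP_HOSTS and not ua.startswith(KNOWN_UA_PREFIXES):
            hits.append(Hit(ts, client, host, ua))
    return hits


def clients_by_hit_count(hits):
    """Clients ranked by how many dead-drop lookups they made, most first."""
    return Counter(h.client for h in hits).most_common()


if __name__ == "__main__":
    for hit in find_dead_drop_lookups(SAMPLE_PROXY_LOG):
        print(hit)
    print(clients_by_hit_count(find_dead_drop_lookups(SAMPLE_PROXY_LOG)))
```

The same client hitting both resolvers within minutes is the stronger signal; a single odd User-Agent on its own is worth a look but can also be an unusual internal tool.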

 

C&C Communication:

The malware collects information about the victim’s machine, such as the PC name, MAC address, installation directory, operating system (OS) information, OS architecture and bot version, and sends it to its C&C server. The current bot version is “Henrique”:

 

The malware retrieves the list of machines currently connected to the botnet. The list also carries country information, such as ESPANHA (Spain) and PORTUGUAL, for some of the connected machines:

 

The archive file is not available on any of the popular threat intelligence sharing portals such as VirusTotal and ReversingLabs, which indicates its uniqueness and limited distribution:

 

Evidence of the detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

Coronavirus, 8-Layer, COVID-19, Azorult.RK

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity in March for the “Corona-virus” binary below. Malware authors have taken advantage of the public’s desire for information on the COVID-19 pandemic since it was first identified in December 2019. Most of the world is currently in self-isolation, so people are under emotional distress and searching for news about this new pandemic. This includes installing new applications and/or clicking on hyperlinks they would not normally click on during this frightening and hair-raising time.

Just like the Corona-virus, this piece of malware has many layers. People often forget how many layers security researchers have to grind through, so today the light shines into the darkness below:

Samples: 1st Layer, Static Information:

Looking at the first layer in CFF Explorer, checking for corruption. The first layer is a Native Win32 binary.

Command-line static information:

Main starting routine and flowchart:

Static Resources:

Static Strings:

Compiler Information: Embarcadero Delphi for Win32 compiler version 33.0 (26.0.32429.4364)

Samples: 1st layer, Dynamic Information:

Starting Second Stage, by CreateProcessW:

Samples: 2nd Layer, Static Information:

Looking at the second layer in CFF Explorer, checking for corruption. The second layer is a Native Win32 binary.

Second layer, Command-line static information:

Second layer, Main starting routine and flowchart:

Static Resources, Binary 1 Found:

Static Resources, Binary 2 Found:

Samples: 3rd Layer, Static Information:

Looking at the third layer in CFF Explorer, checking for corruption. The third layer is a Native Win32 binary.

Third layer, Command-line static information:

Third layer, Main starting routine and flowchart:

Third layer, Static Resources:

Samples: 4th Layer, Static Information:

Looking at the fourth layer in CFF Explorer, checking for corruption. The fourth layer is a Native Win32 binary.

Fourth layer, Command-line static information:

Fourth layer, Main starting routine and flowchart:

Fourth layer, Static Resources:

Samples: 5th Layer, Static Information:

Extracting the WinRAR SFX:

Batch File:

The -p parameter stands for the password and the -d parameter for the extraction directory.

Looking at the fifth layer in CFF Explorer, checking for corruption. The fifth layer is a Native Win32 binary.

Fifth layer, Command-line static information:

Extracting:

Using the password above, we obtain a new layer, layer 6:

Samples: 6th Layer, Static Information:

Looking at the sixth layer in CFF Explorer, checking for corruption. The sixth layer is a Native Win32 binary.

Sixth layer, Command-line static information:

Sixth layer, Main starting routine and flowchart:

Sixth layer, Static Resources:

Samples: 7th Layer, Static Information:

Looking at the seventh layer in CFF Explorer, checking for corruption. The seventh layer is a Native Win32 binary.

Seventh layer, Command-line static information:

Seventh layer, Main starting routine:

Seventh layer, Static Resources:

Samples: 7th Layer, Dynamic Malware Analysis

We start to see light emerge from the darkness in the seventh layer: a request is being crafted:

Let’s trap the request (POST REQUEST):

(POST RESPONSE):

We can see the same requests in Procmon:

What is sent is overall statistics and metrics about every piece of hardware physically installed in the machine, along with usernames, hostnames and much more. This is all done via the cookie below, which is encrypted and compressed:

Samples: 8th Layer, Static Information:

Looking at the eighth layer in CFF Explorer, checking for corruption. The eighth layer is a Native Win32 binary.

Eighth layer, Command-line static information:

Eighth layer, Main starting routine:

Eighth layer, Static Resources:

Samples: 8th Layer, Dynamic Information:

GUI of 8th Layer:

Network Connections:

Click the picture below, to see the Remote Addresses:

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

Summary:

As you can see above, malware today uses many layers. I could have added even more layers; in total there are close to 12 layers in this piece of malware. Unfortunately, for the standard user there is no way to tell how many layers are involved when clicking install on a favorite application. You have to trust the designer of the installer, and malware authors abuse this trust, as shown above.

SonicWall, (GAV) Gateway Anti-Virus, provides protection against this threat:

  • GAV: Azorult.RK

Appendix

Sample Hash: f850f746f1a5f52d3de1cbbc510b578899fc8f9db17df7b30e1f9967beb0cf71

Misinformation related to CoronaVirus is being used to further propagate malicious Android RAT

SonicWall Threats Research Team recently blogged about an Android RAT that uses the CoronaVirus name in an attempt to lure victims. We found a website that currently serves (at the time of writing this blog) an Android RAT belonging to the same family.

Propagation Mechanism

The attackers have created a website that spreads misinformation about CoronaVirus. They aim to attract new victims via download links on these websites.

We found two versions of this website, one in English and another in Turkish, which serve the apk named corona.apk when the Google Play image is clicked:

  • English version: hxxps://coronaviruscovid19-information.com/en/

 

  • Turkish version: hxxps://coronaviruscovid19-information.com/tr/

 

Whois details reveal that the website was hosted recently:

The website has already been marked malicious on VirusTotal:

 

Sample analysis and details

A more thorough analysis of this type of sample was given in our previous blog. A few highlights of the infection cycle for this type of sample are listed below.

Sample details:

  • Package Name: cpymezxmapzsdforaduuda.illoyztchthogekxpd.fojccdfkzahlhfmcaeowdalsjp
  • App Name: Google Play
  • MD5: 599db33d534d1e98ea63dd2ce30100a7

The sample gets installed under the name “Google Play”. Upon installation and execution the sample requests Accessibility services:

 

Upon downloading the apk file and examining the code, we see a structure similar to the one outlined in the previous blog. As shown below, the class files referenced in the Manifest.xml file are not present in the code, which means they are loaded at runtime:

 

When the sample executes, a .json file is dropped on the system which is actually a dex file; in this case the name of the file is Tp:

On loading this .dex file we finally see the class files and the code.
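The dropped "json" file is recognisable as dex from its first bytes no matter what it is called, so a simple magic-versus-extension check finds it in a device or sandbox file dump. The following is an added example, not code from the write-up: it inspects a constructed mapping of paths to leading bytes and reports files whose extension suggests plain data while the content is dex, zip/apk or ELF. The package directory and the file name "Tp.json" are assumptions for illustration (the write-up gives only the name Tp).

```python
# Extensions that should hold plain data, never executable code.
TEXT_LIKE_EXTS = {".json", ".txt", ".xml", ".html", ".log", ".db"}


def detect_format(head):
    """Classify a file from its leading bytes. Dex files start with "dex\\n", a
    three-digit version and a NUL; zip (also apk/jar) with PK\\x03\\x04; ELF with \\x7fELF."""
    if head[:4] == b"dex\n" and len(head) >= 8 and head[7:8] == b"\0":
        return "dex"
    if head[:4] == b"PK\x03\x04":
        return "zip"
    if head[:4] == b"\x7fELF":
        return "elf"
    return "other"


def _extension(path):
    name = path.rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def find_disguised_code(files):
    """files: mapping of path -> first bytes. Return sorted (path, format) pairs for
    files whose extension looks like data but whose magic says executable code."""
    out = []
    for path, head in files.items():
        fmt = detect_format(head)
        if _extension(path) in TEXT_LIKE_EXTS and fmt != "other":
            out.append((path, fmt))
    return sorted(out)


# Constructed file dump; package name and file names are placeholders.
SAMPLE_FILES = {
    "/data/data/placeholder.pkg/files/Tp.json": b"dex\n035\0" + b"\0" * 24,
    "/data/data/placeholder.pkg/files/config.json": b'{"interval": 60}',
    "/data/data/placeholder.pkg/files/payload.txt": b"PK\x03\x04" + b"\0" * 26,
    "/data/data/placeholder.pkg/lib/libnative.so": b"\x7fELF" + b"\0" * 12,
}


if __name__ == "__main__":
    for path, fmt in find_disguised_code(SAMPLE_FILES):
        print(f"{path}: extension says data, content is {fmt}")
```

The native library is not reported because an ELF under .so is expected; the check is for the mismatch, not for the presence of code.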

 

Capabilities

As stated in the previous blog, this sample is an Android RAT and can perform a number of malicious operations; a few of these functions include:

  • Get information about the device
  • Get a list of apps installed
  • Allow remote control of the device via teamviewer
  • Steal Gmail password, lock pattern
  • Keylogger
  • Upload files
  • Steal SMS messages, contacts
  • Disable Play Protect

 

Interesting Observation

Inspection of the source revealed something interesting. We observed a comment that states: Copied from http://turkcell20gb.com/tr/ by Cyotek WebCopy сентября 2019 (September 2019):

 

There is a lot of misinformation and panic surrounding CoronaVirus. We would like to re-iterate that there are no mobile apps that can track CoronaVirus infections or point to a vaccine. Please exercise caution when absorbing any information related to CoronaVirus.

 

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • AndroidOS.CoronaVirus.Spy (Trojan)

 

Update – March 23,2020

We have consolidated the detection into a single signature instead of the two signatures listed earlier. The new signature is GAV: AndroidOS.CoronaVirus.Spy

The Covid-19 Hoax Scareware

SonicWall Capture Labs Threat Research Team observed another malware taking advantage of the COVID-19 (Coronavirus) fear. We have already highlighted in our blogs malware that uses the Covid-19 name to spread.

The sample pretends to be ransomware by displaying the ransom note shown below, though in reality it does not encrypt any files.

Upon execution, it adds a run entry for persistence.

To scare the victim, a number of security warning messages are displayed as shown below:

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: Scareware.CoVid_A (Trojan)

This threat is also detected by SonicWALL Capture ATP.

Legion Ransomware variant, King Ouroboros charges $3000 for file recovery

The SonicWall Capture Labs Threat Research Team has been observing a family of ransomware called Ouroboros. The malware became prominent around late 2019 and has undergone various transformations over the last few months. It is based on Legion ransomware, which originates from Russia. The operators are still active via email and the malware’s infection reporting server is still online.

Infection Cycle:

Upon infection, files on the system are encrypted and the following message is displayed on the desktop:

 

Encrypted files are given the following file name extension:

.Email=[josefrendal797@gmail.com]ID=[QMXJ6PHG02ILSKF].odveta

 

The presence of the following string in the binary confirms that this variant of the malware is based on Legion:

C:\Users\LEGION\Desktop\New folder\rijndael_simd.cpp

 

The malware obtains the public IP address of the infected machine:

 

The infection is reported to the malware operators:

 

The above request yields the following response:

 

The following commands are executed to stop running database services, disable boot recovery and the backup catalog, and turn off the firewall:

net stop "SQLWriter"
net stop "SQLBrowser"
net stop "MSSQLSERVER"
net stop "MSSQL$CONTOSO1"
net stop "MSDTC"
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
net stop "SQLSERVERAGENT"
net stop "MSSQLSERVER"
net stop "vds"
netsh advfirewall set currentprofile state off
netsh firewall set opmode mode=disable
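The command list above is a compact pre-encryption checklist: stop database services so their files are not locked, disable boot recovery, delete the backup catalog, switch off the firewall. Each command alone is something an administrator might run; several of them from one parent process in quick succession is not. The following is an added example, not SonicWall's code: it classifies process command lines from a constructed process-creation log (the malicious session reuses the commands listed above under an assumed parent PID, beside a benign admin session) and alerts on any parent whose children cover three or more of the four tactics.

```python
import re
from collections import defaultdict

# Each rule: (tactic label, pattern over the full command line).
RULES = [
    ("boot-recovery-tampering",
     re.compile(r"\bbcdedit\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup-catalog-deletion",
     re.compile(r"\bwbadmin\b.*\bdelete\s+catalog\b", re.I)),
    ("firewall-disable",
     re.compile(r"\bnetsh\b.*(\bstate\s+off\b|mode=disable\b)", re.I)),
    ("database-or-storage-service-stop",
     re.compile(r"\bnet\s+stop\s+\"?(SQL|MSSQL|MSDTC|vds)", re.I)),
]


def classify_command(cmdline):
    """Return the tactic labels whose pattern matches this command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def score_parents(events, min_tactics=3):
    """events: iterable of (parent_pid, cmdline). Return {parent_pid: sorted tactics}
    for parents whose child commands cover at least `min_tactics` distinct tactics."""
    tactics = defaultdict(set)
    for ppid, cmd in events:
        for label in classify_command(cmd):
            tactics[ppid].add(label)
    return {ppid: sorted(t) for ppid, t in tactics.items() if len(t) >= min_tactics}


# Constructed process-creation log. Parent 4120 (an assumed PID) runs the command
# list from the write-up; parent 5000 is a benign administrative session.
RANSOMWARE_COMMANDS = [
    'net stop "SQLWriter"',
    'net stop "SQLBrowser"',
    'net stop "MSSQLSERVER"',
    'net stop "MSSQL$CONTOSO1"',
    'net stop "MSDTC"',
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "bcdedit /set {default} recoveryenabled no",
    "wbadmin delete catalog -quiet",
    'net stop "SQLSERVERAGENT"',
    'net stop "vds"',
    "netsh advfirewall set currentprofile state off",
    "netsh firewall set opmode mode=disable",
]
SAMPLE_EVENTS = [(4120, c) for c in RANSOMWARE_COMMANDS] + [
    (5000, 'net stop "Spooler"'),
    (5000, "netsh advfirewall show currentprofile"),
    (5000, "bcdedit /enum"),
]


if __name__ == "__main__":
    for ppid, tactics in score_parents(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: {', '.join(tactics)}")
```

A real deployment would key on parent process and a time window rather than parent PID alone, but the classification is the part that matters: "net stop" of a SQL service is noise, "net stop" of SQL plus "wbadmin delete catalog" plus "recoveryenabled no" from the same parent is a recovery-sabotage sequence.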

 

The following files are dropped onto the system:

  • %ProgramData%\info.txt
  • %ProgramData%\uiapp.exe [Detected as: GAV: Legion_RSM_2 (Trojan)]
  • %ProgramData%\Unlock-Files.txt (also copied to every directory containing encrypted files)

 

Unlock-Files.txt contains the following message:

 

We emailed the operators as instructed in the ransom message and had the following conversation with them via email:

 

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Ouroboros.RSM (Trojan)
  • GAV: Legion.RSM (Trojan)
  • GAV: Legion.RSM_2 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.