New Marsilia Ransomware Downloader Found
Overview
This week, the SonicWall Capture Labs threat research team analyzed a sample of Marsilia malware, also known as Mallox. This is a multi-stage sample: when functional, the first stage enumerates system information and creates persistence, and the second stage is then downloaded to perform data extraction and encryption for ransomware purposes.
Technical Analysis
The sample is detected as a .NET binary protected with SmartAssembly, although the main parts of the file's operations are still in plaintext.
Figure 1: Sample detection
Figure 2: Plaintext address in strings
Running de4dot to remove SmartAssembly changes very little in terms of function readability.
Figure 3: Before (red) and after (green) deobfuscation
During runtime, the malware will query the system volumes and install persistence using the following registry key:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Language, locale, and security (WMI) registry keys are enumerated, and application logs are searched for virtual-environment strings. During testing, most of these keys were not present on the target system. The application sets its threads in memory with write watch and enables debug mode to check for analysis tools. It can also sleep for extensive periods as an evasion technique.
Figure 4: Sample enumerating languages and locales
Figure 5: Using WMI to enumerate system applications and devices
Figure 6: Time to sleep after sustained connection failure, in seconds
During testing, the sample bound itself to ports 49729 – 49970 and reached out to the following address:
- https://transfer[.]sh/get/LCRJGyiNOh/Muyjskpj.mp4
A connection is established, and the malware attempts to reconnect constantly. At the time of writing, this page results in a 403/Not Found and does not download a payload.
Figure 7: Active connection established
Figure 8: Sample attempts a connection multiple times per second
Figure 9: Directly going to the page leads to a ‘Not Found’ page
However, when the sample is not running, the connection is actively refused. This indicates that the 'Not Found' page is likely served deliberately rather than being a genuine 403/Not Found response. OSINT research shows that the IP has been used with a variety of other malware families, including AgentTesla, XMRig, AveMaria and others.
SonicWall Protections
SonicWall Capture Labs provides protection against this threat via the following signature:
- MalAgent.Marsilia
IOCs
- 36ed94fb9f8ef3f5cbf8494ff6400d0be353ae7c223ed209bd85d466d1ba1ff7
- http://transfer[.]sh/get/LCRJGyiNOh/Muyjskpj.mp4
- http://163.5.169[.]28/cmt.exe
- http://163.5.64[.]41/test.exe
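As an added, defender-side example that is not part of the SonicWall write-up, the following Python triage helper scores telemetry records against the indicators published above (the persistence registry key, the local port range observed during testing, the sample hash and the URL IoCs). The record schema, the scoring weights and the sample events are assumptions constructed for the example.

```python
import re

# Indicators quoted from this write-up (URLs kept in their defanged form).
PERSISTENCE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate"
SAMPLE_SHA256 = "36ed94fb9f8ef3f5cbf8494ff6400d0be353ae7c223ed209bd85d466d1ba1ff7"
IOC_URLS = ["http://transfer[.]sh/get/LCRJGyiNOh/Muyjskpj.mp4",
            "http://163.5.169[.]28/cmt.exe", "http://163.5.64[.]41/test.exe"]
LOCAL_PORTS = (49729, 49970)  # local port range the sample bound during testing

def refang(indicator: str) -> str:
    """Undo the '[.]' defanging used in the IoC list so values can be compared."""
    return indicator.replace("[.]", ".")

def ioc_hosts() -> set:
    """Host component of every URL IoC, e.g. 'transfer.sh' or '163.5.169.28'."""
    return {re.match(r"https?://([^/]+)", refang(u)).group(1).lower() for u in IOC_URLS}

def score_event(event: dict) -> tuple:
    """Score one record (assumed schema: 'type' plus the fields read below)."""
    kind = event.get("type")
    if kind == "file" and event.get("sha256", "").lower() == SAMPLE_SHA256:
        return 5, "sha256 matches the analyzed Marsilia sample"
    if kind == "registry" and event.get("key", "").lower() == PERSISTENCE_KEY.lower():
        # Windows' own root-certificate auto-update also writes this key, so a
        # write here is weak evidence on its own; record the writing image.
        return 1, f"write to persistence key by {event.get('image', '?')}"
    if kind == "network":
        host = event.get("dst_host", "").lower()
        in_range = LOCAL_PORTS[0] <= event.get("src_port", 0) <= LOCAL_PORTS[1]
        if host in ioc_hosts():
            return 3 + (1 if in_range else 0), f"connection to IoC host {host}"
    return 0, ""

def triage(events: list) -> tuple:
    """Sum per-event scores and collect the non-zero reasons."""
    total, reasons = 0, []
    for ev in events:
        score, why = score_event(ev)
        if score:
            total += score
            reasons.append(why)
    return total, reasons

# Constructed sample telemetry, not captured from the real sample.
SAMPLE_EVENTS = [
    {"type": "registry", "key": PERSISTENCE_KEY, "image": r"C:\Users\Public\a.exe"},
    {"type": "network", "dst_host": "transfer.sh", "src_port": 49800},
    {"type": "network", "dst_host": "example.org", "src_port": 49800},
    {"type": "file", "sha256": SAMPLE_SHA256},
]
```

Run `triage(SAMPLE_EVENTS)` to see the combined score and the list of reasons; a registry write alone stays low-scoring, while a connection from the observed port range to an IoC host raises it.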