Payola ransomware operator demands remote access to PC
The Sonicwall threat research team have recently been tracking a new ransomware family called Payola. This family of ransomware appeared in late August 2023. It is written in .NET and is easy to analyze as it contains no obfuscation. Early variants would append ".Payola" to the names of encrypted files but the current variants use 5 random alphanumeric characters. During a direct conversation with the malware operator, remote access to our system was requested in order to retrieve files.
Infection Cycle:
The malware uses the following icon:
Upon execution, the following message is shown on the desktop background:
Files on the system are encrypted. Each encrypted file is given a 5 character alphanumeric extension appended to its name eg. image.jpg.PTebc.
The following registry entry is made:
- HKCU\Microsoft\Windows\CurrentVersion\Run Readme {run location}
A file named README.html is dropped into directories where files where encrypted. It contains the following message:
The code is written in .NET and is trivial to decompile. We can easily see its main function and the intended program flow:
The RSA public key and salt values can be seen:
The malware contains a list of programs that will be killed if running:
A list of targeted directories and file types are listed in the code:
We followed the instructions in the ransom note and got in touch with the operator. We had the following conversation via email where the operator demanded remote access to our system using Anydesk:
SonicWall Capture Labs provides protection against this threat via the following signature:
GAV: Payola.RSM (Trojan)
This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.
Figure 5: A known method of obfuscation is using ‘call-push-ret’
Figure 13: The ASCII plaintext has a ‘hwid’ indicating the encoded system name
Figure 16: Each green arrow represents a decision tree where the program can terminate
Figure 17: Partial list of decoded commands
If the SOCKS5 server is delayed in its response, the curl state machine returns with the local resolver selected, but the next time the curl state machine is called, it has no knowledge of the hostname’s length. It now tries first to resolve the name using the remote resolver by building a protocol frame in a memory buffer assuming the name is less than 255 bytes and then copying the destination hostname to the too-small buffer. It\’s also important to consider the conditions which allow this code path to be taken. libcurl uses a variable named CURLOPT_BUFFERSIZE to determine how large to allocate the download buffer. By default, the curl tool sets CURLOPT_BUFFERSIZE to 100kB and is therefore not vulnerable. An overflow is only possible in applications that do not set CURLOPT_BUFFERSIZE or set it smaller than 65541. 
Running the same setup with the addition of GDB monitoring curl, it is possible to see the backtrace and exact vulnerability conditions. This highlights that the vulnerability exists within the resolvers. 
A segmentation fault occurs when the contents of register $RDI are attempted to be resolved as a pointer. Consider the disassembly from GDB below at the point of the segmentation fault: 
By inspecting the value of $RDI, it is possible to see the heap buffer overflow has caused the register to be overwritten. 
is a command injection attempt that tries to establish a reverse shell connection to the IP address on port 4444. If successful, it would open a shell on the target machine and potentially give the attacker control over it.