This week, the Sonicwall Capture Labs Research team analyzed the latest Snatch ransomware. Snatch operates as a ransomware-as-a-service (RaaS), a business model where the malware authors lease out the ransomware program to affiliates who then launch the attacks.

Infection Cycle:

The malware file  arrives as an executable  using a random name such as:

• rljybc.exe

This ransomware is written in Go language and is apparent in the many references to Go packages in its strings.

Upon execution it creates multiple copies of the same batch file into the %temp% directory:

Simultaneously it also writes a randomly named file with a .dll extension that appears to be a library file.

But upon careful inspection, it actually was a log file of its execution showing files it had accessed and created.

The batch file created is used to run commands to delete shadow copies and to disable certain services that are related to Antivirus, back up software, database, email among many others.

It appends “.lqepjhgjczo” extension to all files it encrypts and adds the ransomware note to every directory in the system.

The ransom note only lists email addresses on how to reach the malware authors and no amount of ransom is mentioned. Presumably, this amount may vary depending on their victim and how disruptive the attack would cost a business or an organization.

SonicWall Capture Labs provides protection against this threat via the following signature:

• GAV: Snatch.RSM_13  (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

The SonicWall Capture Labs threats research team has been tracking a recent family of ransomware called RZML.  This ransomware appeared in the wild over the last 7 days and appears to be a variant of the STOP/Djvu family.  The sample we analyzed is a dropper that downloads multiple modules.  In addition to encrypting files, which is standard practice for ransomware, it also steals files, clipboard and browser cookie data from the infected system.  File decryption costs $490 USD in bitcoin after a “50% discount”.  However, as we have seen with most ransomware today, exfiltrated files can be used later to apply additional pressure to pay up.

 

Infection Cycle:

 

Upon execution, the malware reports the infection to a C&C server which replies with a public key used for file encryption:

 

It also requests data on what file types to target for exfiltration:

 

It proceeds to download the ransomware module and names it build2.exe:

 

It downloads a clipboard grabber component and names it build3.exe:

 

It also downloads htdocs.zip which contains some utility dlls including an sqlite database module:

 

Files on the system are encrypted and given a .rzml extension.

 

The following files are added to the filesystem:

• %USERPROFILE%\AppData\Roaming\Microsoft\Network\mstsca.exe [Detected as: GAV: ClipBanker.RSM (Trojan)]
• %USERPROFILE%\AppData\Local\2bbb528e-26aa-4e54-82c0-428df9bab7e7\build2.exe [Detected as: GAV: StopCrypt.RSM (Trojan)]
• %USERPROFILE%\AppData\Local\2bbb528e-26aa-4e54-82c0-428df9bab7e7\build3.exe (copy of mstsca.exe) [Detected as: GAV: ClipBanker.RSM (Trojan)]
• C:\SystemID\PersonalID.txt
• %USERPROFILE%\AppData\Local\bowsakkdestx.txt
• C:\ProgramData\55054064606124780548020057 (sqlite database)
• _readme.txt (written to all directories with encrypted files)

 

The following registry entries are made:

• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper
• HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatability Assistant\Store {malware file}

 

PersonalID.txt contains the following data:

M5o7GW95xOUM45FRYk7SEflLRpNXVqiExQDcPCGh

 

bowsakkdestx.txt contains the public key that was downloaded earlier:

 

_readme.txt contains the following message:

 

When build3.exe is run, it uses the CreateMutex API function with “M5/610HP/STAGE2” as the parameter to check if it has been run previously:

 

If this mutex is not present, it proceeds to grab clipboard data:

 

 

The malware also steals browser cookies.  It stores this data in a sqlite database.  The following screenshot shows the database structure:

 

We visited chase.com and bankofamerica.com and can see that the cookies are stored in the database:

 

Targeted files, clipboard data and cookies stored in the sqlite database are uploaded to a remote server:

 

We reached out to the operator email addresses (support@freshmail.top, datarestorehelp@airmail.cc) stated in the ransom note and received the following reply:

 

SonicWall Capture Labs provides protection against this threat via the following signature:

• GAV: ClipBanker.RSM (Trojan)
• GAV: StopCrypt.RSM (Trojan)

 

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

This week, the SonicWall Capture Labs Threat Research Team has observed the following threat:

The Amadey botnet malware has been packaged with a Redline infostealer to infiltrate systems, extract a variety information, and enable control via a C2 server. Both of these malware families are Russian in origin and can be found on darknet markets, with purchase prices between $100-500 USD. These malware samples acting in tandem could compromise user accounts and passwords for the infected system as well as online accounts, cryptocurrency wallets, and other sensitive information.

Static Analysis

Identifying the parent file (6f47b64e9fd997e45e2f13fc93a4aa24acefdb763096aa1636c05c0520d7ccbf) using Detect It Easy shows that it is an cabinet installer (Figure 1) and does not give any indication of packers or encryption.

Figure 1: Initial sample detection

Unpacking the parent archive gives five separate files:

• 9a6ef1a115b9367809c7e5533fec7b462a9f56570b318b492b85f56d86dad9db (32bit .NET DLL)
• c7eefb8ad88563225d2f6dbf8c172b8f9c762d4568165e7dda0cf5fe99d37bad (32bit .NET EXE)
• 3169784f33db3ef9f601721690e712e7397fdfcb62a7f8fe9c991aa5d74bb93e (32bit EXE)
• 73bf27825701303fbb23daf35fb053f4fbd2f788f833d13f3a695ea0b9dc78cd (32bit .NET EXE)
• 59e62d21e9db964ff3d98c7b8be190584754c87d1bbde2dea80c7e9b27b14ed0 (32bit EXE)

Of these files, there are two that automatically have suspicious characteristics: c7e and 73b are both timestomped, showing a creation timestamp in the future (Figure 2). 73b is also identified as having Confuser Ex obfuscation (Figure 3), which hinders analysis to a high degree.

Figure 2: Timestamps showing file creation in the year 2090

Figure 3: A creation date of 2067; Confuser Ex is an open-source protection software for .NET software

Looking through strings, file 316 has a reference to an Amadey.pdb file (Figure 4) within the debug strings; this is a custom debug file that loads symbols (resources or filepaths) as an alternative what may be in the finished program. The API calls that are listed show capabilities in Figure 5 cover the following areas: networking, system enumeration (to include registry, accounts, files, programs, and running processes), process injection, data manipulation, and security. The accompanying files also assist in network connections and enumeration with the exception of 9a6; this is a small .DLL file (~2kb) that is used for process side-loading.

Figure 4: String reference to Amadey

Figure 5: API calls within Amadey that confirm some of the malware functionality

Amadey has multiple methods of evasion for both runtime and analysis. This includes but is not limited to: sleeping for long periods, virtual machine and debugger detection (IsDebuggerPresent, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcess), and obfuscation. Removing ConfuserEx from the Redline sample shows the capabilities of what the file is doing. The file is named ‘Doggeries.exe’, and has a large number of functions for both parsing data and communication, as seen below in Figure 6.

Figure 6: Redline deobfuscated, showing a method of communication via email

Dynamic Analysis

Running the main application, files are dropped into the following locations and automatically renamed:

• “~\Desktop\v5f6rvVc7A.exe”
• “~\AppData\Local\Temp\IXP000.TMP\”
  • j3346492.exe
  • x3075787.exe
• “~\AppData\Local\Temp\IXP001.TMP\”
  • • i8210436.exe
  • x0248748.exe
• “~\AppData\Local\Temp\IXP002.TMP\”
  • h8899948.exe
  • g3601528.exe
• “~\AppData\Local\Temp\925e7e99c5\”
  • pdates.exe
• “~\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\clip64[1].dll”

Once the files are dropped, persistence is created during the following steps:

• ‘schtasks.exe’ is run by ‘pdates.exe’ with the following command, which will run ‘pdates.exe’ once every minute:

‘”System32\schtasks[.]exe” //Create //SC MINUTE //MO 1 //TN pdates[.]exe /TR “~\925e7e99c5\pdates[.]exe” /F’

• ‘cacls’ (Windows Access Control List) is used to set permissions on both the file and the directory to prevent runtime issues:

‘”System32\cmd[.]exe” /k echo Y|CACLS “pdates[.]exe” /P “user:N” (&&) CACLS “pdates[.]exe” /P “user:R” /E (&&) echo Y|CACLS “..\925e7e99c5” /P “user:N” (&&) CACLS “..\925e7e99c5” /P “user:R” /E (&&) Exit’

• A Windows registry key is changed to the following value to autostart when the system boots:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders: ~\AppData\Local\Temp\925e7e99c5\

As this is occurring, another file is run named ‘Healer.exe’ (it will have a randomized name when dropped). The only function ‘Healer’ has is to disable Windows Defender and prevent it from updating, as seen below in Figure 7.

Figure 7: Healer’s functions and targeted registry keys

After ‘Healer’ has been run, ‘pdates.exe’ will reach out to the C2 and download ‘clip64.dll’ (Figure 8).

Figure 8: Communication is established, followed by ‘clip64.dll’ downloading

Clip64 is used to pull data from the clipboard and package it to be sent back to the C2. There is also a reference to Amadey in a .pdb path within the file (Figure 9).

Figure 9: Amadey Clipperdll.pdb reference (left), and clip64.dll capabilities (right)

An additional module named ‘cred64.dll’ also attempts to download, but is unsuccessful (Figure 10). It is unknown whether this is deliberate or accidental on the botnet operator’s part.

Figure 10: The file ‘cred64.dll’ failed to download to the target system

A hook is installed using DirectDrawCreateEx to capture user input and activity. Amadey and Redline will enumerate the system in its entirety to collect hardware specifications, OS version, user accounts, installed software, credentials (in- and out of browser), documents, and cryptocurrency wallet information (Figure 11).

Figure 11: C2 and cryptocurrency information

Amadey and Redline are detected by RTDMS and the signature Amadey.R(Trojan).

IOCs

Hashes
6f47b64e9fd997e45e2f13fc93a4aa24acefdb763096aa1636c05c0520d7ccbf (parent file)
9a6ef1a115b9367809c7e5533fec7b462a9f56570b318b492b85f56d86dad9db (exhalhENZZbhvzCCmysGrfFiklOcA.dll)
c7eefb8ad88563225d2f6dbf8c172b8f9c762d4568165e7dda0cf5fe99d37bad
3169784f33db3ef9f601721690e712e7397fdfcb62a7f8fe9c991aa5d74bb93e (Amadey payload)
73bf27825701303fbb23daf35fb053f4fbd2f788f833d13f3a695ea0b9dc78cd (Redline payload)
59e62d21e9db964ff3d98c7b8be190584754c87d1bbde2dea80c7e9b27b14ed0
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f (pdate.exe)
58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 (clip64.dll)

URLs
77.91.68[.]61/rock/index.php
77.91.68[.]61/Plugins/cred64.dll
77.91.68[.]61/Plugins/clip64.dll
77.91.68[.]61/new/foto4060.exe
77.91.68[.]61/smo/du.exe

SonicWall Capture Labs Research team has observed RunpeX is abusing vulnerable version of kernel driver belonging to Zemana AntiMalware. RunpeX is a protector and malware injector based on KoiVM .NET protector. RunpeX is widely used to deliver different malware families like Remcos, Formbook, AgentTesla, Redline, Vidar, etc. The legitimate driver dropped by RunpeX is used to kill/disable AV/EDR processes which are generally protected. This technique is also known as Bring Your Own Vulnerable Driver (BYOVD). Previously, this technique has been employed by APT groups, AV/EDR killer tools, and ransomware actors.

Layer 1:

First-stage loader is .net application, which contains encrypted second stage payload hardcoded in byte array. This byte array is decrypted and executed using Assembly.Load() method.

Figure 1: Byte array contains encrypted second-stage loader and InvokeMethod() function 

 

Before executing second stage payload, function named “Do()” is called to bypass AMSI detection by patching AmsiScanBuffer() function.   

Figure 2: Function to bypass AMSI  

Layer 2:

Second-stage loader is .net RunpeX, which is protected with customized KoiVM virtualizer. This payload is responsible for installing Zemana AntiMalware driver.

Figure 3: Decompiled code of second-stage payload

 

In order to disable security solutions, this second stage payload drops and install Zemana driver. The driver is dropped at the root of “c” drive with name “Zemana.sys” and is signed by “Zemana Ltd.”

Figure 4: Driver is signed by “Zemana Ltd”

 

To install driver on system, RunpeX elevate privileges using CMSTP UAC bypass technique. Below command is executed to achieve privilege escalation:

• “c:\windows\system32\cmstp.exe /au C:\windows\temp\1brdhu0p.inf”

Figure 5: Privilege escalation and UAC bypass using cmstp.exe

 

The INF file used in this UAC bypass is similar to the file present on GitHub.

Figure 6: Content of inf file

 

In the next step, driver service is created with name “Zemana” to load driver.

Figure 7: Service named “Zemana” is created to load driver

 

Then it retrieves handle to the loaded driver using CreateFileA() function:

Figure 8: Code snippet to retrieve driver handle

 

Using the handle created in the above step, RunpeX sends IOCTL code 0x80002010 to register itself as a trusted process by the driver.

Figure 9: IOCTL used to add process in trusted list

 

Finally, RunpeX sends another IOCTL code 0x80002048 to terminate target process by passing process PID as parameter. Using this IOCTL, it terminates all processes which are present in the configuration list.

Figure 10: IOCTL used to terminate security software processes

 

Driver IOCTL functionality

Below figure shows IOCTL handler functions that are part of installed driver:

Figure 11: Driver function to handle IOCTLs

Indicators Of Compromise (IOCs):

• 2d3c9078e40a6dd286b36dbaaf1f0a367d22a0f9e30a2fc93d1d8ba5b9b97ce8 – Initial Payload (.Net Application)

SonicWall Capture Labs provides protection against this threat via the following signature:

• Injector.RPX (Trojan)