|Saving Dropper into user temporary file with static name|
As of today, the dropping URLs are the following ones:
|No Packing found|
Firing up IDA and reversing the sample revealed a small XOR-encoded payload and some anti-debugging tricks, such as timing control and performance monitoring, as follows:
|Anti-Debugging tricks: Timing and Performance control|
|Decoding Loop on 0x3001220|
The following is a piece of the decoded memory area (the configuration file), decoded by the loop at 0x03001220.
|Decoded Memory Area|
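The post shows a small XOR-encoded configuration being decoded by a loop in the sample, but not the key. As an added example (not code from the original post), the block below shows the usual way an analyst recovers such a single-byte XOR key without stepping through the decoding loop: try all 256 candidates and keep the one whose output is mostly printable and contains an expected crib (here `http`, since the config carries C&C URLs). The configuration text, the key `0x5A` and the crib are constructed for the example and are not the real TOPransom values.

```python
"""Added example (not from the original post): recover a single-byte XOR key
for an encoded configuration blob by scoring candidate plaintexts.
The sample config, the key 0x5A and the crib are constructed for this
example; the real TOPransom key and blob are not on the page."""
from __future__ import annotations

import string

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same loop encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def score_plaintext(candidate: bytes) -> float:
    """Fraction of printable ASCII bytes; a decoded config is mostly text."""
    if not candidate:
        return 0.0
    return sum(1 for b in candidate if b in PRINTABLE) / len(candidate)


def recover_single_byte_key(blob: bytes, crib: bytes = b"http") -> tuple[int, bytes]:
    """Try every single-byte key and return (key, plaintext) for the best one.

    A candidate containing the crib gets a +1.0 bonus, so a plaintext that
    both looks textual and contains the expected URL scheme wins outright.
    """
    best_key, best_plain, best_score = -1, b"", -1.0
    for k in range(256):
        plain = xor_bytes(blob, bytes([k]))
        score = score_plaintext(plain) + (1.0 if crib in plain else 0.0)
        if score > best_score:
            best_key, best_plain, best_score = k, plain, score
    return best_key, best_plain


# Constructed sample: a fake config encoded with a made-up key (0x5A).
SAMPLE_CONFIG = b"ext=.locked;c2=http://example.invalid/gate.php;btc=0.18"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, bytes([SAMPLE_KEY]))

if __name__ == "__main__":
    key, plain = recover_single_byte_key(SAMPLE_BLOB)
    print(f"key=0x{key:02x} plaintext={plain!r}")
```

For a multi-byte repeating key the same scoring works per key position once the key length is known (for example from the stride of the decoding loop in IDA); the crib bonus then has to be replaced by a per-position printable score, because a four-byte crib no longer lines up with a single key byte.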
|Ransom Request Rendered File|
|POST request to buy the decrypter|
Particularly interesting (at least from my personal point of view) is the hidden input called “FB”, which looks like it is piggybacking two pieces of information to the command and control (ransom server): the extension and some hexadecimal content included in a crafted tag called “pre”. By clicking on “Yes I want to buy” the victim POSTs this data and is prompted with the following page, asking for 0.18 BTC in order to get the files back.
|Request for ransom|
The FB hidden value “made me curious”. By changing the first value (the one before the statement “pre”) you would see different BTC wallets with different asking prices. The following image shows the different results.
|Request for ransom 2|
|Forcing New Wallets to limit further infections (please do not consider this script production ready. Do not consider it the best implementation for such a goal)|
|SQLi on C&C server !|
|Bot Ids and relative locations|
|Attackers Username, Passwords and Wallets|
My attention ended up on that guy: [email protected]
That guy is related to the following private wallet: 1P3t56jg5RQSkFDWkDK3xBj9JPtXhSwc3N
As you might guess there are two main wallet types:
|Transaction From 1P3t56jg5RQSkFDWkDK3xBj9JPtXhSwc3N|
After a few more crafted SQL queries I was able to extract the “inst” table. The field names are the following ones:
|TOPransom Victims Distribution|
|TOPransomware victims browser distribution|
In this post I’ve been describing the activity that took me from an email attachment to dumping the entire attacker’s database on a Ransomware as a Service platform that I called TOPransom. I’ve been trying to enumerate the attacker’s income and to mitigate the spreading vector by filling up wallet creation per user with a quick and dirty Python script.
The following IoCs are for your detection systems. Have fun!
IoC (summing up):
- dropper .vba (sha256:fdd1da3bdd8f37dcc04353913b5b580dadda94ba)
- saToHxy.exe (sha256:6a51d0cd9ea189babad031864217ddd3a7ddba84)
- RECOVER-FILES-html (sha256: cdb3fef976270ab235db623d6a4a97ea93c41dd1)
- Bot location: http://oeirasdigital.pt
- Bot Location: http://jflo.ca/
- TOP Browser
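As an added example (not code from the original post or from the author), the block below turns the IoC list above into a small host-side matcher. Two details a practitioner would want handled: the three digests listed above are 40 hex characters long, which is the length of a SHA-1 digest rather than a SHA-256 one, so the matcher picks the algorithm from the digest length instead of trusting the label; and the dropper is saved under a static name in the user’s temp folder, so the file name is matched too. The demo sample bytes, the demo IoC entry derived from them and the scanned paths are constructed for the example.

```python
"""Added example (not part of the original post): match files against the
post's IoC list. The listed digests are 40 hex chars (SHA-1 length) even
though labelled sha256, so the algorithm is chosen from the digest length.
DEMO_SAMPLE and DEMO_IOCS are constructed for this example only."""
import hashlib
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# Digests copied from the post's IoC list (labelled sha256 there; SHA-1 length).
IOC_DIGESTS: Dict[str, str] = {
    "fdd1da3bdd8f37dcc04353913b5b580dadda94ba": "dropper .vba",
    "6a51d0cd9ea189babad031864217ddd3a7ddba84": "saToHxy.exe",
    "cdb3fef976270ab235db623d6a4a97ea93c41dd1": "RECOVER-FILES-html",
}
# Static dropper file name from the post (written to the user's temp folder).
IOC_FILENAMES = {"satohxy.exe"}

# Hex digest length -> hashlib algorithm name.
DIGEST_ALGOS = {40: "sha1", 64: "sha256"}


def algo_for_digest(digest: str) -> str:
    """Pick the hash algorithm from the digest length; reject anything else."""
    try:
        return DIGEST_ALGOS[len(digest)]
    except KeyError:
        raise ValueError(f"unsupported digest length {len(digest)}: {digest}")


def match_bytes(name: str, data: bytes, iocs: Dict[str, str] = IOC_DIGESTS) -> List[str]:
    """Return the IoC labels that a file with this name and content matches."""
    hits: List[str] = []
    if name.lower() in IOC_FILENAMES:
        hits.append(f"filename:{name}")
    computed: Dict[str, str] = {}  # one digest per algorithm, computed lazily
    for digest, label in iocs.items():
        algo = algo_for_digest(digest)
        if algo not in computed:
            computed[algo] = hashlib.new(algo, data).hexdigest()
        if computed[algo] == digest.lower():
            hits.append(f"{algo}:{label}")
    return hits


def scan_tree(root: Path, iocs: Dict[str, str] = IOC_DIGESTS) -> Iterator[Tuple[Path, List[str]]]:
    """Yield (path, hits) for every file under root that matches an IoC."""
    for path in root.rglob("*"):
        if path.is_file():
            hits = match_bytes(path.name, path.read_bytes(), iocs)
            if hits:
                yield path, hits


# Constructed positive case: a made-up file whose SHA-1 is added to a demo set,
# so the matcher can be exercised without any real malware on disk.
DEMO_SAMPLE = b"constructed sample, not real malware"
DEMO_IOCS = dict(IOC_DIGESTS)
DEMO_IOCS[hashlib.sha1(DEMO_SAMPLE).hexdigest()] = "constructed sample"

if __name__ == "__main__":
    import sys
    import tempfile

    # Default to the user's temp folder, where the post says the dropper lands.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(tempfile.gettempdir())
    for path, hits in scan_tree(root):
        print(f"{path}: {', '.join(hits)}")
```

Run it with a directory argument to scan somewhere other than the temp folder. If you later obtain true SHA-256 values for these samples, they can be added to the same dictionary and the length-based dispatch picks `sha256` for them automatically.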
About the author: Marco Ramilli, Founder of Yoroi
I am a computer security scientist with an intensive hacking background. I have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division), where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.
I have experience in security testing, since I have been performing penetration testing on several US electronic voting systems. I have also been in charge of testing the uVote voting system for the Italian Ministry of the Interior. I met Palantir Technologies, where I was introduced to the Intelligence Ecosystem. I decided to amplify my cyber security experience by diving into SCADA security issues with some of the biggest industrial conglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cyber security defence centers I’ve ever experienced! Now I technically lead Yoroi, defending our customers and strongly believing that Defence Belongs To Humans.
(Security Affairs – TOPransom, cybercrime)