Sage 2.0 is a new ransomware first observed in December and not now it is distributed via malicious spam. Sage is considered a variant of CryLocker ransomware, it is being distributed by the Sundown and RIG exploit kits.
“The Sage ransomware variant appears to have been out of circulation for a while in the malware scene. Since we published our article on Sage 2.0 last February, and the discovery of version 2.2 in March, the FortiGuard Labs team hasn’t seen significant activity with this malware for over six months.” states the analysis published by Fortinet.
“However, we just recently found new Sage samples that, while they appear to still be Sage 2.2, now have added tricks focused on anti-analysis and privilege escalation. In this article, we will share our findings of these recent updates.”
The Sage ransomware was also being distributed through weaponized documents, it leverages .info and .top top-level domain (TLD) names for malware delivery.
The ransomware implements the ChaCha20 encryption algorithm to encrypt the victim’s files and it doesn’t infect machines with Belarusian, Kazak, Uzbek, Russian, Ukrainian, Sakha, and Latvian keyboard layouts.
The threat actors behind this campaign have translated the ransom note into at least six languages, a circumstance that suggests they plan to target more countries in the future. in order to decrypt files, victims are instructed to access an onion site using the TOR browser and to pay a $2000 ransom to purchase the “SAGE Decrypter software.”
Once the malicious code has encrypted a file it will append the .sage extension to it.
The malware researchers discovered encrypted strings in the source code of the malware, a clear attempt of the author of obfuscating the code. The strings are encrypted using the Chacha20 cipher, the experts noticed that every encrypted string has its own hard-coded decryption key.
The new Sage ransomware implements several anti-analysis checks, for example, it enumerates all active processes on the machine, calculates the hash for every each one, and then compares the hashes against a hardcoded list of blacklisted processes.
The malware also checks the full path of where it executes to determine if the filename or directory name contains strings that are commonly used in the paths for analyzing malware samples.
The new strain of the Sage ransomware also checks the computer and user names to determine if they match a list of names used in sandbox environments, a similar check is conducted on the x86 instruction CPUID to get the processor info.
On top of these, the ransomware checks whether an antivirus runs on the computer (by enumerating the services running under Service Control Manager) and checks it against a set of blacklisted MAC addresses.
The ransomware checks whether an antivirus software is running on the machine, it does it by enumerating the services running under Service Control Manager.
“it checks to see if the computer has an instance of a running Antivirus and checks it against a set of blacklisted MAC addresses. The malware checks if there is an Antivirus running by enumerating the services running under Service Control Manager, computing these services names to a Murmurhash3, and then checking them against its list of hard-coded hashes. Table 2 and Table 3, respectively, list some of the blacklisted Antivirus services names and MAC addresses.” continues the analysis.
The experts discovered that this variant of Sage is able to elevate its privilege either by exploiting a patched Windows kernel vulnerability (CVE-2015-0057) or by abusing eventvwr.exe and performing registry hijacking to bypass User Account Control (UAC).
(Security Affairs – Sage ransomware, cybercrime)