In between the waves of the Petya ransomware-wiper, another serious ransomware was spreading: the “Karo Ransomware”. The initial vector is spam mail carrying a document file.
The document file is password protected, and the malware is virtualization aware and refuses to run in sandboxes.
Once a machine is infected, Karo encrypts files, appending the (.ipygh) extension, and communicates with its command and control server over Tor.
Let's jump in.
One of the spam mails originated from the e-mail address “johnitgbwp[at]outlook.com”.
When the user tries to open the document, a password prompt appears; the password is given in the body of the email. This is a common trick used by offenders to evade automated analysis and sandboxes.
Once the password is provided, the document opens and asks for macros to be enabled so that the VB code can run.
When we try to analyse the macro code within the document, another protection implemented by the offender gets in the way, probably to stop analysts or anyone else from peeking at the code.
Once this protection is bypassed, we can see the actual VBScript embedded in the user form.
The VBScript invokes PowerShell to download the payload. Before executing it, the code pings 127.0.0.1 15 times as a crude delay, then the payload is executed from the victim machine's temp folder. (A common technique used by offenders these days.)
Now let us analyse the executable the script downloaded, “svchost.exe”.
This executable was found to be obfuscated with SmartAssembly, mainly to make reverse engineers sweat.
Now we need to sit down for a while to figure it out. As an analyst, you may be tempted to skip static analysis and go ahead with dynamic analysis alone. But here comes the trick: when you execute this malware inside a virtual machine, it will not exhibit its actual behaviour, because it detects the virtualization. This shows the importance of code analysis while performing an analysis.
Now, let's see what's in it. Once execution starts, the malware checks whether it is being executed in a virtual environment. This makes sure the malware is not being analysed by reverse engineers or sandboxes.
The snippet of code below is from the source of the executable, derived after de-obfuscation and modification.
The code segment queries the system information and checks for the keywords “virtual”, “vmware” or “virtualbox”. Taking VMware as an example, the fields of interest are:
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
Thus the virtualization check above will easily identify that the malware is running inside a virtual environment.
Now what happens if it detects that it is being executed in a virtual environment?
The malware follows a separate routine which runs “C:\windows\system32\cmd.exe” with the parameters /c PING -n 5 127.0.0.1 & del /f /q "%temp%\*.*". As we can see, these parameters are base64-encoded within the executable.
Throughout the malware code, the important parameters are base64-encoded.
The invoked command pings 127.0.0.1 5 times, deletes all files in the machine's temp folder and exits.
Otherwise, the executable proceeds with its infection routine. To observe it inside a VM, we need to trick the malware or patch it. I made a small tweak so that the malware runs its actual infection routine within the VM, bypassing the “clean the trace” routine mentioned above.
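To speed up static triage of samples that stash their parameters this way, here is an added Python helper (my own code, not from the analysis or the sample) that pulls base64 runs out of a binary blob, decodes those that yield readable ASCII or UTF-16 text, and tags any that match the command patterns seen in this sample. The blob it runs on is constructed inline, not bytes from the real executable.

```python
import base64
import re

# Constructed stand-in for a chunk of the de-obfuscated binary: base64 blobs like the
# ones Karo stores its parameters in, mixed with noise. Not bytes from the real sample.
_PARAMS = [
    b'/c PING -n 5 127.0.0.1 & del /f /q "%temp%\\*.*"',
    b"C:\\windows\\system32\\cmd.exe",
    b"/c taskkill.exe /f /im Microsoft.vshub.32.exe",
    b"-f ./torrc",
]
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00" + b"\x00".join(base64.b64encode(p) for p in _PARAMS)
    + b"\x00" + b"A" * 17 + b"\x00" + b"/" * 16  # impossible length / non-text: both skipped
    + b"\x00Hello from the noise\x00"
)
# Runs of base64 alphabet, 12+ chars, with optional trailing padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")
# Command patterns observed in this sample (see the analysis above).
INDICATORS = {
    "ping-delay-then-wipe-temp": re.compile(r"PING -n \d+ 127\.0\.0\.1 & del /f /q", re.I),
    "taskkill": re.compile(r"taskkill\.exe /f /im", re.I),
    "tor-launch": re.compile(r"-f \./torrc"),
}

def _as_text(raw):
    # Accept the decoded bytes only if they form printable ASCII or UTF-16LE text.
    for enc in ("ascii", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None

def decode_candidates(blob):
    # Decode every base64 run in blob that yields readable text.
    found = []
    for match in B64_RUN.finditer(blob):
        tok = match.group(0)
        try:  # repair stripped padding; bad lengths raise binascii.Error (a ValueError)
            raw = base64.b64decode(tok + b"=" * (-len(tok) % 4), validate=True)
        except ValueError:
            continue
        text = _as_text(raw)
        if text:
            found.append(text)
    return found

def triage(blob):
    # Pair each decoded string with the names of the indicators it matches.
    return [(t, [n for n, rx in INDICATORS.items() if rx.search(t)])
            for t in decode_candidates(blob)]
```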
Once the infection routine starts, the malware copies itself as “svchost.exe” to “C:\Users\<username>\AppData\Roaming”. Then a shortcut file named “Notepad.lnk”, pointing to the copied executable, is created and saved in the Startup folder as a persistence mechanism.
We can see the malware creating a mutex named “MyUniqueMutexName”.
Then the malware queries and enumerates the logical drives on the machine.
A file named “aes” is created and dropped at “C:\Users\<username>\AppData\Roaming” (32 randomly generated characters, derived from a seed, are written to it). This file is then made hidden, and once the infection completes it is deleted.
Meanwhile, the malware checks whether a file named “svchost.exe” already exists in the directory “C:\Users\<username>\AppData\Roaming”; if so, it deletes it and then copies the malicious executable into the directory under the name “svchost.exe”. This svchost.exe is used for persistence via the “Notepad.lnk” created earlier in the Startup folder.
If no file named “svchost.exe” is found, the malware copies itself into the directory as “svchost.exe”.
Now the malware checks whether a folder named “Tor” exists in the %temp% folder, and if not, it checks whether a process named “Microsoft.vshub.32” is running on the victim machine. If it is, the malware kills it.
We will see why shortly.
Next the malware downloads the Tor browser package from:
Wondering what it is? It's the base64-encoded URL of the Tor package.
It decodes to the URL below:
The downloaded zip package is saved in the %temp% folder under a randomly generated 5-character name:
A random name generator is used to produce the 5 characters; the method used is shown above.
Then the zip package is unzipped and the archive is immediately deleted. The malware then writes the configuration required for Tor connectivity to the “torrc” file:
The parameters are base64-decoded and written to the torrc file:
The “tor.exe” file in the Tor directory is renamed to “Microsoft.vshub.32.exe”. Then the Tor directory is moved out of the randomly named parent directory into the temp folder, and the parent directory is deleted.
The %temp% directory and its sub-directories are given full permission by calling the “icacls” command via “C:\windows\system32\cmd.exe” (again base64-encoded).
Now the “tor.exe” renamed to “Microsoft.vshub.32.exe” is executed with the parameter “-f ./torrc”. A SOCKS listener and a control listener are also opened. That is why the malware earlier checked for a process named “Microsoft.vshub.32.exe”: it needs to run smoothly without conflicts 😉
If we try to recreate it:
With the Tor environment set up, the malware tries to communicate with an .onion domain, sending information such as the username, operating system and machine name.
Next the malware tries to communicate with the URL below:
The “aes” field now contains base64-encoded strings (including the RSA-2048-encrypted bytes of the RNG-generated string the malware produced at the beginning).
After this stage, the malware kills the processes below:
/c taskkill.exe /f /im MSExchange*
/c taskkill.exe /f /im sqlserver.exe
/c taskkill.exe /f /im sqlwriter.exe
/c taskkill.exe /f /im mysqld.exe
Then the encryption process starts. The malware searches the machine for files, comparing each file's extension with a set of target extensions. If the extension is not “.ipygh” and matches one in the set, the file is encrypted.
As we can see, the AES-256 encryption algorithm is used, files are selected by their extensions, and the encrypted files get the extension “.ipygh” appended.
The same information is mentioned by PhishLabs here about the encryption: “Karo, coded in .NET, uses the on-board RijndaelManaged class to encrypt files”. That sample targeted 21 extensions, but in our sample it is 12.
Then the malware again communicates with the same onion URL, sending information after encryption, possibly regarding the objects encrypted (not sure):
Once the encryption and command and control communication is done, the malware extracts a “karo.Readme.html” from its resources, saves it as “readme.html” on the victim's desktop and opens it.
When we navigate to the generated onion website, we can see the ransom notes, including payment information, the bitcoin wallet, and the date and time before which we should pay the ransom.
Immediately, the malware downloads an image from “hxxp://ibvmcu4eayyxjc4j.onion/wall.png”. After saving it as a .jpg file in %temp%, it is set as the desktop wallpaper.
After all the stages mentioned above, the malware finally deletes its traces and kills its running process by invoking “cmd.exe”:
- /c taskkill.exe /f /im Microsoft.vshub.32.exe.*
- /c PING -n 5 127.0.0.1 & del /f /q "%temp%\*.*"
- Deletes the “aes” file in the AppData folder.
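Pulling the behaviours described above into a detection, here is an added Python example (my own, not from the analysis) that scans process-creation records for the command lines and paths this sample produces: the ping-then-wipe-temp cleanup, the renamed Tor binary, svchost.exe running from AppData\Roaming, the taskkill of mail and database services, and icacls on %temp%. The records are constructed inline with assumed Sysmon-style field names, and the icacls switches are assumed, since the analysis only notes that the command is called.

```python
import re

# Constructed Sysmon-style process-creation records (field names assumed; not logs
# from the analysed machine). The last two are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c PING -n 5 127.0.0.1 & del /f /q "%temp%\*.*"'},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Tor\Microsoft.vshub.32.exe",
     "CommandLine": r"Microsoft.vshub.32.exe -f ./torrc"},
    {"Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c taskkill.exe /f /im MSExchange*"},
    {"Image": r"C:\Windows\System32\cmd.exe",  # icacls switches are assumed
     "CommandLine": r"cmd.exe /c icacls %temp% /grant Everyone:(OI)(CI)F /T"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": r"ping -n 1 10.0.0.5"},
]

# Each rule is matched against "<Image> <CommandLine>" so path-based and
# argument-based indicators share one pipeline.
RULES = [
    ("karo_ping_delay_then_wipe_temp",
     re.compile(r"PING -n \d+ 127\.0\.0\.1\s*&\s*del /f /q", re.I)),
    ("karo_renamed_tor_binary", re.compile(r"Microsoft\.vshub\.32\.exe", re.I)),
    ("karo_svchost_outside_system32",
     re.compile(r"\\AppData\\Roaming\\svchost\.exe", re.I)),
    ("karo_kills_db_and_mail_services",
     re.compile(r"taskkill\.exe /f /im (MSExchange\*|sqlserver\.exe|sqlwriter\.exe|mysqld\.exe)", re.I)),
    ("karo_icacls_on_temp", re.compile(r"\bicacls\b.*%temp%", re.I)),
]

def scan(events):
    # Return (rule_name, command_line) for every record that trips a rule.
    hits = []
    for ev in events:
        haystack = ev.get("Image", "") + " " + ev.get("CommandLine", "")
        for name, rx in RULES:
            if rx.search(haystack):
                hits.append((name, ev.get("CommandLine", "")))
    return hits

def summarize(events):
    # Count hits per rule; a host showing several of these together is very likely infected.
    counts = {}
    for name, _ in scan(events):
        counts[name] = counts.get(name, 0) + 1
    return counts
```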
After encryption of files:
When we simply navigate to the .onion command and control server, we see the following:
It is an executable which again shows the steps to pay and buy the decryption tool:
We have seen a lot of very dangerous campaigns these days, including WannaCry, the Petya wiper, Loki Bot and Karo Ransomware. The first two used very critical vulnerabilities leaked from the NSA, and perhaps because of that a lot of attention was focused on those threats. That said, between those threat waves, are we missing some dangerous threats? For example, when the Petya ransomware was top news, we could see a lot of IOCs being spread claiming to be Petya ransomware IOCs. In fact, those were a mixture of IOCs related to Petya, Loki and Karo. But anyway, IOCs are always juicy and important, mixed up or not.
That said, Karo Ransomware was playing hide and seek behind the “Petya” waves, yet it is indeed very dangerous.
Indicators of Compromise (IOC):
Recommendations:
- Run an end-user awareness program periodically.
- Maintain a strict backup process; it is invaluable in a ransomware infection scenario.
- Disable macros in MS Office files using Active Directory Group Policy.
- Maintain a well-defined patch or vulnerability management process.
- Implement strict and effective policies for inbound spam/malware protection.
- Regularly update AV signatures and other controls.
- Disallow execution of any files in the %temp% folder via endpoint policies; this is highly recommended.