Blog
Rahul Sharma

Dharma Ransomware Variant Malspam Targeting COVID-19

April 9, 2020
0
Dharma-variants-penetrating-through-COVID-19 Dharma-variants-penetrating-through-COVID-19
Estimated reading time: 7 minutes

Since the outbreak of the Novel Coronavirus pandemic, many malware have been seen trying to lure people to open malicious emails, malicious domains and run other malware, etc. Some of these malicious domains are fully functional and provide real-time mapping of COVID-19 stats across the globe. However, they deliver malware on the system of victims visiting the site who are unaware of any suspicious events. They can steal personal and financial information stored on the browser by executing malicious Javascript on the visit.

Malicious domain with a fully functional map

Fig: Malicious domain with a fully functional map

Few other malware are using spear-phishing emails impersonating WHO or other authentic organizations, providing safety measures about COVID-19 pandemic along with a means of malicious code execution.

One such spear-phishing campaign is being used by the Dharma ransomware variant (Crysis). First noted in 2016, Dharma ransomware has been around for almost five years now and keeps popping out with a new variant, periodically. The threat actors want to leverage every scenario to escape detection and deliver the payload.

The main payload is attached as ‘1covid.exe’ — on the execution of the ‘1covid.exe’, it begins to encrypt the files and the following ransom note is displayed on the screen. The extension of files after encryption is .ncov supposedly named after the Novel Coronavirus.

Ransom Note Used by Dharma Variant

Fig: Ransom Note

The ransom note is dropped in various formats. After encrypting the files, a ransom note asks the user to write an email to “coronavirus@qq.com” to restore their files.

txt version of ransom note

Fig: A text version of the ransom note

Sample MD5: 62D3E2CA818E515EDBB44CAD8355C91D

Technical Analysis:

The Ransomware does not employ any UAC bypass and presents with the prompt to execute. The malware is not packed but it has encrypted API and library names. It decrypts the API and library names using the rc4 algorithm and after that, it loads libraries and resolves all APIs using Loadlibrary and Getprocaddress functions respectively.


rc4 decryption function

Fig: Decrypting names using rc4

Functions used to resolve the api's

Fig: Function used to resolve the APIs

After that, it creates the mutex name and checks if it is already present — if present it terminates itself. The mutex name is a combination of string ‘Global\\syncronize_’ and “5GW7SU(U/A)” where the latter is a unique hard-coded sample id.

Mutex Name

Fig: Mutex name

The ransomware manages a list of recognized valuable extensions to it as below

  1. Doc

(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)

  1. Arc

(.zip;.rar;.bz2;.7z;)

  1. Dbf

(.dbf;)

1c8(.1cd;)

  1. Jpg

(.jpg;)

 

It carries a list of processes to kill so that there is blocking of files related to them during encryption.

“1c8.exe, 1cv77.exe, outlook.exe, postgres.exe, mysqld-nt.exe, mysqld.exe, sqlservr.exe;”

Function to kill predetermined list of processes

Fig: Function to kill predetermined list of processes

Following list of services are killed if found: “FirebirdGuardianDefaultInstance, FirebirdServerDefaultInstance, sqlwriter, mssqlserver and sqlserveradhelper”

Function to kill the services

Fig: Function to kill the services

Further, it uses multiple ways to instantiate persistence.

Persistence Techniques:

  1. Drop a self-copy to %windir%system32
  2. Set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with above entry %windir%system32
  3. Read registry entry ‘startup’ in “Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders” and drop a self-copy in retrieved path i.e. in “%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\”
  4. Read registry entry ‘common startup’ in “Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders” and drop a self-copy in retrieved path I.e in “%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup”

The main process creates cmd.exe and pipes the command to delete the shadow copy using the vssadmin tool.

Deleting Shadow Copy

Fig: Deleting shadow copy

The process flow of the executable is shown in the below figure.

Process flow of malware

Fig: Process flow of sample

Encryption Technique: 

The ransomware uses AES-256 (128-bit block + 256-bit key) in CBC mode along with the RSA algorithm. The below image shows the function used for encrypting the given data with AES in CBC Mode. 

Algorithm AES in cbc mode

Fig: AES algorithm in cbc mode

The 32-bit AES key is generated by a function gen_key_random. The RSA public key is decrypted from the sample and imported via RSA_pub_key_new function which is further used for encrypting the previously generated 32-bit AES key. The same gen_key_random function is used for generating the 16-bit Initialization Vector for AES CBC mode.

random key generation

Fig: random key generation

The implementation of AES and RSA algorithms are done using a static library which can found at https://github.com/joyent/syslinux/blob/master/gpxe/src/crypto/axtls/aes.c  and https://github.com/joyent/syslinux/blob/master/gpxe/src/crypto/axtls/rsa.c respectively.

Fig: Function responsible for rsa encryption

The ransomware also encrypts the drives and network shares. There is a separate thread for encrypting the Network shares using the WNetOpenEnumW API family.

Enumerating Network shares

Fig: Enumerating Network shares

The mitre attack vector mapping of this ransomware is as follows.

Mitre techniques touched by this malware

Fig: Mitre techniques touched by this malware

Quick Heal detects this malware as Ransom.Crysis.A3. Apart from real-time protection, this malware is also detected by Quick Heal ARW (Anti Ransomware Protection) and BDS (Behaviour Detection System).

ARW and BDS detection of 1covid.exe

Fig: ARW and BDS detection of 1covid.exe

Conclusion:

Coronavirus pandemic has become a target for threat vectors using it as an Initial Vector for all sorts of malicious activities. Quick Heal detects many malicious domains and spear-phishing emails and saves the user from falling into those traps. However, to be on the safer side, below are the steps that can be taken to minimize the risk.

  1. Turn on email protection on your anti-virus software.
  2. Do not open any link or attachment in an email if you doubt the authenticity of the email.
  3. Do not download and open any attachments from an unknown source.

IOC:

Malicious domains pertaining to the Coronavirus.

Suspicious URLs and Domains Category
hxxp://mohanlakshmipathy[.]com/COVID-19.doc Malware
hxxp://64.227.17[.]38/bins/covid.x86 Malware
hxxp://crack.relaxationcards[.]com/health/application/COVID/2019/Covid_19_test_form.doc Malware
hxxp://tusa.mindbodyspiritsydney[.]com/application/health/test/Covid2019/2019_nCoV_Application_Test.doc Malware
hxxp://tks.enzacurrenti[.]com/application/health/test/Covid2019/Test_COVID_2019.doc Malware
hxxp://185.242.104[.]197/wzjd/Covid19-UPDATE_PDF.exe Malware
hxxps://corona-virus-map[.]net/data/mapdata.jar Malware
hxxps://corona-map-data[.]com/bin/regsrtjser346.exe Malware
hxxp://192.3.193[.]251/Corona.ppc Malware
hxxp://91.234.99[.]234/Corona.mips Malware
hxxps://phamchilong[.]com/22/CORONA Malware
hxxp://45.32.78[.]111/Corn/Calin/Corona.exe Malware
hxxps://recoverrryasitalycovid-19[.]xyz/over Malware
hxxps://toyswithpizzazz[.]com.au/service/coronavirus Malware
hxxp://coronasafetymask[.]tk Malware
hxxp://coronavirusapp[.]site/mobile.html Malware
hxxps://corona-masr2[.]com/chase-support.wepay.com/ChaseClean/Chase%20Clean/login/ Malware
hxxps://corona-masr2[.]com/chase-support.wepay.com/ChaseClean/Chase%20Clean/login/auth.php Phishing & Fraud
hxxp://dtipgifts[.]com/E-Transfer/COVID-19/files6546541204/down45640/banks/directing/atbonline/question.php Phishing & Fraud
hxxps://uk-covid-19-relieve[.]com Malware
hxxps://covid-19[.]bdtime.news/directing/www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi/ClientSignin.htm Phishing & Fraud
hxxp://covid-19[.]bdtime.news Malware
hxxps://raymondne[.]buzz/COVID-19PRECAUTIONS/ Malware
hxxps://footytube[.]top/admin/covid-19/office365/office365/office365/office365/office365/office365/office365 Phishing & Fraud
hxxps://covid-19-business-continuity-epic-uk-limited.azurewebsites[.]net/Corona_Virus_2020/passw.php?client_id_redirect_uri=_authenticate_/common/oauth2/authorize_token=9d84bdf0dfc3d870ee7e328eff7d2e597c924200 Malware
hxxps://kampcbation[.]info/COVID-19/ Malware
hxxps://www.brightparcel[.]com/corona/owa.php Malware
“coronavirusstatus[.]space” Malware
“coronavirus[.]zone” Malware
“coronavirus-realtime[.]com” Malware
“coronavirus[.]app” Malware
“Coronavirusaware[.]xyz” Malware
“goiglecoronavirus[.]com” Malware
“googlecoronavvirus[.]com” Malware
“googlecoronavirua[.]com” Malware
“googlecoronavirs[.]com” Malware
“googlecoronavius[.]com” Malware
“googlecoronaviru[.]com” Malware
“googlecoronacirus[.]com” Malware
“goolgecoronavirus[.]com” Malware
“coronaviruspatientobservation[.]com” Malware
“coronavirusremotepatientobservation[.]com” Malware
“coronavirus-com[.]com” Malware
“coronaviruscovid19-information[.]com” Malware
“corona-map-data[.]com” Malware
“coronavirusgovernmentrelief[.]com” Malware
“coronavirusfired[.]com” Malware
“cheapcorona[.]com” Malware
“corona-defence[.]com” Malware
“coronavirushomeinternet[.]com” Malware
“childcarecorona[.]com” Malware
“corona5[.]com” Malware
“coronavirusfactsandfears[.]com” Malware
“thankscoronavirus[.]com” Malware
“coronavirusapp[.]site” Malware
“alphacoronavirusvaccine[.]com” Malware
“anticoronaproducts[.]com” Malware
“beatingcorona[.]com” Malware
“beatingcoronavirus[.]com” Malware
“bestcorona[.]com” Malware
“betacoronavirusvaccine[.]com” Malware
“buycoronavirusfacemasks[.]com” Malware
“byebyecoronavirus[.]com” Malware
“cdc-coronavirus[.]com” Malware
“combatcorona[.]com” Malware
“contra-coronavirus[.]com” Malware
“corona-armored[.]com” Malware
“corona-crisis[.]com” Malware
“corona-emergency[.]com” Malware
“corona-explained[.]com” Malware
“corona-iran[.]com” Malware
“corona-ratgeber[.]com” Malware
“coronadatabase[.]com” Malware
“coronadeathpool[.]com” Malware
“coronadetect[.]com” Malware
“coronadetection[.]com” Malware
“coronavirusmedicalkit[.]com” Malware
“corona-masr2[.]com” Malware
“uk-covid-19-relieve[.]com” Malware
“covid-19.bdtime[.]news” Malware
“covid-19-business-continuity-epic-uk-limited[.]azurewebsites.net” Malware


Subject Matter Expert

Rahul Sharma, Akshay Gaikwad | Quick Heal Security Labs

Have something to add to this story? Share it in the comments.

Rahul Sharma
About Rahul Sharma
Rahul is an Associate Security Researcher working on the day to day malware trends and is passionate about Reverse Engineering and Web...
Articles by Rahul Sharma »

No Comments, Be The First!

Your email address will not be published.

CAPTCHA Image