Dharma Ransomware Variant Malspam Targeting COVID-19

Since the outbreak of the Novel Coronavirus pandemic, many malware have been seen trying to lure people to open malicious emails, malicious domains and run other malware, etc. Some of these malicious domains are fully functional and provide real-time mapping of COVID-19 stats across the globe. However, they deliver malware on the system of victims visiting the site who are unaware of any suspicious events. They can steal personal and financial information stored on the browser by executing malicious Javascript on the visit.

Fig: Malicious domain with a fully functional map

Few other malware are using spear-phishing emails impersonating WHO or other authentic organizations, providing safety measures about COVID-19 pandemic along with a means of malicious code execution.

One such spear-phishing campaign is being used by the Dharma ransomware variant (Crysis). First noted in 2016, Dharma ransomware has been around for almost five years now and keeps popping out with a new variant, periodically. The threat actors want to leverage every scenario to escape detection and deliver the payload.

The main payload is attached as ‘1covid.exe’ — on the execution of the ‘1covid.exe’, it begins to encrypt the files and the following ransom note is displayed on the screen. The extension of files after encryption is .ncov supposedly named after the Novel Coronavirus.

Fig: Ransom Note

The ransom note is dropped in various formats. After encrypting the files, a ransom note asks the user to write an email to “coronavirus@qq.com” to restore their files.

Fig: A text version of the ransom note

Sample MD5: 62D3E2CA818E515EDBB44CAD8355C91D

Technical Analysis:

The Ransomware does not employ any UAC bypass and presents with the prompt to execute. The malware is not packed but it has encrypted API and library names. It decrypts the API and library names using the rc4 algorithm and after that, it loads libraries and resolves all APIs using Loadlibrary and Getprocaddress functions respectively.

Fig: Decrypting names using rc4

Fig: Function used to resolve the APIs

After that, it creates the mutex name and checks if it is already present — if present it terminates itself. The mutex name is a combination of string ‘Global\\syncronize_’ and “5GW7SU(U/A)” where the latter is a unique hard-coded sample id.

Fig: Mutex name

The ransomware manages a list of recognized valuable extensions to it as below

1. Doc

(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)

2. Arc

(.zip;.rar;.bz2;.7z;)

3. Dbf

(.dbf;)

1c8(.1cd;)

5. Jpg

(.jpg;)

It carries a list of processes to kill so that there is blocking of files related to them during encryption.

“1c8.exe, 1cv77.exe, outlook.exe, postgres.exe, mysqld-nt.exe, mysqld.exe, sqlservr.exe;”

Fig: Function to kill predetermined list of processes

Following list of services are killed if found: “FirebirdGuardianDefaultInstance, FirebirdServerDefaultInstance, sqlwriter, mssqlserver and sqlserveradhelper”

Fig: Function to kill the services

Further, it uses multiple ways to instantiate persistence.

Persistence Techniques:

1. Drop a self-copy to %windir%system32
2. Set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with above entry %windir%system32
3. Read registry entry ‘startup’ in “Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders” and drop a self-copy in retrieved path i.e. in “%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\”
4. Read registry entry ‘common startup’ in “Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders” and drop a self-copy in retrieved path I.e in “%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup”

The main process creates cmd.exe and pipes the command to delete the shadow copy using the vssadmin tool.

Fig: Deleting shadow copy

The process flow of the executable is shown in the below figure.

Fig: Process flow of sample

Encryption Technique: 

The ransomware uses AES-256 (128-bit block + 256-bit key) in CBC mode along with the RSA algorithm. The below image shows the function used for encrypting the given data with AES in CBC Mode. 

Fig: AES algorithm in cbc mode

The 32-bit AES key is generated by a function gen_key_random. The RSA public key is decrypted from the sample and imported via RSA_pub_key_new function which is further used for encrypting the previously generated 32-bit AES key. The same gen_key_random function is used for generating the 16-bit Initialization Vector for AES CBC mode.

Fig: random key generation

The implementation of AES and RSA algorithms are done using a static library which can found at https://github.com/joyent/syslinux/blob/master/gpxe/src/crypto/axtls/aes.c  and https://github.com/joyent/syslinux/blob/master/gpxe/src/crypto/axtls/rsa.c respectively.

Fig: Function responsible for rsa encryption

The ransomware also encrypts the drives and network shares. There is a separate thread for encrypting the Network shares using the WNetOpenEnumW API family.

Fig: Enumerating Network shares

The mitre attack vector mapping of this ransomware is as follows.

Fig: Mitre techniques touched by this malware

Quick Heal detects this malware as Ransom.Crysis.A3. Apart from real-time protection, this malware is also detected by Quick Heal ARW (Anti Ransomware Protection) and BDS (Behaviour Detection System).

Fig: ARW and BDS detection of 1covid.exe

Conclusion:

Coronavirus pandemic has become a target for threat vectors using it as an Initial Vector for all sorts of malicious activities. Quick Heal detects many malicious domains and spear-phishing emails and saves the user from falling into those traps. However, to be on the safer side, below are the steps that can be taken to minimize the risk.

1. Turn on email protection on your anti-virus software.
2. Do not open any link or attachment in an email if you doubt the authenticity of the email.
3. Do not download and open any attachments from an unknown source.

IOC:

Malicious domains pertaining to the Coronavirus.

Subject Matter Expert

Rahul Sharma, Akshay Gaikwad | Quick Heal Security Labs

Rahul Sharma