Blog
Prashant Tilekar

GandCrab Ransomware along with Monero Miner and Spammer

January 24, 2019
  • 3
    Shares
0
Estimated reading time: 6 minutes

Recently we saw a new campaign through spam mail attachment- zip file. It contains JavaScript file which delivers a bundle of GandCrab Ransomware, Monero miner and Spammer. This bundle of multiple malware variants is nothing new, it is common for ransomware to be paired with miner and spammer. This type of attacks helps hackers increase their chances of profit. In case the victim does not pay the ransom, then hackers use Monero miner and spammer, ultimately attacker’s intention is to get control over the victim’s system and get the ransom.

Fig.1 Attackchain

Fig.1 Attack chain

Spam mail is the infection source of this campaign; attackers use such a type of subject name so that victim is convinced to open the mail and then the attachment. Subject name is such as “Greeting Card”, “My letter just for you”,” Always thinking about you”,” This is my love letter to you”,” Just for you!”,” Wrote my thoughts down about you”,” I love you”,” Felt in love with you!”.

JavaScript is highly obfuscated with base64 encode and URL encode. It uses bitsadmin.exe and PowerShell.exe to download artifacts from Hosted malware domain.

Fig.2 Deobfuscated JavaScript

Fig.2 Deobfuscated JavaScript

The initial payload downloaded is just a downloader file which creates its self-copy, terminates itself and runs from a new location. This file downloads three new components containing Mail Spammer, Monero miner and GandCrab Ransomware.

Fig.3 Process Tree.

Fig.3 Process Tree.

Spammer

1st stage malware is a mail spammer whose task is to send mails to different emails. It downloads and sends JavaScript (initial vector) as an attachment and sends it from different email ids. It performs a dictionary attack on those email ids which are already stored in a binary file and there is also a list of subject names which it picks up from the list and having common mail body used to create mail. Email id is created in such a way that it chooses a name from the list and appends a digit or character to it.

Following are the figures which show a list of subject names and user email names.

Fig.4 Subject name list

Fig.4 Subject name list

Fig.5 User name list

Fig.5 User name list

Binary then try to connect with hxxp://icanhazip.com this site is not malicious this website it just tells your public facing IP in the response.

Added persist entry in “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”

Spammer gets the mail id list from its CnC server and uses this to send multiple spam mails to spread attachment, containing the same JavaScript file. A list has around 20000 mail ids. On every execution, it gets new mail id list from the server.

Fig.6 Getting Mailing list from CnC Server

Fig.6 Getting Mailing list from CnC Server

ESMTP is user configurable relay-only Mail Transfer Agent (MTA) with send-mail compatibility. MTA is used to transfer electronic mail messages from one computer to another using SMTP.  Users in SMTP are not verified when a connection is established,  meaning the email doesn’t have to trustworthy, which is the advantage of SMTP. Open SMTP relays are often used to send high volume spam campaigns.

Here in this packet, we can see how server-client communication happens.

Server: “220 smtp.example.com ESMTP Postfix” is established. (Then client server communication happens.)
Client: HELO [relay.example.com] (SMTP client logs on with its hostname)
Server:  250 smtp.example.com hello[hostname], pleased to meet you (Server confirms login)
Client: MAIL FROM:<Name@randomNumber.com> (Client specifies the sender address)
Server: 250 Sender ok (Server confirms)
Client: RPCT TO:<receiver@mail.com> (Client specifies the sender address)
Server: 250 Recipient ok (Server confirm)
Client: DATA (Client initiates the transmission of the email)
Server: 354 End data with<CR><LF>. <CR><LF> (The server begins the reception and indicates

that e-mail text should be closed with a dot (“.”))

Client: FROM:<Name@randomNumber.com>

TO<receiver@mail.com>

Date: Day Month Year, Time

Subject:

Message body

(The client transmits email txt with “subject name” and ends with desired dot)
Server: OK (The server confirms it has successfully received the email)
Client: QUIT (The client signals end of session)

For more details about SMTP refer here.

Here is the mail sent using SMTP

Fig.7 Sending Spam mail using SMTP

Fig.7 Sending Spam mail using SMTP

Miner

The 2nd stage payload is Monero(XMRig) miner. The cryptonight algorithm is used by Monero miner. When miner gets executed, it creates one folder with hidden attributes and drops its self-copy with a configuration file in JSON format which is already encoded by base64. It also drops VBS file which starts lookup to a compromised server and downloads new variants. This script gets deleted after execution.

Fig.8 Drops files

Fig.8 Drops files

To stay in the machine, it drops internet shortcut file in the startup folder which has codes to call self-copy of malware.

Fig.9 Shortcut file

Fig.9 Shortcut file

Following is the screenshot of a decoded configuration file.

 

Fig.10 Miner JSON.

Fig.10 Miner JSON.

Fig.11 AV-List in Miner

Fig.11 AV-List in Miner

This miner also searches for some Anti-Virus processes but there is a flaw in the code of the miner that if it finds any AV process then it doesn’t do any activity loop. It continues to search for the next process.

This miner process doesn’t do any malicious activity related to a miner, it hollows its code to wupp.exe (for 32-bit OS) or notepad.exe (for 64-bit OS) process and that performs further mining activity using the configuration file.

Fig 12. Injected code in wupp.exe

Fig 12. Injected code in wupp.exe

There is another loop in this miner which continuously runs and checks if taskmgr.exe is running or not. If found, then it terminates the wupp.exe/notepad.exe process. If the taskmgr.exe process gets killed then it again hollows its code and starts mining.

Fig.13 Check for taskmgr.exe

Fig.13 Check for taskmgr.exe

Following image shows how miner hides itself from the task manager.

Fig.14 Hide from task manager

Fig.14 Hide from task manager

The following traffic shows the XMRig Monero mining activity.

Fig.15 XMRig traffic

Fig.15 XMRig traffic

GandCrab Ransomware

The 3rd stage payload downloaded on the system contains GandCrab Ransomware. After execution, this file checks for Russian keyboard layout using RegKey entry, if found, then the process gets terminated.

Fig.15 Fetch RegKey

Fig.15 Fetch RegKey

 Fig.16 Compare value

Fig.16 Compare value

Ransomware also searches if the Anti-Virus is running or not.

We have already published blog post related to GandCrab Ransomware. We found the same behavior as discussed in the previous blog.

Ransom-note is shown in the following image.

Fig17. GandCrab Encrypted file note

Fig17. GandCrab Encrypted file note

Quick Heal Detection

Quick Heal successfully detected such campaigns with various detection levels.

IOC’s

a14a3a3036a1706408443e28399a15c1
916cdbc267ca752999365467c05d573b
eb30145e2cb82687f8dac728be1e4b91
e0e5164cf5b19d56f33520cd44875c95

Conclusion

JavaScript is already used to deliver different malware as the initial attack vector in spam mail campaigns. “LOVE YOU” tag is used to catch the user’s attention and prompt him to open the attachment which invariably infects the machine. So beware of such kind of spam emails and attachments.

Subject Matter Expert:

Prashant Tilekar, Aniruddha Dolas | Quick Heal Security Labs

  • 3
    Shares

Have something to add to this story? Share it in the comments.

Prashant Tilekar
About Prashant Tilekar
Prashant Tilekar is part of the HIPS (Host-based Intrusion Prevention System) team in Quick Heal Security Labs. He has worked on various security vulnerabilities...
Articles by Prashant Tilekar »

No Comments, Be The First!

Your email address will not be published.

CAPTCHA Image