Maze is a recently highlighted ransomware among the ever-growing list of ransomware families. Maze ransomware has been active for about the last year, but it came into the spotlight because of its new approach of publicly publishing sensitive data stolen from infected victims.
The malware uses different techniques to gain entry, such as exploit kits or email impersonation. These phishing emails carry a Word document attachment containing macros that run the malware on the system.
Maze uses the ChaCha algorithm for encryption, and the ChaCha key is itself encrypted using RSA. Maze can run with or without a mutex. It uses several Russian IPs as web servers to which it sends information from the victim system, and it uses RSA-encrypted requests for CnC communication. It will not encrypt the system in specific regions, which it detects by checking the keyboard type.
Stage – I:
The attached document file has a form containing an input box that holds a number array encoding the encrypted URL and file path. The document also contains an ActiveX object. When it executes, the URL and path are decrypted and it calls URLDownloadToFileA(), which downloads an executable to the specified location.
The number array is read from the text box, converted into characters and concatenated to form the URL and the path where the file is downloaded. Sometimes it also uses PowerShell to download the file. In most cases the file is downloaded to the "C:\Windows\temp" location.
Stage – II:
The first stage of Maze ransomware is a custom cryptor. This cryptor is packed and has very few imports. It loads libraries by calling LoadLibrary() and GetProcAddress() from kernel32.dll. In this cryptor, function names are stored as their Adler-32 checksums rather than as strings.
For anti-debugging, the cryptor passes junk strings to the function OutputDebugStringW().
In the code below, it checks whether a particular file is present; if it is present, the cryptor terminates. Similarly, it also checks for specific command-line arguments, and if they are present it changes the execution flow. Then the malware loads the resource in which the actual DLL is stored. The loaded resource is encrypted with an XOR operation using the key 0x41. After decryption, we get base64-encoded data.
After copying all the data onto the stack, the API names are formed and the LoadLibrary() Win32 API is called. It then decodes the base64 data by calling the CryptStringToBinaryA() API. The decoded buffer is decrypted once more using the ChaCha20 algorithm, which yields the actual payload of Maze ransomware. Along with the payload (which is the Maze DLL), it also decrypts shellcode. Using the CreateThread() API, it executes the shellcode.
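The two analyst tasks that the unpacking description above implies are resolving the Adler-32 hashed API names and peeling the XOR-0x41 and base64 layers off the resource. The following is example code written for this page; it is not Quick Heal's code and not the malware's own code. The export list is a constructed, deliberately short sample, `pack_sample()` exists only to build an offline test input, and the final ChaCha20 layer is not implemented because it needs the key recovered from the specific sample.

```python
"""Adler-32 API-name resolution and the first two resource layers (XOR 0x41,
then base64) of the Maze cryptor, as described above. Example code written
for this page; not Quick Heal's code and not the malware's own code. The
ChaCha20 layer that follows needs the key recovered from the sample and is
not implemented here."""
import base64
import zlib

# Constructed, deliberately short list of Win32 export names. In a real
# analysis you would feed in the full export tables of kernel32.dll, ntdll.dll
# and the other DLLs the cryptor touches.
KNOWN_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "OutputDebugStringW", "CryptStringToBinaryA",
]


def adler32_name(name: str) -> int:
    """Adler-32 of an ASCII API name. zlib.adler32 uses the standard initial
    value 1, which is what a packer computing Adler-32 over the name uses."""
    return zlib.adler32(name.encode("ascii")) & 0xFFFFFFFF


def build_hash_table(exports) -> dict:
    """hash -> export name lookup, built once per analysis."""
    return {adler32_name(n): n for n in exports}


def resolve_hashes(hashes, table) -> list:
    """Map each hash pulled out of the cryptor back to a name, None if unknown
    (an unknown hash usually means the export table fed in was incomplete)."""
    return [table.get(h) for h in hashes]


def xor_layer(data: bytes, key: int = 0x41) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def unpack_resource(blob: bytes) -> bytes:
    """Reverse the first two layers of the encrypted resource: XOR with 0x41,
    then base64-decode (the cryptor does this with CryptStringToBinaryA). The
    result is the ChaCha20 ciphertext handed to the final decryption step."""
    return base64.b64decode(xor_layer(blob), validate=True)


def pack_sample(plain: bytes) -> bytes:
    """Constructed test input only: layers a plaintext the way the cryptor's
    resource is described, so unpack_resource() can be exercised offline."""
    return xor_layer(base64.b64encode(plain))


if __name__ == "__main__":
    table = build_hash_table(KNOWN_EXPORTS)
    wanted = [adler32_name("VirtualAlloc"), adler32_name("CreateThread")]
    print(resolve_hashes(wanted, table))
    print(unpack_resource(pack_sample(b"MZ constructed payload")))
```

In practice the hash table is built from the complete export tables of the DLLs the cryptor loads; a hash that resolves to `None` is the usual sign that a DLL is missing from that list, not that the checksum variant is wrong.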
In this payload code, it first obtains the base address of kernel32 from the PEB. The code below shows the loading of the address.
The shellcode allocates memory using VirtualAlloc() and copies the DLL file into the newly allocated space. Then it creates a thread and executes code from the DLL. This code changes the bytes at the original entry point and then jumps to the OEP.
2. MAZE PAYLOAD
In the decrypted payload, it first loads all the APIs and then patches DbgUiRemoteBreakin in ntdll.dll. This is one of the anti-debugging techniques it uses to prevent a debugger from attaching.
First it calls VirtualProtect() on DbgUiRemoteBreakin with PAGE_EXECUTE_READWRITE as the new flNewProtect value. Then it replaces the byte 6A with C3 using a simple mov instruction. So, if someone tries to attach a debugger, the attach fails.
Then it enumerates running processes using Process32First() and Process32Next(). It calls APIs using a 'je' instruction: the return address is pushed onto the stack, and execution continues there after the API returns. In other words, each call is replaced with a 'push' followed by a 'jz' or 'je' instruction.
After process enumeration, it obfuscates all the process names with its own algorithm, which uses XMM registers. Then it calculates a hash of each obfuscated string, which is compared against hardcoded hashes. Some of them are:
When any process hash matches, it calls TerminateProcess() and kills the running process.
It will not encrypt files for specific keyboard types. To get the keyboard type it calls the function GetUserDefaultUILanguage(). For example:
Russian: 0x419 // NOT encrypted for this value
Ukrainian: 0x422 // NOT encrypted for this value
Serbian: 0x7C1A // NOT encrypted for this value
en_US: 0x409 // Encrypted for this value
It then communicates with the CnC server, whose IP list is hardcoded; all the IPs mentioned below appear to belong to Russia.
The data sent to the CnC on the first request is the username, computer name and OS version. The malware creates a mutex with a unique ID, which is computed as SHA(GetComputerName() + VolumeID()). As a ransomware marker, it creates a unique file in the root and in each folder.
Maze Encryption Process:
The malware selects files for encryption based on extension. It excludes the following extensions:
It also excludes the following paths:
%windows%, %gaming%, %programdata%, %Tor Browser%, %Local Settings%, %appdata%, etc.
It first creates a key and then exports it to "c:\programdata\data1.tmp". Then it drops the ransom note in each folder before encryption. Later it simply imports the key from this file and calls CryptEncrypt().
It retrieves the drive letters and then determines the type of each drive using GetDriveType(). It then enumerates files using the API calls FindFirstFileA() and FindNextFileA().
It deletes shadow copies by constructing a fake path for wmic and then running the shadow copy deletion by calling CreateProcessW(). It encrypts files using the ChaCha algorithm, and the ChaCha key is encrypted using RSA; for this it uses the Windows crypto APIs. Encrypted files carry the marker '66116166' at the end.
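The shadow copy deletion just described is one of the most reliable detection points for Maze on a host. Below is example detection logic written for this page (not Quick Heal's code and not the malware's own) that runs over constructed process-creation events: it flags a shadow copy deletion command line, a wmic.exe running from anywhere other than its genuine wbem directories, and a parent process launched from C:\Windows\temp, the drop location named in Stage I. The pipe-separated `key=value` layout and the Sysmon-style field names are assumptions made for the example.

```python
"""Detection logic for the shadow-copy deletion step described above: Maze
runs wmic from a fake path and then deletes the shadow copies. Example code
written for this page, not Quick Heal's or the malware's code. The log lines
are constructed to resemble Sysmon process-creation (Event ID 1) fields;
the pipe-separated key=value layout is an assumption made for the example."""
import ntpath
import re

# Constructed sample events: one benign wmic query, one wmic copy run from a
# user temp directory, one genuine wmic used for the same deletion, one benign.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic computersystem get name|ParentImage=C:\\Windows\\explorer.exe
Image=C:\\Users\\victim\\AppData\\Local\\Temp\\wmic.exe|CommandLine=wmic shadowcopy delete|ParentImage=C:\\Windows\\temp\\dropper.exe
Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic shadowcopy delete|ParentImage=C:\\Windows\\temp\\dropper.exe
Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe|ParentImage=C:\\Windows\\explorer.exe
"""

# Directories where the genuine wmic.exe lives on a 64-bit Windows install.
LEGIT_WMIC_DIRS = {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"}
SHADOW_DELETE = re.compile(r"\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)
# The dropper described in Stage I lands in C:\Windows\temp.
WINDOWS_TEMP = "\\windows\\temp\\"


def parse_event(line: str) -> dict:
    """Turn 'k=v|k=v' into a dict; values may themselves contain '='."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def classify(event: dict) -> list:
    """Return the list of reasons this process-creation event is suspicious
    (empty list when it looks benign)."""
    reasons = []
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    if SHADOW_DELETE.search(cmdline):
        reasons.append("shadow_copy_deletion")
    if ntpath.basename(image).lower() == "wmic.exe" \
            and ntpath.dirname(image).lower() not in LEGIT_WMIC_DIRS:
        reasons.append("wmic_from_unexpected_path")
    if WINDOWS_TEMP in parent.lower():
        reasons.append("parent_in_windows_temp")
    return reasons


def detect(log_text: str) -> list:
    """Scan a block of log lines; return (line_number, reasons) for each hit."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = classify(parse_event(line))
        if reasons:
            hits.append((lineno, reasons))
    return hits


if __name__ == "__main__":
    for lineno, reasons in detect(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(reasons)}")
```

The three checks are kept independent so that a genuine wmic.exe driven by a dropper (line 3 of the sample) is still caught by the command line and parent path even though its image path is legitimate.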
It creates a thread for each drive, and each of those threads again calls the create-thread function for each folder, which performs the encryption. Encryption starts from the root of C: or D:, and in parallel it also accesses shared drives using the WNetShareEnum() API. The same encryption function is used for encrypting files on shared drives. The first folder encrypted is "$Recycle Bin".
It calls CreateThread() with the following function for each folder. The file is opened as follows. The file is encrypted by calling CryptEncrypt() and is then renamed by calling MoveFileEx() with the new extension.
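Two on-disk artifacts from the encryption process above are useful for post-incident triage: the '66116166' marker at the end of every encrypted file and the exported key file c:\programdata\data1.tmp. The scanner below is example code written for this page (not Quick Heal's code and not the malware's own). It assumes the marker is stored as the four raw bytes 66 11 61 66; if a sample stores it as ASCII text instead, change `MAZE_TRAILER`. The sample directory it builds is constructed purely to exercise the scanner offline, including the edge cases of a file shorter than the marker and a file that contains the marker somewhere other than its end.

```python
"""File-system triage for the two on-disk artifacts described above: the
'66116166' trailer that Maze leaves at the end of every encrypted file and the
exported key file c:\\programdata\\data1.tmp. Example code written for this
page, not Quick Heal's or the malware's code. Treating the marker as the four
raw bytes 66 11 61 66 is an assumption; adjust MAZE_TRAILER if your sample
stores it differently (for example as ASCII text)."""
import tempfile
from pathlib import Path

MAZE_TRAILER = bytes.fromhex("66116166")   # assumed byte form of '66116166'
KEY_EXPORT_NAME = "data1.tmp"              # dropped under programdata per the text


def has_maze_trailer(path: Path) -> bool:
    """True if the file ends with the marker. Files shorter than the marker
    are never flagged, so tiny files do not raise false positives."""
    size = path.stat().st_size
    if size < len(MAZE_TRAILER):
        return False
    with path.open("rb") as fh:
        fh.seek(size - len(MAZE_TRAILER))
        return fh.read(len(MAZE_TRAILER)) == MAZE_TRAILER


def scan_tree(root) -> dict:
    """Walk root and return sorted, root-relative POSIX-style paths of files
    that carry the trailer and of any data1.tmp key export."""
    root = Path(root)
    encrypted, key_exports = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == KEY_EXPORT_NAME:
            key_exports.append(rel)
        if has_maze_trailer(path):
            encrypted.append(rel)
    return {"encrypted": sorted(encrypted), "key_export": sorted(key_exports)}


def build_sample_tree() -> str:
    """Constructed sample directory for exercising the scanner offline."""
    root = Path(tempfile.mkdtemp(prefix="maze_triage_"))
    (root / "docs").mkdir()
    (root / "programdata").mkdir()
    # an "encrypted" document: arbitrary bytes followed by the trailer
    (root / "docs" / "report.docx").write_bytes(b"\x00ciphertext\xff" + MAZE_TRAILER)
    # an untouched text file
    (root / "docs" / "notes.txt").write_bytes(b"meeting notes\n")
    # a file shorter than the trailer (edge case)
    (root / "docs" / "tiny").write_bytes(b"ab")
    # a file that contains the marker, but not at the end (must not be flagged)
    (root / "docs" / "middle.bin").write_bytes(MAZE_TRAILER + b"tail")
    # the exported key file
    (root / "programdata" / "data1.tmp").write_bytes(b"constructed key blob")
    return str(root)


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Because the scanner reads only the last four bytes of each file, it is cheap enough to run across a whole share; the key-export check is the more decisive indicator, since that file name is specific to this family's workflow.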
Maze malware uses many tactics for anti-analysis:
Prevention measures to stay away from ransomware
Common infection vectors used by Maze ransomware are phishing emails with MS Office attachments and fake/phishing websites laced with exploit kits. Hence, we advise our end users to exercise caution while handling emails from unknown sources, downloading MS Office attachments, enabling macros and clicking on suspicious links.
Indicators of compromise
Subject Matter Expert
Preksha Saxena | Quick Heal Security Labs