Redeeming the Queen: Varonis Investigates Fast-Spreading “SaveTheQueen” Ransomware

A new strain of ransomware encrypts files, appends the ".SaveTheQueen" extension to them, and spreads through the SYSVOL network share on Active Directory domain controllers.

Our customers encountered this malware recently. We present our full analysis, its results and conclusions below.

Detection

One of our customers contacted us after they encountered a new kind of ransomware that added the ".SaveTheQueen" extension to new encrypted files in their environment.

During our investigation, specifically while searching for the source of the infection, we found that the malware was distributed, and its infected victims tracked, through the SYSVOL network share on the customer's domain controller.

SYSVOL is a key folder on every domain controller, used to deliver group policy objects (GPOs) and logon and logoff scripts to domain computers. Its contents are replicated between domain controllers to keep this data in sync across the organization's sites. Writing to SYSVOL requires high domain privileges; however, once compromised, this share becomes a powerful tool for attackers, who can use it to spread a malicious payload across the domain quickly and efficiently.

The Varonis audit chain helped quickly identify the following:

  • The infected user account was creating a file named "hourly" in SYSVOL
  • Many log files were created in SYSVOL - each named after a domain device
  • Many different IP addresses were accessing the "hourly" file

We concluded that the log files were used to monitor the progress of the infection on new devices, and that "hourly" is a scheduled job that ran the malicious payload on new devices using a PowerShell script (samples "v3" and "v4").

It is likely that the attacker obtained and used domain administrator privileges to write files to SYSVOL. On the infected hosts, the attacker ran PowerShell code that created a scheduled job to open, decrypt, and run the malware.
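The three signals the audit chain surfaced (an account creating a non-policy file in SYSVOL, many source IPs reading it, and per-host log files appearing next to it) can be checked mechanically over file-access audit events. The script below is an added example and is not Varonis code: the event tuples, the share path, the user and host names and the thresholds are all constructed assumptions, and the "skip anything under \Policies\" rule is a simplification that leaves GPO changes to your GPO monitoring.

```python
"""Triage of SYSVOL file-access audit events for the spreading pattern
described above. Added example, not Varonis code; all data is constructed.
"""
from collections import defaultdict

# Constructed audit events: (action, user, source_ip, path)
SAMPLE_EVENTS = [
    ("create", r"CORP\jdoe",    "10.0.0.5",   r"\\DC01\SYSVOL\corp.local\scripts\hourly"),
    ("read",   r"CORP\jdoe",    "10.0.0.5",   r"\\DC01\SYSVOL\corp.local\scripts\hourly"),
    ("read",   r"CORP\WS-001$", "10.0.1.10",  r"\\DC01\SYSVOL\corp.local\scripts\hourly"),
    ("read",   r"CORP\WS-002$", "10.0.1.11",  r"\\DC01\SYSVOL\corp.local\scripts\hourly"),
    ("read",   r"CORP\WS-003$", "10.0.1.12",  r"\\DC01\SYSVOL\corp.local\scripts\hourly"),
    ("read",   r"CORP\WS-004$", "10.0.1.13",  r"\\DC01\SYSVOL\corp.local\scripts\hourly"),
    ("create", r"CORP\jdoe",    "10.0.1.10",  r"\\DC01\SYSVOL\corp.local\scripts\WS-001.log"),
    ("create", r"CORP\jdoe",    "10.0.1.11",  r"\\DC01\SYSVOL\corp.local\scripts\WS-002.log"),
    ("create", r"CORP\jdoe",    "10.0.1.12",  r"\\DC01\SYSVOL\corp.local\scripts\WS-003.log"),
    # Normal GPO traffic and an unrelated share: neither should fire.
    ("read",   r"CORP\WS-001$", "10.0.1.10",  r"\\DC01\SYSVOL\corp.local\Policies\{GUID}\GPT.INI"),
    ("read",   r"CORP\alice",   "10.0.2.7",   r"\\FS01\Share\notes.txt"),
]

# Assumed inventory of domain computer names (constructed).
KNOWN_HOSTS = {"WS-001", "WS-002", "WS-003", "WS-004"}


def _sysvol_name(path):
    """File name if the path is under SYSVOL but outside the Policies tree, else None."""
    p = path.replace("/", "\\")
    low = p.lower()
    if "\\sysvol\\" not in low or "\\policies\\" in low:
        return None
    return p.rsplit("\\", 1)[-1]


def triage_sysvol(events, known_hosts=KNOWN_HOSTS, min_reader_ips=3, min_host_logs=2):
    """Return the three findings from the investigation as a dict:

    created   - non-policy files created in SYSVOL and who created them
    fan_in    - SYSVOL files read from at least min_reader_ips distinct IPs
    host_logs - created files whose stem is a domain computer name
    """
    hosts_upper = {h.upper() for h in known_hosts}
    creators = defaultdict(set)     # file -> users who created it
    reader_ips = defaultdict(set)   # file -> distinct source IPs reading it
    host_logs = []                  # files named after a domain computer
    for action, user, ip, path in events:
        name = _sysvol_name(path)
        if name is None:
            continue
        if action == "create":
            creators[name].add(user)
            if name.rsplit(".", 1)[0].upper() in hosts_upper:
                host_logs.append(name)
        elif action == "read":
            reader_ips[name].add(ip)
    return {
        "created": {f: sorted(u) for f, u in creators.items()},
        "fan_in": {f: sorted(ips) for f, ips in reader_ips.items()
                   if len(ips) >= min_reader_ips},
        "host_logs": sorted(host_logs) if len(host_logs) >= min_host_logs else [],
    }


if __name__ == "__main__":
    for key, value in triage_sysvol(SAMPLE_EVENTS).items():
        print(key, value)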

Malware decryption

We tried several ways to decrypt the samples, to no avail.

We were almost ready to give up when we decided to try the "Magic" operation of GCHQ's excellent CyberChef utility. "Magic" tries to guess how a file is encoded or encrypted by brute-forcing passwords for different types of encryption and measuring the entropy of the result.

Translator's note: see Differential entropy and Entropy in information theory. This article and its comments do not provide for discussion by the authors of the details of the methods used, whether in third-party or proprietary software.
Magic determined that the file was a base64-encoded GZip stream, so we were able to decompress it and find the code to be injected, the "injector".
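The unwrapping that Magic performed, base64 first and then GZip, guided by entropy, is easy to reproduce for triage when a sample arrives in the same wrapping. The script below is an added example, not Varonis or CyberChef code: `SAMPLE_BLOB` is constructed here from a stand-in payload and is not the real dropper, and the layer order it reports is whatever the sample actually contains.

```python
"""Peeling base64 and GZip layers the way CyberChef's "Magic" recipe does.
Added example, not Varonis or CyberChef code; the sample blob is constructed.
"""
import base64
import binascii
import gzip
import math
from collections import Counter

GZIP_MAGIC = b"\x1f\x8b"


def shannon_entropy(data):
    """Bits per byte: ~0 for repetitive data, up to 8.0 for random or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _strict_b64(data):
    """Decode only if every character is in the base64 alphabet and padding is right."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def unwrap(blob, max_layers=6):
    """Repeatedly strip base64 and gzip layers from blob.

    Returns (layers, payload, entropies): the encodings removed in order, the
    innermost bytes, and the entropy measured before and after each step.
    """
    layers, entropies = [], [shannon_entropy(blob)]
    cur = blob
    for _ in range(max_layers):
        if cur.startswith(GZIP_MAGIC):
            try:
                cur = gzip.decompress(cur)
            except OSError:          # truncated or corrupt gzip stream
                break
            layers.append("gzip")
        else:
            compact = b"".join(cur.split())      # base64 is often line-wrapped
            decoded = _strict_b64(compact) if compact else None
            if decoded is None:
                break                            # not base64: innermost layer reached
            cur = decoded
            layers.append("base64")
        entropies.append(shannon_entropy(cur))
    return layers, cur, entropies


# Constructed stand-in for the dropper: plaintext -> gzip -> base64, wrapped at 64 columns.
INNER = b"CONSTRUCTED-SAMPLE: stands in for the .NET injector, not the real file\x00" * 4
_b64 = base64.b64encode(gzip.compress(INNER))
SAMPLE_BLOB = b"\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))


if __name__ == "__main__":
    layers, payload, ent = unwrap(SAMPLE_BLOB)
    print("layers removed:", layers)
    print("entropy per step:", [round(e, 2) for e in ent])
    print("payload starts with:", payload[:40])
```

The entropy trail is the useful diagnostic: base64 text sits well below 6 bits per byte, the GZip stream underneath is close to 8, and the plaintext or PE underneath that drops again, which is exactly the pattern Magic scores when it ranks candidate decodings.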

Dropper: "There's an epidemic in the area! Mass vaccination. Foot-and-mouth disease."

The dropper was an ordinary .NET file without any protection. After reading its source code with dnSpy, we realized that its only purpose was to inject shellcode into the winlogon.exe process.

Shellcode or simple complexities

We used Hexacorn's shellcode2exe tool to "compile" the shellcode into an executable file for debugging and analysis. We then found that it worked on both 32-bit and 64-bit machines.

Writing even simple shellcode in native assembly can be difficult, but writing full shellcode that works on both kinds of systems requires elite skills, so we began to marvel at the attacker's sophistication.

When we analyzed the compiled shellcode with x64dbg, we noticed that it loaded .NET dynamic libraries such as clr.dll and mscoreei.dll. This seemed strange to us: attackers usually try to keep shellcode as small as possible by calling native OS functions directly rather than loading libraries. Why would anyone embed Windows functionality into the shellcode instead of calling it directly on demand?

As it turned out, the malware author did not write this complex shellcode at all: they used dedicated software that converts executable files and scripts into shellcode.

We found the tool Donut, which we thought could have produced similar shellcode. Here is its description from GitHub:

Donut generates x86 or x64 shellcode from VBScript, JScript, EXE and DLL files (including .NET assemblies). This shellcode can be injected into an arbitrary Windows process for in-memory execution.

To confirm our theory, we compiled our own code with Donut and compared it to the sample, and yes, we had found another component of the toolkit used. After that, we were able to extract and analyze the original .NET executable.

Code protection

This file had been obfuscated with ConfuserEx:

ConfuserEx is an open-source .NET project for protecting developers' code. This class of software lets developers protect their code from reverse engineering using techniques such as symbol renaming, control-flow obfuscation, and hiding method references. Malware authors use obfuscators to avoid detection and to make reverse engineering more difficult.

Thanks to ElektroKill's unpacker, we unpacked the code:

Bottom line - payload

The resulting payload is a very simple piece of ransomware. There is no persistence mechanism and no connection to a command and control server, just good old asymmetric encryption to make the victim's data unreadable.

The main function takes the following strings as parameters:

  • File extension to use after encryption (SaveTheQueen)
  • Author's email to put in ransom note file
  • Public key used to encrypt files

The process itself looks like this:

  1. The malware examines local and mapped drives on the victim's device
  2. Looks for files to encrypt
  3. Attempts to terminate any process that is using a file it is about to encrypt
  4. Renames the file to "Original_file_name.SaveTheQueenING" using the MoveFile function and encrypts it
  5. After the file is encrypted with the author's public key, the malware renames it again, now to "Original_file_name.SaveTheQueen"
  6. Writes a ransom note to the same folder

Based on the use of the CreateDecryptor function, one of the malware's functions appears to contain a decryption routine, which requires the private key as a parameter.
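The two-step rename in the process above (original name to ".SaveTheQueenING" while encrypting, then to ".SaveTheQueen" when done) is a concrete observable for endpoint file-operation telemetry. The script below is an added example, not Varonis code: it follows that sequence per process over constructed rename events; the extensions are from this write-up, while the PIDs, paths and thresholds are assumptions.

```python
"""Stateful detection of the original -> .SaveTheQueenING -> .SaveTheQueen
rename sequence. Added example, not Varonis code; telemetry is constructed.
"""
from collections import defaultdict

STAGING_EXT = ".savethequeening"   # temporary name while a file is being encrypted
FINAL_EXT = ".savethequeen"        # name after encryption finishes

# Constructed file-operation telemetry: (pid, op, src_path, dst_path)
SAMPLE_OPS = [
    (4242, "rename", r"C:\Users\bob\Documents\report.docx",
                     r"C:\Users\bob\Documents\report.docx.SaveTheQueenING"),
    (4242, "rename", r"C:\Users\bob\Documents\report.docx.SaveTheQueenING",
                     r"C:\Users\bob\Documents\report.docx.SaveTheQueen"),
    (4242, "rename", r"C:\Users\bob\Documents\budget.xlsx",
                     r"C:\Users\bob\Documents\budget.xlsx.SaveTheQueenING"),
    (4242, "rename", r"C:\Users\bob\Documents\budget.xlsx.SaveTheQueenING",
                     r"C:\Users\bob\Documents\budget.xlsx.SaveTheQueen"),
    # Unrelated rename by another process: must not be counted.
    (5150, "rename", r"C:\Users\bob\Downloads\setup.tmp",
                     r"C:\Users\bob\Downloads\setup.exe"),
    # A staging rename that never completed (e.g. the process was killed).
    (4242, "rename", r"C:\Users\bob\Documents\notes.txt",
                     r"C:\Users\bob\Documents\notes.txt.SaveTheQueenING"),
]


def _strip_ext(path, ext):
    """Path without the case-insensitive suffix ext, or None if it is absent."""
    if path.lower().endswith(ext):
        return path[:-len(ext)]
    return None


def track_renames(ops):
    """Follow each process's two-step renames.

    Returns {pid: {"completed": [original paths], "in_progress": [original paths]}}.
    """
    state = defaultdict(lambda: {"completed": set(), "in_progress": set()})
    for pid, op, src, dst in ops:
        if op != "rename":
            continue
        staged = _strip_ext(dst, STAGING_EXT)
        if staged is not None:                      # step 4: original -> .SaveTheQueenING
            state[pid]["in_progress"].add(staged)
            continue
        done = _strip_ext(dst, FINAL_EXT)
        if done is not None and _strip_ext(src, STAGING_EXT) == done:
            s = state[pid]                          # step 5: .SaveTheQueenING -> .SaveTheQueen
            if done in s["in_progress"]:
                s["in_progress"].discard(done)
                s["completed"].add(done)
    return {pid: {k: sorted(v) for k, v in s.items()} for pid, s in state.items()}


def suspicious_pids(ops, min_completed=2):
    """PIDs that completed the full two-step rename on at least min_completed files."""
    return sorted(pid for pid, s in track_renames(ops).items()
                  if len(s["completed"]) >= min_completed)


if __name__ == "__main__":
    for pid, s in track_renames(SAMPLE_OPS).items():
        print(pid, s)
    print("suspicious:", suspicious_pids(SAMPLE_OPS))
```

Requiring the full sequence per process, rather than alerting on the first ".SaveTheQueenING" rename, keeps the rule specific; the "in_progress" list is still worth surfacing during response, since those files were renamed but not yet encrypted when the process stopped.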

The ransomware does NOT encrypt files stored in the following directories:

  • C:\Windows
  • C:\Program Files
  • C:\Program Files (x86)
  • C:\Users\AppData
  • C:\inetpub

It also does NOT encrypt files of the following types: EXE, DLL, MSI, ISO, SYS, CAB.

Results and conclusions

Even though the ransomware itself did not contain any unusual features, the attacker creatively used Active Directory to spread the dropper, and the malware itself presented us with interesting, if ultimately not difficult, obstacles during analysis.

We think that the author of the malware:

  1. Wrote ransomware with built-in injection into the winlogon.exe process, as well as file encryption and decryption functionality
  2. Obfuscated the malicious code with ConfuserEx, converted the result with Donut, and additionally hid it in a base64-encoded GZip dropper
  3. Gained elevated privileges in the victim's domain and used them to copy the encrypted malware and scheduled tasks to the SYSVOL network folder of the domain controllers
  4. Ran a PowerShell script on domain devices to spread the malware and log the attack's progress to log files in SYSVOL

If you have any questions about this ransomware variant, or about any other forensic and cybersecurity investigations carried out by our teams, contact us or request a live demonstration of attack response, where we always answer questions as part of a Q&A session.

Source: habr.com
