A new strain of ransomware encrypts files, appends the ".SaveTheQueen" extension to them, and spreads through the SYSVOL network share on Active Directory domain controllers.
Our customers encountered this malware recently. Our full analysis, its results and our conclusions follow.
Detection
One of our customers contacted us after they encountered a new kind of ransomware that added the ".SaveTheQueen" extension to new encrypted files in their environment.
During the investigation, specifically while looking for the source of the infection, we found that distribution of the malware and tracking of infected victims were both carried out through the SYSVOL share on the customer's domain controller.
SYSVOL is a key folder on every domain controller, used to deliver Group Policy Objects (GPOs) and logon/logoff scripts to domain computers. Its contents are replicated between domain controllers (by DFS Replication on current domains) so that the data stays in sync across the organization's sites. Writing to SYSVOL requires elevated domain privileges, but once those are compromised, SYSVOL becomes a powerful tool for an attacker, who can use it to push a malicious payload across the whole domain quickly and efficiently, because every domain-joined machine already reads from it.
The Varonis audit trail quickly helped identify the following:
- The infected user account was creating a file named "hourly" in SYSVOL
- Many log files were created in SYSVOL, each named after a domain device
- Many different IP addresses were accessing the "hourly" file
We concluded that the log files were used to track the progress of the infection on new devices, and that "hourly" is a scheduled job that ran the malicious payload on new devices via a PowerShell script (samples "v3" and "v4").
The attacker most likely obtained domain administrator privileges and used them to write files to SYSVOL. On the infected hosts, the PowerShell code run by the attacker created a scheduled job that opened, decoded and ran the malware.
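The three indicators above can be checked mechanically against file-access audit data rather than found by eye. The following added example (written for this page; it is not Varonis code and not from the original write-up) runs that logic over a constructed set of audit records in a simple "timestamp,account,source_ip,operation,unc_path" shape. The domain name, hosts, accounts, IP addresses and the thresholds are assumptions for the illustration; a real source such as Windows event 5145 or a Varonis export would need a short adapter to this shape.

```python
"""Hunting the SYSVOL abuse pattern in file-access audit records.

Added example for this page (not Varonis code). Audit records are modelled
as 'timestamp,account,source_ip,operation,unc_path' lines; the records
below are constructed for the illustration.
"""
import re
from collections import defaultdict

# Constructed sample: one account drops "hourly", then domain computers
# read it and each creates a .log file named after itself.
SAMPLE_AUDIT = """\
2019-12-02T01:00:03Z,CORP\\svc_backup,10.0.5.14,create,\\\\dc01\\SYSVOL\\corp.local\\scripts\\hourly
2019-12-02T01:00:04Z,CORP\\svc_backup,10.0.5.14,write,\\\\dc01\\SYSVOL\\corp.local\\scripts\\hourly
2019-12-02T01:03:10Z,CORP\\WS001$,10.0.7.21,read,\\\\dc01\\SYSVOL\\corp.local\\scripts\\hourly
2019-12-02T01:03:11Z,CORP\\WS001$,10.0.7.21,create,\\\\dc01\\SYSVOL\\corp.local\\scripts\\WS001.log
2019-12-02T01:03:40Z,CORP\\WS002$,10.0.7.22,read,\\\\dc01\\SYSVOL\\corp.local\\scripts\\hourly
2019-12-02T01:03:41Z,CORP\\WS002$,10.0.7.22,create,\\\\dc01\\SYSVOL\\corp.local\\scripts\\WS002.log
2019-12-02T01:04:02Z,CORP\\SRV-FILE$,10.0.9.5,read,\\\\dc01\\SYSVOL\\corp.local\\scripts\\hourly
2019-12-02T01:04:03Z,CORP\\SRV-FILE$,10.0.9.5,create,\\\\dc01\\SYSVOL\\corp.local\\scripts\\SRV-FILE.log
2019-12-02T01:05:30Z,CORP\\WS017$,10.0.7.37,read,\\\\dc01\\SYSVOL\\corp.local\\scripts\\hourly
2019-12-02T01:05:31Z,CORP\\WS017$,10.0.7.37,create,\\\\dc01\\SYSVOL\\corp.local\\scripts\\WS017.log
2019-12-02T01:10:00Z,CORP\\gpoadmin,10.0.5.2,write,\\\\dc01\\SYSVOL\\corp.local\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\GPT.INI
2019-12-02T01:11:00Z,CORP\\gpoadmin,10.0.5.2,create,\\\\dc01\\SYSVOL\\corp.local\\scripts\\logon.bat
"""

# Path inside SYSVOL after the domain name: \\dc\SYSVOL\<domain>\<rel>
SYSVOL_RE = re.compile(r"\\sysvol\\[^\\]+\\(.+)$", re.IGNORECASE)
# What legitimately lives there: GPO folders named by GUID and logon scripts.
EXPECTED_RE = re.compile(
    r"^(policies\\\{[0-9a-f-]{36}\}\\.*|scripts\\[^\\]+\.(bat|cmd|vbs|ps1))$",
    re.IGNORECASE,
)


def parse_records(text):
    """Parse the constructed audit format into dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, account, ip, op, path = line.split(",", 4)
        records.append({"ts": ts, "account": account, "ip": ip, "op": op, "path": path})
    return records


def sysvol_relpath(path):
    """Lower-cased path relative to the SYSVOL domain folder, or None if not in SYSVOL."""
    m = SYSVOL_RE.search(path)
    return m.group(1).lower() if m else None


def unexpected_creations(records):
    """Indicator 1: files created in SYSVOL that are neither GPO content nor scripts."""
    hits = set()
    for r in records:
        rel = sysvol_relpath(r["path"])
        if r["op"] == "create" and rel and not EXPECTED_RE.match(rel):
            hits.add((r["account"], rel))
    return sorted(hits)


def per_host_logs(records):
    """Indicator 2: .log files in SYSVOL named after the computer account that created them."""
    logs = []
    for r in records:
        rel = sysvol_relpath(r["path"])
        if r["op"] == "create" and rel and rel.endswith(".log"):
            host = r["account"].split("\\")[-1].rstrip("$").lower()
            if rel.rsplit("\\", 1)[-1] == host + ".log":
                logs.append(rel)
    return sorted(logs)


def readers_per_file(records):
    """Indicator 3: distinct source IPs that read each SYSVOL file."""
    readers = defaultdict(set)
    for r in records:
        rel = sysvol_relpath(r["path"])
        if rel and r["op"] == "read":
            readers[rel].add(r["ip"])
    return readers


def hunt(records, log_threshold=3, reader_threshold=3):
    """Combine the three indicators; the thresholds are assumptions for the sample."""
    findings = {}
    created = unexpected_creations(records)
    if created:
        findings["unexpected_files"] = created
    logs = per_host_logs(records)
    if len(logs) >= log_threshold:
        findings["per_host_logs"] = logs
    for rel, ips in readers_per_file(records).items():
        if len(ips) >= reader_threshold:
            findings.setdefault("widely_read", {})[rel] = len(ips)
    return findings


if __name__ == "__main__":
    for key, value in hunt(parse_records(SAMPLE_AUDIT)).items():
        print(key, value)
```

The "expected content" rule is deliberately narrow: anything written to SYSVOL that is not a GPO folder or a logon script is worth a look, and a file with no extension (like "hourly") or a .log file named after a workstation should never appear there. Tune the thresholds to the size of the domain; in the real incident the reader count was in the hundreds.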
Unpacking the malware
We tried several ways to unpack the samples, to no avail:
We were almost ready to give up when we decided to try the "Magic" operation of the magnificent
Magic determined that the sample was a base64-encoded GZip package, so we were able to decompress it and reach the embedded code: the "injector".
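As an added example (not the authors' tooling and not code from the original write-up), here is what that layer peeling looks like in code: each layer is recognised from its magic bytes or its alphabet and stripped until a PE file appears. The "sample" is constructed inside the block, a fake PE skeleton that is gzipped and then base64-encoded with line breaks, so nothing here is the real dropper.

```python
"""Peeling the dropper's packing layers.

Added example for this page, not the authors' tooling. The sample is
constructed here: a fake PE skeleton, gzipped, then base64-encoded with
line breaks, which is the layering found in the real dropper.
"""
import base64
import binascii
import gzip
import re

BASE64_RE = re.compile(rb"^[A-Za-z0-9+/\s]+={0,2}\s*$")


def looks_like_pe(blob):
    """MZ header whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detect_layer(blob):
    """Guess the outermost layer from magic bytes, falling back to an alphabet check."""
    if looks_like_pe(blob):
        return "pe"
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    if blob[:2] == b"PK":
        return "zip"
    if len(blob) >= 16 and BASE64_RE.match(blob):
        return "base64"
    return "unknown"


def peel(blob, max_layers=8):
    """Strip base64/gzip layers until a PE (or something we cannot name) is reached.

    Returns (layer names, outermost first; innermost bytes).
    """
    layers = []
    for _ in range(max_layers):
        kind = detect_layer(blob)
        layers.append(kind)
        if kind == "base64":
            try:
                blob = base64.b64decode(blob)   # non-alphabet bytes (newlines) are dropped
            except binascii.Error:
                layers[-1] = "unknown"
                break
        elif kind == "gzip":
            try:
                blob = gzip.decompress(blob)
            except (OSError, EOFError):
                layers[-1] = "unknown"
                break
        else:
            break
    return layers, blob


def fake_pe():
    """Constructed stand-in for the .NET injector: a minimal, non-executable PE skeleton."""
    stub = b"This program cannot be run in DOS mode.\r\n$"
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x40 + len(stub)).to_bytes(4, "little")
    return bytes(header) + stub + b"PE\x00\x00" + b"\x00" * 20


def build_sample(extra_base64=False):
    """Pack fake_pe() the way the dropper was packed: gzip, then base64 in 76-char lines.

    extra_base64=True wraps the result in one more base64 layer, to show the
    loop handles arbitrary nesting.
    """
    b64 = base64.b64encode(gzip.compress(fake_pe()))
    packed = b"\n".join(b64[i:i + 76] for i in range(0, len(b64), 76)) + b"\n"
    return base64.b64encode(packed) if extra_base64 else packed


if __name__ == "__main__":
    layers, inner = peel(build_sample())
    print(layers, looks_like_pe(inner))
```

The PE check validates e_lfanew rather than just the "MZ" prefix, because a base64 blob can legitimately start with the letters "MZ"; a real toolchain would go on to confirm the CLI header before handing the result to a .NET decompiler.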
Dropper: "There's an epidemic in the area! Everyone gets vaccinated. Foot-and-mouth disease"
The dropper was an ordinary .NET file without any protection. After reading its source code with
Shellcode or simple complexities
We used the Hexacorn authoring tool −
Writing even simple shellcode in native assembly can be hard, and writing complete shellcode that runs on both x86 and x64 takes serious skill, so we began to marvel at the attacker's sophistication.
When we parsed the compiled shellcode with
As it turned out, the malware author did not write this complex shellcode at all: they used dedicated software that converts executables and scripts into shellcode.
We found the tool: Donut generates x86 or x64 shellcode from VBScript, JScript, EXE and DLL files (including .NET assemblies). That shellcode can be injected into any Windows process and executed in memory.
To confirm our theory, we converted our own code with Donut and compared it to the sample, and yes, we had found another component of the attacker's toolkit. After that we were able to extract and analyze the original .NET executable.
Code protection
This file had been obfuscated with ConfuserEx, an open-source .NET protector. Software of this class lets developers protect their code from reverse engineering with techniques such as symbol renaming, control-flow obfuscation and hiding of method references. Malware authors use obfuscators to evade detection and to make reverse engineering harder.
Bottom line: the payload
The resulting payload is very simple ransomware: no persistence mechanism, no command-and-control communication, just good old asymmetric encryption to make the victim's data unreadable.
The main function takes the following strings as parameters:
- The file extension to append after encryption (SaveTheQueen)
- The author's e-mail address to put in the ransom note
- The public key used to encrypt files
The process itself looks like this:
- The malware enumerates the local and mapped drives on the victim's device
- It looks for files to encrypt
- It attempts to terminate any process that has the file it is about to encrypt open
- It renames the file to "Original_file_name.SaveTheQueenING" using the MoveFile function and encrypts it
- Once the file has been encrypted with the author's public key, it renames the file again, this time to "Original_file_name.SaveTheQueen"
- It writes a ransom note into the same folder
Judging by the use of the .NET "CreateDecryptor" method, one of the malware's functions appears to be a decryption routine that takes the private key as a parameter. Note that CreateDecryptor belongs to the .NET SymmetricAlgorithm classes (AES and its relatives), not to the RSA classes, so the file contents are presumably handled by a symmetric cipher whose key is protected with the author's public key, the usual hybrid design; this is an inference from the API rather than a traced code path.
The ransomware does NOT encrypt files stored in the following directories:
- C:\Windows
- C:\Program Files
- C:\Program Files (x86)
- C:\Users\<username>\AppData (any user's AppData folder)
- C:\inetpub
It also does NOT encrypt files of the following types: EXE, DLL, MSI, ISO, SYS, CAB.
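The selection rules and the two-step rename give an incident responder a cheap way to scope an infection from a plain directory listing. The following added example (written for this page; it is not the malware's code) encodes the exclusion list and the two marker extensions and classifies Windows paths, so it can run on an analyst's Linux box against a "dir /s /b" export. The AppData rule is read as "any user's AppData folder", the drive letters and paths in the listing are constructed, and the ransom note is not classified because its file name is not given above.

```python
"""Scoping a SaveTheQueen infection from a directory listing.

Added example for this page; it is not the malware's code. It encodes the
exclusion rules and the two rename states described above and classifies
Windows paths, so it can be run on Linux against a 'dir /s /b' export. The
AppData rule is read as "any user's AppData folder"; the listing below is
constructed.
"""
import ntpath
import re
from collections import Counter

EXT_ENCRYPTED = ".savethequeen"       # final name after encryption
EXT_IN_PROGRESS = ".savethequeening"  # name while encryption was running
SKIPPED_EXTS = {".exe", ".dll", ".msi", ".iso", ".sys", ".cab"}
SKIPPED_DIRS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)", r"c:\inetpub")
APPDATA_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata(\\|$)")

# Constructed listing, not real victim data.
SAMPLE_LISTING = r"""
C:\Windows\System32\notepad.exe
C:\Users\alice\AppData\Roaming\app\settings.json
C:\Users\alice\Documents\report.docx.SaveTheQueen
C:\Users\alice\Documents\budget.xlsx.SaveTheQueenING
C:\Users\alice\Documents\setup.msi
C:\Users\alice\Pictures\holiday.jpg
Z:\finance\2019\q4.pdf.SaveTheQueen
C:\inetpub\wwwroot\index.html
""".strip().splitlines()


def norm(path):
    """Lower-case, backslash-normalised form so rules can be compared as prefixes."""
    return ntpath.normcase(ntpath.normpath(path))


def in_skipped_dir(path):
    """True if the path is under one of the directories the payload leaves alone."""
    p = norm(path)
    if APPDATA_RE.match(p):
        return True
    return any(p == d or p.startswith(d + "\\") for d in SKIPPED_DIRS)


def classify(path):
    """What the payload did (or would do) with this path."""
    p = norm(path)
    if p.endswith(EXT_IN_PROGRESS):
        return "in_progress"   # renamed, but encryption did not complete
    if p.endswith(EXT_ENCRYPTED):
        return "encrypted"
    if in_skipped_dir(p):
        return "skipped_dir"
    if ntpath.splitext(p)[1] in SKIPPED_EXTS:
        return "skipped_ext"
    return "candidate"         # in scope but still carrying its original name


def original_name(path):
    """Strip either marker extension to recover the pre-attack file name."""
    low = path.lower()
    for ext in (EXT_IN_PROGRESS, EXT_ENCRYPTED):
        if low.endswith(ext):
            return path[:-len(ext)]
    return path


def summarize(paths):
    """Count paths per class; a quick picture of what the run reached."""
    return Counter(classify(p) for p in paths)


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LISTING)))
    for p in SAMPLE_LISTING:
        if classify(p) == "in_progress":
            print("check before restore:", original_name(p))
```

A file still carrying .SaveTheQueenING is one the malware had renamed but had not finished encrypting, for instance because the process was killed mid-run, so those files deserve a separate look before anything is restored or deleted. "candidate" files with their original names either were not reached or appeared after the run, which helps bound the time window of the attack.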
Results and conclusions
Although the ransomware itself contained nothing unusual, the attacker made creative use of Active Directory to spread the dropper, and the malware presented us with interesting, if ultimately not difficult, obstacles during analysis.
We believe the malware author:
- Wrote ransomware with built-in injection into the winlogon.exe process, plus file encryption and decryption functionality
- Obfuscated the code with ConfuserEx, converted the result to shellcode with Donut, and wrapped it further in a base64-encoded GZip dropper
- Gained elevated privileges in the victim's domain and used them to copy the packed malware and the scheduled tasks to the SYSVOL share on the domain controllers
- Ran a PowerShell script on domain devices to spread the malware and to log the attack's progress to SYSVOL
Source: habr.com