A new ransomware family, Nemty, has appeared in the wild; it is believed to be a successor to GandCrab or Buran. The malware is distributed mainly from a fake PayPal site and has a number of interesting features. Details of how this ransomware operates follow below.

The new Nemty ransomware was discovered by a user on September 7, 2019. The malware was distributed through a website; it is also possible for the ransomware to reach the computer through the RIG exploit kit. The attackers used social engineering to get the user to run the cashback.exe file, which the user supposedly receives from the PayPal website. Curiously, Nemty uses the wrong port for the local Tor proxy service, which prevents the malware from sending data to its server. The user therefore has to upload the encrypted files to the Tor service manually if they intend to pay the ransom and wait for decryption from the attackers.
A few interesting facts about Nemty suggest that it was developed by the same people, or by cybercriminals associated with Buran and GandCrab.
- Like GandCrab, Nemty has an Easter egg — a link to a photo of Russian President Vladimir Putin with a foul joke. The outdated GandCrab ransomware had an image with the same text.
- The language artifacts of both programs point to the same Russian-speaking authors.
- It is the first encryptor to use an 8192-bit RSA key, although there is no point in this: a 1024-bit key is quite enough to protect against key recovery.
- Like Buran, the ransomware is written in Object Pascal and compiled in Borland Delphi.
Static Analysis
The malicious code executes in four stages. The first stage is launching cashback.exe, a PE32 executable for MS Windows, 1198936 bytes in size. Its code is written in Visual C++ and was compiled on October 14, 2013. It contains an archive that is unpacked automatically when cashback.exe is launched. The program uses the Cabinet.dll library and its FDICreate(), FDIDestroy() and other functions to extract files from the .cab archive.


SHA-256: A127323192ABED93AED53648D03CA84DE3B5B006B641033EB46A520B7A3C16FC
After unpacking the archive, three files will appear.

Next, temp.exe, a PE32 executable for MS Windows, is launched. The file size is 307200 bytes. The code is written in Visual C++ and packed with the MPRESS packer, a packer similar to UPX.

SHA-256: EBDBA4B1D1DE65A1C6B14012B674E7FA7F8C5F5A8A5A2A9C3C338F02DD726AAD
The next stage is ironman.exe. When run, temp.exe decrypts its embedded data into the file temp and renames it to ironman.exe, a PE32 executable of 544768 bytes. The code was compiled in Borland Delphi.
SHA-256: 2C41B93ADD9AC5080A12BF93966470F8AB3BDE003001492A10F63758867F2A88
The last stage is a second run of ironman.exe. At runtime it transforms its own code and runs itself from memory. This version of ironman.exe is the malicious one and is responsible for the encryption.
Attack vector
At the moment, the Nemty ransomware is distributed through the pp-back.info website.

The full infection chain can be viewed in the sandbox report.
Installation
Cashback.exe: the beginning of the attack. As already mentioned, cashback.exe unpacks the .cab file it contains. It then creates a TMP4351$.TMP folder of the form %TEMP%\IXPxxx.TMP, where xxx is a number between 001 and 999.


Next, a registry key is set that looks like this:
[HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0]
"rundll32.exe" "C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\MALWAR~1\AppData\Local\Temp\IXPxxx.TMP""
It is used to delete unpacked files. Finally, cashback.exe starts the temp.exe process.

Temp.exe: the second stage in the infection chain
This process is launched by cashback.exe and is the second step of the malware's execution. It attempts to download AutoHotKey, a tool for running scripts under Windows, and to run the WindowSpy.ahk script located in the resource section of the PE file.

The WindowSpy.ahk script decrypts the temp file into ironman.exe using the RC4 algorithm with the password IwantAcake; the RC4 key is derived from the password with the MD5 hash function.
temp.exe then starts the ironman.exe process.
Ironman.exe: the third step
Ironman.exe reads the contents of the iron.bmp file and creates the iron.txt file, which contains the encryptor that runs next.


The virus then loads iron.txt into memory and restarts it as ironman.exe. After that, iron.txt is deleted.
ironman.exe is the main part of the NEMTY ransomware, which encrypts files on the affected computer. The malware creates a mutex called hate.

First of all, it determines the geographical location of the computer. Nemty opens the browser and looks up the external IP address on (the service name is missing from the page), then resolves the country through the Online [IP]/countryName endpoint. If the computer is located in one of the regions listed below, execution of the malware stops:
- United States of America
- Belarus
- Ukraine
- Kazakhstan
- Tajikistan
Most likely, the developers do not want to attract the attention of law enforcement agencies in their countries of residence, and therefore do not encrypt files in their “native” jurisdictions.
If the victim's IP address does not belong to the list above, then the virus encrypts the user's information.

To prevent file recovery, their shadow copies are deleted:

It then creates a list of files and folders that will not be encrypted, as well as a list of file extensions.
- windows
- $RECYCLE.BIN
- rsa
- NTDETECT.COM
- ntldr
- MSDOS.SYS
- IO.SYS
- boot.ini
- AUTOEXEC.BAT
- ntuser.dat
- desktop.ini
- CONFIG.SYS
- BOOTSECT.BAK
- Bootmgr
- programdata
- appdata
- osoft
- Common Files
Excluded extensions: log, LOG, CAB, cab, CMD, cmd, COM, com, cpl, CPL, exe, EXE, ini, INI, dll, DDL, lnk, LNK, url, URL, ttf, TTF, DECRYPT.txt, NEMTY
Obfuscation
To hide URLs and embedded configuration data, Nemty uses base64 encoding combined with RC4 encryption under the passphrase fuckav.

The decoding process, which uses CryptStringToBinary for the base64 step, looks as follows:

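As an added example (not code from the original article, and not the malware's own code), a small Python decoder covering both RC4 uses described on this page: the stage-2 unpacking of ironman.exe with an MD5-derived key from the password IwantAcake, and the base64-plus-RC4 string obfuscation with the passphrase fuckav. The page does not say how the fuckav passphrase becomes the RC4 key, so using the raw passphrase bytes is an assumption; the sample blob is constructed inline so the decoder can be exercised offline.

```python
import base64
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def ironman_key(password: str = "IwantAcake") -> bytes:
    # Stage 2 (WindowSpy.ahk): the RC4 key is the MD5 digest of the password, as the page states.
    return hashlib.md5(password.encode()).digest()


def decrypt_ironman(blob: bytes) -> bytes:
    """Recover ironman.exe from the RC4-encrypted 'temp' file."""
    return rc4(ironman_key(), blob)


def decode_embedded_string(b64_text: str, passphrase: str = "fuckav") -> bytes:
    """Undo the base64 + RC4 obfuscation of URLs and config strings.
    ASSUMPTION: the raw passphrase bytes are the RC4 key; the page does not specify a derivation."""
    return rc4(passphrase.encode(), base64.b64decode(b64_text))


# Constructed sample (not an artefact from the malware) so the decoder can be run offline.
SAMPLE_STRING = b"http://example.invalid/public/gate"


def constructed_sample_b64() -> str:
    """Produce a blob in the described format from SAMPLE_STRING."""
    return base64.b64encode(rc4(b"fuckav", SAMPLE_STRING)).decode()


if __name__ == "__main__":
    print(decode_embedded_string(constructed_sample_b64()))
    print(len(decrypt_ironman(rc4(ironman_key(), b"MZ\x90\x00"))), "bytes recovered")
```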
Encryption
Nemty uses three layers of encryption:
- AES-128-CBC for files. The 128-bit AES key is generated randomly and is the same for all files; it is stored in a configuration file on the user's computer. The IV is generated randomly for each file and stored in the encrypted file.
- RSA-2048 for the per-file IVs. A key pair is generated for the session; the session private key is stored in the configuration file on the user's computer.
- RSA-8192 for the configuration. The master public key is built into the program and is used to encrypt the configuration file that holds the AES key and the RSA-2048 session private key.
Nemty first generates 32 bytes of random data; the first 16 bytes are used as the AES-128-CBC key.

The second encryption algorithm is RSA-2048. The key pair is generated by the CryptGenKey() function and imported by the CryptImportKey() function.

After the key pair for the session is generated, the public key is imported into the MS Cryptographic Service Provider.

An example of a generated public key for a session:

Next, the private key is imported into the CSP.

An example of a generated private key for a session:
The last layer is RSA-8192. The master public key is stored encrypted (base64 + RC4) in the .data section of the PE file.

After base64 decoding and RC4 decryption with the password fuckav, the RSA-8192 key looks like this:

As a result, the whole encryption process looks like this:
- Generate the 128-bit AES key that will be used to encrypt all files.
- Create an IV for each file.
- Generate the RSA-2048 session key pair.
- Decode the embedded RSA-8192 master key (base64 and RC4).
- Encrypt the file contents with AES-128-CBC using the key from the first step.
- Encrypt the IV with the RSA-2048 public key and base64-encode it.
- Append the encrypted IV to the end of each encrypted file.
- Add the AES key and the RSA-2048 session private key to the configuration.
- Encrypt the configuration data (described in the section on collecting information about the infected computer) with the RSA-8192 master public key.
The encrypted file looks like this:
Example of encrypted files:
Collection of information about an infected computer
The ransomware collects the keys needed to decrypt the encrypted files so that the attacker can actually build a decryptor. In addition, Nemty collects user data such as the username, computer name and hardware profile.

It calls the GetLogicalDrives(), GetFreeSpace(), GetDriveType() functions to collect information about the infected computer's drives.
The collected information is stored in a configuration file. After decoding the string, we get a list of options in the configuration file:

Sample configuration of an infected computer:

The configuration template can be represented as follows:
{"General":{"IP":"[IP]","Country":"[Country]","ComputerName":"[ComputerName]","Username":"[Username]","OS":"[OS]","isRU":false,"version":"1.4","CompID":"{[CompID]}","FileID":"_NEMTY_[FileID]_","UserID":"[UserID]","key":"[key]","pr_key":"[pr_key]
Nemty stores the collected data in JSON format in the %USER%/_NEMTY_.nemty file. The 7-character FileID is generated randomly, for example _NEMTY_tgdLYrd_.nemty. The FileID is also appended to the end of each encrypted file name.
Ransom Notice
After encrypting the files, the _NEMTY_[FileID]-DECRYPT.txt file appears on the desktop with the following content:

At the end of the file is encrypted information about the infected computer.

Network communication
The ironman.exe process downloads the Tor Browser distribution and tries to install it.
Nemty then attempts to send the configuration data to 127.0.0.1:9050, where it expects to find a running Tor Browser proxy. However, by default the Tor Browser proxy listens on port 9150, while port 9050 is used by the Tor daemon (on Linux, or the Expert Bundle on Windows). As a result, no data is sent to the attacker's server. Instead, the user can upload the configuration file manually by visiting the Tor decryption service via the link given in the ransom note.
Connecting to a Tor proxy:

The HTTP GET request is sent to 127.0.0.1:9050/public/gate?data=

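As an added example (not from the original article), the host and network indicators described on this page turned into a small triage routine: the RunOnce cleanup entry left by cashback.exe, the hate mutex, the _NEMTY_[FileID]_ suffix on encrypted files, the _NEMTY_.nemty configuration file, the _NEMTY_[FileID]-DECRYPT.txt note, and the beacon to 127.0.0.1:9050/public/gate?data=. The event records are constructed, the event schema is hypothetical, and the FileID is assumed to be alphanumeric.

```python
import re

# Indicators taken from the analysis above. The event records below are constructed; the
# dict layout ("type", "path", "url", "key", "name") is a hypothetical EDR-style schema.
ENCRYPTED_SUFFIX = re.compile(r"\._NEMTY_[A-Za-z0-9]{7}_$")   # FileID assumed alphanumeric
RANSOM_NOTE = re.compile(r"^_NEMTY_[A-Za-z0-9]{7}-DECRYPT\.txt$")
CONFIG_FILE = "_NEMTY_.nemty"
TOR_GATE_PREFIX = "http://127.0.0.1:9050/public/gate?data="
CLEANUP_RUNONCE = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0"
MUTEX = "hate"


def classify(event: dict) -> list:
    """Return the names of the Nemty indicators matched by one event record."""
    hits = []
    kind = event.get("type")
    if kind == "file_create":
        name = event["path"].rsplit("\\", 1)[-1]
        if ENCRYPTED_SUFFIX.search(name):
            hits.append("encrypted_file_suffix")
        if RANSOM_NOTE.match(name):
            hits.append("ransom_note")
        if name == CONFIG_FILE:
            hits.append("config_file")
    elif kind == "http_request" and event["url"].startswith(TOR_GATE_PREFIX):
        # The beacon fails against a default Tor Browser (port 9150), but the attempt is still visible.
        hits.append("tor_gate_beacon")
    elif kind == "registry_set" and event["key"] == CLEANUP_RUNONCE:
        # Weak on its own: any IExpress-built installer writes this cleanup entry.
        hits.append("iexpress_cleanup_runonce")
    elif kind == "mutex_create" and event["name"] == MUTEX:
        hits.append("mutex_hate")
    return hits


def triage(events) -> dict:
    """Count indicator hits across a stream of events."""
    tally = {}
    for ev in events:
        for hit in classify(ev):
            tally[hit] = tally.get(hit, 0) + 1
    return tally


SAMPLE_EVENTS = [  # constructed for this example
    {"type": "registry_set", "key": CLEANUP_RUNONCE, "proc": "cashback.exe"},
    {"type": "mutex_create", "name": "hate", "proc": "ironman.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\report.docx._NEMTY_tgdLYrd_", "proc": "ironman.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\Pictures\photo.jpg._NEMTY_tgdLYrd_", "proc": "ironman.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\_NEMTY_.nemty", "proc": "ironman.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\Desktop\_NEMTY_tgdLYrd-DECRYPT.txt", "proc": "ironman.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\Desktop\notes.txt", "proc": "notepad.exe"},
    {"type": "http_request", "url": TOR_GATE_PREFIX + "AAAA", "proc": "ironman.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```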
Here you can see the open TCP ports used by the local Tor proxy:

Nemty decryption service on the Tor network:

You can upload an encrypted photo (jpg, png, bmp) to test the decryption service.

After that, the attacker asks to pay a ransom. In case of non-payment, the price doubles.

Conclusion
At the moment, it is not possible to decrypt files encrypted by Nemty without paying the ransom. This version of the ransomware shares features with the Buran ransomware and the outdated GandCrab: compilation in Borland Delphi and images with the same text. In addition, this is the first encryptor that uses an 8192-bit RSA key, which, again, makes no sense, since a 1024-bit key is quite enough for protection. Finally, and curiously, it tries to use the wrong port for the local Tor proxy service.
However, security solutions can prevent the Nemty ransomware from reaching user PCs and data, and providers can protect their customers with ... Full, which provides not only backup but also protection using a special technology based on artificial intelligence and behavioral heuristics, which can neutralize even previously unknown malware.
Source: habr.com
