
Clipboard Hijacker Dropped By STOP Ransomware

Recently we have seen multiple droppers delivering infostealers or banking trojans alongside ransomware. A few weeks ago our researchers at SonicWall Labs observed a clipbanker (clipboard hijacker) being dropped by Djvu (STOP) ransomware.

Behaviour:
The Clipboard Hijacker malware was downloaded from the URL hxxp://acacaca[.]org/files/1/build3[.]exe to the path <Appdata>\Local\<UuId>\build3.exe. The dropped malware first uses dynamic API resolution to load the APIs it needs for further operations. It also ensures that no other instance is running by creating the mutex "M5/610HP/STAGE2". The name may indicate that this is the next stage of the attack after the ransomware has executed.
It creates a copy of itself at <AppData>\Roaming\Microsoft\Network\mstsca[.]exe. This copy is later executed by a scheduled task named "Azure-Update-Task", which is set to run every minute. The malware terminates itself once the scheduled task has been set up.

Fig 1. Scheduled Task

The mstsca[.]exe copy performs the actual clipboard hijacking. It again checks for the mutex "M5/610HP/STAGE2" to confirm that only a single instance is running at a time. The clipboard data is retrieved using the GetClipboardData API. The data is then scanned for a string terminator in order to split it into separate strings.

Fig 2. String Check

Once a string is found, its length is calculated and compared against the lengths of the targeted wallet address formats.
If the length matches, it then checks the leading characters expected for that wallet address format. Some wallet formats share the same length, and these are told apart by their initial characters. The code snippet below checks for a Bitcoin wallet address (Native SegWit addresses start with bc1q).

Fig 3. Bitcoin Wallet Check

The address found in the clipboard is replaced with an address for the same cryptocurrency that is already embedded in the binary. It continues checking for further addresses until the end of the clipboard data is reached.
The modified text is then written back to the clipboard: the clipboard is cleared using EmptyClipboard and the new data containing the malware's wallet addresses is placed with SetClipboardData.

Fig 4. Clipboard Data Replace

After this, it sleeps for a very short time and then resumes checking the clipboard data.
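The same length-then-prefix checks can be turned around for detection. The Python below is an added example, not code from the post or from the malware: it classifies clipboard tokens with address rules we constructed for the formats in the wallet table, and flags a copied address that now reads as a different address of the same coin (the substitution pattern described above). The placeholder victim address and the matching rules are our assumptions.

```python
import re

# Length-then-prefix rules in the spirit of the checks described above. The character
# classes and lengths are ours (constructed for this example), not lifted from the binary.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
ADDRESS_RULES = [
    ("bitcoin",  re.compile(r"^bc1q[a-z0-9]{38}$")),        # native SegWit, 42 chars
    ("bitcoin",  re.compile(rf"^[13]{BASE58}{{25,34}}$")),   # legacy / P2SH, 26-35 chars
    ("binance",  re.compile(r"^bnb1[a-z0-9]{38}$")),
    ("ethereum", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("dogecoin", re.compile(rf"^D{BASE58}{{33}}$")),         # same length as legacy BTC/LTC
    ("litecoin", re.compile(rf"^[LM]{BASE58}{{33}}$")),
    ("litecoin", re.compile(r"^ltc1[a-z0-9]{39}$")),
    ("zcash",    re.compile(rf"^t1{BASE58}{{33}}$")),
    ("cardano",  re.compile(rf"^Ae2{BASE58}{{56}}$")),
    ("cardano",  re.compile(r"^addr1[a-z0-9]{53,98}$")),
    ("monero",   re.compile(rf"^[48]{BASE58}{{94}}$")),
]

# A few of the attacker-controlled addresses listed in the post, to tag a replacement as known.
KNOWN_HIJACKER_ADDRESSES = {
    "1My2QNmVqkvN5M13xk8DWftjwC9G1F2w8Z",
    "bc1qx8vykfse9s9llguez9cuyjmy092yeqkesl2r5v",
    "bnb136ns6lfw4zs5hg4n85vdthaad7hq5m4gtkgf23",
    "0xa6360e294DfCe4fE4Edf61b170c76770691aA111",
}

VICTIM_BTC = "bc1q" + "x" * 38  # constructed placeholder, not a real address


def classify_address(token: str):
    """Return the coin a token looks like, or None. Each regex pins the length and the
    leading characters, mirroring the order of checks the malware performs."""
    for coin, pattern in ADDRESS_RULES:
        if pattern.match(token):
            return coin
    return None


def find_swaps(copied_text: str, clipboard_text: str):
    """Compare what the user copied with what the clipboard now holds.

    Returns one (coin, original, replacement, known_attacker) tuple per token that was a
    wallet address and now reads as a different address of the same coin."""
    swaps = []
    for orig, now in zip(copied_text.split(), clipboard_text.split()):
        coin = classify_address(orig)
        if coin is not None and now != orig and classify_address(now) == coin:
            swaps.append((coin, orig, now, now in KNOWN_HIJACKER_ADDRESSES))
    return swaps


if __name__ == "__main__":
    copied = f"send 0.01 BTC to {VICTIM_BTC} today"
    tampered = copied.replace(VICTIM_BTC, "bc1qx8vykfse9s9llguez9cuyjmy092yeqkesl2r5v")
    for coin, before, after, known in find_swaps(copied, tampered):
        print(f"{coin}: {before} -> {after} (known hijacker address: {known})")
```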

The malware carries multiple wallet addresses for different cryptocurrencies. One of the Binance wallets from the list was mentioned in a magazine's tweet (hxxps://twitter[.]com/westafricaweek/status/1471631329829834753). For this address and the others, the amount received over the last month is given in the table below.

Wallets:

Wallet     Amount Received ($)   Address
Bitcoin    1,224.97              1My2QNmVqkvN5M13xk8DWftjwC9G1F2w8Z
Bitcoin    0                     3NLzE3tXwoagBrgFsjNNkPZfrESydTD8JP
Bitcoin    0                     bc1qx8vykfse9s9llguez9cuyjmy092yeqkesl2r5v
Binance    63,337,185            bnb136ns6lfw4zs5hg4n85vdthaad7hq5m4gtkgf23
Dogecoin   0                     DBbgRYaKG993LFJKCWz73PZqveWsnwRmGc
ETH        918.67                0xa6360e294DfCe4fE4Edf61b170c76770691aA111
Litecoin   0                     LLiNjWA9h4LxVtDigLQ79xQdGiJYC4oHis
Litecoin   0.23                  MBD2C8QV7RDrNtSDRe9B2iH5r7yH4iMcxk
Litecoin   0                     ltc1qa5lae8k7tzcw5lcjfvfs3n0nhf0z3cgrsz2dym
Zcash      0                     t1VQgJMcNsBHsDyu1tXmJZjDpgbm3ftmTGN
Cardano    482.80                Ae2tdPwUPEZDqNhACJ3ZT5NdVjkNffGAwa4Mc9N95udKWYzt1VnFngLMnPE
Cardano    6,683.23              addr1qx4jwm700r2w6fneakg0r5pkg76vu7qkt6qv7zxza3qu3w9tyahu77x5a5n8nmvs78grv3a5eeupvh5qeuyv9mzpezuq60zykl

Monero:
42UxohbdHGMYGPvW5Uep45Jt9Rj2WvTV958B5G5vHnawZhA4UwoD53Tafn6GRmcGdoSFUfCQN6Xm37LBZZ6qNBorFw3b6s2
89SPVUAPHDLSq5pRdf8Eo6SLnKRJ8BNSYYnvPL6iJxGP4FBCBmkeV3CTSLCbk6uydxRnub4gLH6TBRycxSAQN2m1KcnhrSZ

Although the malware has limited functionality, it can cause huge financial losses to victims. SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

IOCs:

STOP Ransomware (parent file):
327224ab99915741b54b4e5b836ea8248cf2fe90d2113271422095cea8211d96

Clipboard Hijacker (dropped):
hxxp://acacaca[.]org/files/1/build3[.]exe
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 (build3.exe)


A look at TeamTNT's latest variant being actively used in the wild

The SonicWall Capture Labs threat research team analyzed the latest cryptomining and infostealing Trojan from a well-known malware group called TeamTNT. The group is known to target vulnerable *nix systems, deploying a cryptominer along with a myriad of other tools for reconnaissance and infostealing.

Infection Cycle:

The sample comes as a bash script. To establish a clean slate, upon execution it calls a function that finds, kills and removes all running cryptomining services.

While getting rid of the competing cryptominers, it also writes another bash script as a lock file which, when executed, echoes "Forbidden Action!!! TeamTNT is watching you."

It then sets up its own cryptominer by downloading and installing XMRig, an open source Monero miner.

Upon setup and execution of the cryptominer, a TeamTNT-branded greeting is shown.

It then runs another function called makesshaxx to set up an SSH key, which gives TeamTNT remote SSH access to the victim machine.

It then deploys an open source rootkit called Diamorphine, which it uses to hide itself. The rootkit is embedded as a base64-encoded tar file, which is decoded, decompressed, built and installed, and finally loaded by running the command "insmod diamorphine.ko".

It also locks down the system and ensures full control by deleting cron jobs and locking cron.

It also redirects standard output and standard error to null when the victim tries to shut down or reboot the system.

Finally, it has a function that uses another open source tool called punk.py, an SSH post-exploitation tool that collects usernames, SSH keys and known hosts from a Unix system and then tries to connect via SSH to every combination found. The Python script is stored as a base64-encoded value, which once decoded reveals the punk.py tool.
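Both the rootkit archive and the punk.py tool arrive as base64 blobs inside the bash dropper. The Python triage below is an added example, not the TeamTNT script or a SonicWall tool: it finds long base64 runs in a script, decodes them and identifies what they are from their magic bytes, looking through one layer of gzip. The sample script it runs on is constructed here (a stand-in Makefile in a tar.gz and a stand-in Python file), not the real dropper.

```python
import base64
import binascii
import gzip
import io
import re
import tarfile

# A base64 run long enough to be an embedded file rather than an ordinary shell token.
# Blobs wrapped across several lines would need joining first; this handles one-line blobs.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def classify_payload(data: bytes) -> str:
    """Identify a decoded blob by its magic bytes, looking through one layer of gzip."""
    if data[:2] == b"\x1f\x8b":
        try:
            inner = gzip.decompress(data)
        except (OSError, EOFError):
            return "gzip (corrupt)"
        return "gzip-compressed " + classify_payload(inner)
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "tar archive"
    first_line = data.split(b"\n", 1)[0]
    if (first_line.startswith(b"#!") and b"python" in first_line) or b"\nimport " in b"\n" + data:
        return "python script"
    return "unknown"


def find_embedded_payloads(script_text: str):
    """Return (line_number, kind, decoded_size) for every base64 blob found in a script."""
    found = []
    for line_no, line in enumerate(script_text.splitlines(), start=1):
        for match in B64_RUN.finditer(line):
            try:
                data = base64.b64decode(match.group(0), validate=True)
            except binascii.Error:
                continue  # long token, but not valid base64
            found.append((line_no, classify_payload(data), len(data)))
    return found


def build_sample_script() -> str:
    """Constructed stand-in for the dropper: a gzipped tar 'kit' and a small Python file,
    both inlined as base64 the way the script above embeds its rootkit and its tool."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        body = b"obj-m += placeholder.o\n"  # stand-in Makefile, not the real rootkit's
        info = tarfile.TarInfo("kit/Makefile")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    kit_b64 = base64.b64encode(buf.getvalue()).decode()
    tool_b64 = base64.b64encode(b"#!/usr/bin/env python\nimport os\nprint('stand-in tool')\n").decode()
    return (
        "#!/bin/bash\n"
        f"echo {kit_b64} | base64 -d > kit.tar.gz\n"
        "tar xzf kit.tar.gz  # the real script builds and loads the module at this point\n"
        f"echo {tool_b64} | base64 -d > tool.py\n"
    )


SAMPLE_SCRIPT = build_sample_script()

if __name__ == "__main__":
    for line_no, kind, size in find_embedded_payloads(SAMPLE_SCRIPT):
        print(f"line {line_no}: {kind}, {size} bytes decoded")
```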

Sonicwall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Coinminer.AIY (Trojan)
  • GAV: XMRig.XMR_13 (Trojan)

This threat is also detected by Sonicwall Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Cryptojackers target servers running Alibaba Cloud

This week the Sonicwall Capture Labs Research team analyzed malware samples that appear to be targeting one of the popular cloud computing platforms, Alibaba Cloud (Aliyun). Alibaba Cloud might not be the first name that comes to mind when you think of cloud computing service providers. However, it is the 4th largest cloud provider globally behind Amazon Web Services, Microsoft Azure and Google Cloud, thus a very appealing target to cybercriminals. The end goal of this malware is to use the victim machine for mining cryptocurrencies.

Infection cycle:

The malware arrives as a bash script. Upon execution it disables the Alibaba Cloud monitoring agents and the Cloud Assistant service. These services allow owners to monitor resources and applications and to set alarms for different scenarios. Disabling them lets the malware run without the owner of the victim machine being notified when certain metrics or rules are triggered.

It then proceeds to disable other processes and cryptomining services that would compete for CPU resources. These commands are contained in a function named "kill_miner_proc()".

TeamTNT and Kinsing are two of the top threat groups dominating the cryptojacking arena by infiltrating vulnerable servers to run cryptominers. This malware has a dedicated function named "fuckyou()" that specifically targets processes and other files known to be used by those two groups, effectively disabling them if present on the infected system. This establishes a clean slate for when the malware finally runs its own cryptominer.

It then downloads the XMRig miner and executes it.

To maintain persistence it deletes the current cron jobs and adds the miner process and a copy of itself to cron, after which the entire infection cycle repeats.

It is unlikely that the owner of a compromised server will notice the issue right away. Unlike with ransomware, where the victim is made aware of the infection so the cybercriminal can collect its dues, attacks such as this can quietly run in the background, silently profit without demanding a ransom and persist for a long period of time.

Sonicwall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Coinminer.AIY (Trojan)
  • GAV: XMRig.XMR_13 (Trojan)

This threat is also detected by Sonicwall Capture ATP w/RTDMI and the Capture Client endpoint solutions.


AtomSilo hits large Brazilian company in $1M double extortion scheme

The SonicWall Capture Labs threat research team has observed a continued increase in ransomware used in double extortion schemes.  The operators of ransomware known as AtomSilo have recently infiltrated a Brazilian pharmaceutical company.  The malware installed has encrypted their files and obtained 900GB of very sensitive scientific data and even immigration and contact information of its employees.  A $500,000 ransom is offered for 48 hours.  After this, the ransom is increased to $1M in Bitcoin.  Failure to pay will result in the sensitive data being released to the public.

Infection Cycle:

Once the ransomware component runs, files on the system are encrypted. Each encrypted file is given a ".ATOMSILO" file extension.

After encryption, the following message is brought up on the infected machine's desktop:

The following files are dropped on to the system:

  • README-FILE-{machine name}-{random 10 digit number}.hta (in directories with encrypted files)

The Tor web address (http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion) leads to the following page, hosted by the operators:

The "LIST LEAK" button shows a company that is in the process of being extorted by the operators:


The "GO TO POST" button brings up a page that shows a summary of the data that has been obtained by the attackers:


This page is very long and contains samples of the sensitive data that has been obtained:


The leak also includes company financial data and employee contact information:


We reached out to the email address (arvato@atomsilo.com) provided in the ransom note and received the following response:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AtomSilo.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Conti operator demands $20M from victim. Faces litigation backlash instead

The SonicWall Capture Labs threat research team has recently been tracking Conti ransomware. Conti has reportedly been connected with over 400 cyberattacks against organizations around the world. In addition to encrypting files and holding them hostage for ransom, the attackers attempt to increase their chances of payout by threatening to publish sensitive data stolen from company networks. Such double-extortion schemes are a growing trend in ransomware.

Infection Cycle:

Conti ransomware is aimed at large company networks. The initial infection is handled manually by the attackers and usually starts with phishing attempts or firewall exploits. Once inside a network, a Cobalt Strike beacon is introduced onto the system to communicate with the attackers' C2 server. Once the backdoors are established, the attackers propagate malware further within the network and begin to exfiltrate sensitive data that is later used for extortion. Only after this is the Conti malware itself deployed.

Conti malware uses the following icon:

Upon infection, files on the system are encrypted. Each encrypted file is given a .FEEDC extension. A file named readme.txt is dropped into directories containing encrypted files. It contains the following message:
https://contirecovery.top is down, but the Tor link leads to the following page:

After uploading readme.txt to the Tor website, the following conversation can be seen between a prior victim and the operator.
As seen in the message above, the operator demands a staggering $20M for file decryption.


After a few days, the victim fights back with litigation:


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Conti.RSM (Trojan)
  • GAV: Conti.RSM_2 (Trojan)
  • GAV: Conti.RSM_3 (Trojan)
  • GAV: Conti.RSM_4 (Trojan)
  • GAV: Cobaltstrike.A_1 (Trojan)
  • GAV: Cobaltstrike.A_2 (Trojan)
  • GAV: Cobaltstrike.A_3 (Trojan)
  • GAV: Cobaltstrike.A_4 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Cukiesi, a Paradise ransomware variant demands over $50k for file retrieval

The SonicWall Capture Labs threat research team has observed reports of a variant of Paradise ransomware called Cukiesi.  This ransomware family has been around since early 2018 and is reported to have originated from Russia.  The ransom demand is quite steep at 1.5 BTC ($55k at the time of writing this alert) and it is speculated that it is aimed at large organisations rather than the average home PC user.

Infection Cycle:

Upon infection, files on the system are encrypted and a "_cU_{<6 alphanumeric chars>}Cukiesi" extension is appended to their filenames:

nooode.txt is dropped into all directories where files were encrypted.  It contains the following ransom message:


We reached out to the email addresses provided in the ransom note and had the following conversation with the operator:


The protonmail address had been deactivated but we received a response from the tutanota.com email address:


The ransom amount appears to be negotiable but at the time of writing this alert we were unsuccessful:


We are still awaiting a reply.


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Cukiesi.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.


BadBoy ransomware, variant of Spartacus charges $1000 for decryption

The SonicWall Capture Labs threat research team have observed reports of ransomware that encrypts files and appends a ".BadBoy" extension to their names.  This variant of the malware is new but is based on Spartacus ransomware which was first seen in early 2018.  Like Spartacus, it is written in .NET and uses a ransom page that is similar in appearance.  However, in this variant, the code is not obfuscated.

Infection Cycle:

Upon execution, files are encrypted and the following message is displayed on the desktop:


Files encrypted by the malware are given a .BadBoy extension.

The malware drops ReadME-BadboyEncryption.txt on to the desktop.  It contains the following message:


As the malware is written in .NET, it is easy to decompile and analyse.  Initial inspection of the decompiled output paints a clear picture of the malware's intentions:

BadBoy code layout


The code layout of the BadBoy variant is simple compared to Spartacus' layout which is obfuscated:

Spartacus obfuscated code layout


Further inspection shows the directories and file extensions that are targeted for encryption:


Files of the following filetypes are sought out and encrypted:

.exe, .der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .sxw, .stw, .3ds, .max, .3dm, .ods, .sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .mdf, .ldf, .cpp, .pas, .asm, .cmd, .bat, .vbs, .sch, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .mkv, .flv, .wma, .mid, .m3u, .m4u, .svg, .psd, .tiff, .tif, .raw, .gif, .png, .bmp, .jpg, .jpeg, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .ARC, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf, .csv, .txt, .msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xls b, .xlsm, .xlsx, .xls, .dotm, .dot, .docm, .docx, .doc, .ndf, .pdf, .ib, .ibk, .bkp, .dll, pdb, .dat, .File, .ini, .bin, .PC, loli, .sys, .log, .xml, .vir, .prx, .ds, .mui, .amx, .aep, .csproj, .sln, .cs, .ico, .license, .vb, .resx, .vbproj, .settings, .asset, .json, .db, .md, .ios, .app, .xaml, .snk, .appxmanifest, .asax, .html, .index, .config, .cshtml, .js, .map, .ttf, .css, .aspx, .Master, .nff, .save, .vdproj, .info, .nfo, .flp, .suo, .rec, .studioonemacro, mid, .nvram, .vmsd, .vmx, .vmxf, .wav, .bbc, .cat, .daa, .cue, .nrg, .img, .mds, .ashdisc, .bwi, .b5i, .gi, .cdi, .pdi, .p01, .pxi, .ncd, .c2d, .cif, .lcd, .fcd, .vcd, .dmg, .bif, .uif, .isz, .wim, .ima, .package, .langpack, .cfg, .data, .PNF, .inf, .xsd, .cab, .dmp, .theme, .jnt, .msc, .cd, .user, .manifest, .application, .deploy, .c, .h, .filters, .vcxproj, .sqlproj, .cache, .dacpac, .pdb, .pub, .mpp, .ssk, .wtv, .SFX, .chm, .lst, .ion, .Targets, .lng, .ulf, .xsl, .tmp, .lock, .inc.php, .lib, .pm, .frm, .hlp, .it, .inc, .b4a, .bas, .scss, .nsi, .cgi, .var, .ax, .pck, .bik, .qtr, .vfs0, .vfx, .webm, .webcam, .rpkg, .xpi, .rc, .spr, .res, .tga, .video, .mdl, .lmp, .sc, .lua, .md5, .vst, .awk, .nki, .reg, .7z, .ace, .arj, .bz2, .cab, .gz, .jar, .lz, .lzh, .tar, .uue, .xz, .db, .dbs, .dll, .z, .ogg, .apk, .md, .dewar, .rst, .plist, .tmSnippetz

The key used to encrypt files can be found in the decompiled output. However, this is not sufficient for decryption, as the algorithm (RSA) is asymmetric and the private key, held only by the operators, is required to decrypt files:

We contacted the operators via email as instructed in the ransom message and had the following conversation:

$1000 in bitcoin to 1E7iXR1w7DVnzZPd8vYv9QVYHgN3eoZMWY is demanded:


The next day we even received a final warning:


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: BadBoy.RSM (Trojan)
  • GAV: Blackheart.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Hiddentear ransomware variant encrypts and gives files .poop extension

The SonicWall Capture Labs Threat Research Team has received reports of ransomware that encrypts files and gives them a .poop extension. The malware is based on the open source platform known as HiddenTear. The operator charges 0.12277114 BTC ($1200 USD) for decryption.

Infection Cycle:

Upon infection, files on the system are encrypted and the desktop background is changed to the following image:

A window pops up with the following message:

The trojan is seen in the process list running as "Ranso":

The trojan drops the following files onto the system:

  • %SYSTEMDRIVE%\Users\%USERNAME%\Desktop\READ_IT.txt
  • %SYSTEMDRIVE%\%USERNAME%\bg.jpg (desktop background image shown above)
  • %SYSTEMDRIVE%\%USERNAME%\Rand\local.exe (copy of original) [Detected as: GAV: Hiddentear.RSM_22 (Trojan)]

Encrypted files are renamed with ".poop" appended to their original filenames.

READ_IT.txt contains the following text:

The trojan makes the following DNS query:

  • hostfs1mai.temp.swtest.ru

The infection is reported to a remote server and leaks system information:


The ransom note suggests using Telegram to contact @CyberDexter, the operator. We had the following brief conversation via Telegram with @CyberDexter discussing payment:

The operator offers reassurance that they hold the decryption keys for their victims.

The transaction history for the supplied bitcoin address (1K3YKBq8qGrnmJ7TKkLbTiGL59UHBYh7LF) suggests that the operator may have had some success:


SonicWALL Capture Labs provides protection against this threat via the following signatures:

  • GAV: Hiddentear.RSM_22 (Trojan)

Also, this threat is detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Fake Ransomware just overwrites MBR but demands payment

The SonicWall Capture Labs Threat Research Team has recently come across a fake ransomware trojan that pretends to hold a victim's files hostage. Although its ransom message is intimidating and a Monero address is provided for a $200 payment, there is no encryption functionality present in the malware.

Infection Cycle:

The attacker has made no effort to hide the functionality of the malware. It is written in Delphi and is so straightforward that even a simple listing of the strings in the binary instantly reveals its purpose:

Running the executable through a debugger reveals its runtime functionality.  The first step is to verify whether physical access to the system drive is possible using the CreateFileA and ReadFile API calls:


If the above test passes, it proceeds to open a handle to the physical drive again and overwrite the MBR using the WriteFile API call:


Arguments on the stack point to the ransom text to be displayed after reboot:


After successfully overwriting the MBR with the ransom text, the trojan executes "shutdown -r -f -t 0" via WinExec to immediately reboot the system:

Upon reboot, the following ransom text is displayed and the machine is unable to boot as normal:


The only modification to the filesystem is the overwritten MBR.  No files have actually been encrypted and there is no encryption functionality present in the malware.  Although files can easily be restored by mounting the filesystem using a live OS booted via a memory stick, most users will likely consider their files gone and perform a full reinstall.  There is no contact information provided to "restore" files and no way of verifying if paying the $200 in Monero will suffice.
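Checking the first sector of a disk image for exactly this kind of damage is straightforward. The Python below is an added example, not the trojan's code or a SonicWall tool: it parses the MBR boot signature and partition table, recovers any readable text from the sector (so the ransom message can be pulled from an image), and returns a verdict. The two sample sectors and the 50% text-ratio threshold are constructed assumptions, not real disk data.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_table(mbr: bytes):
    """Return (bootable, type_id, lba_start, sector_count) for each used primary entry.
    Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)."""
    entries = []
    for i in range(4):
        status, type_id, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if type_id != 0:
            entries.append((status == 0x80, type_id, lba, count))
    return entries


def printable_runs(data: bytes, min_len: int = 16):
    """Pull readable strings out of a sector, the way an analyst recovers the ransom text."""
    runs, current = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            current.append(b)
        else:
            if len(current) >= min_len:
                runs.append(current.decode("ascii"))
            current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


def assess_mbr(sector0: bytes) -> dict:
    """Triage sector 0 of a disk image: signature present, partition table parsable,
    and does the bootstrap area look like code or like text? The ratio is a heuristic."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    has_signature = sector0[510:512] == BOOT_SIGNATURE
    partitions = parse_partition_table(sector0) if has_signature else []
    text_ratio = sum(32 <= b < 127 for b in sector0[:446]) / 446
    if not has_signature or not partitions:
        verdict = "overwritten"   # what the trojan above leaves behind: no signature, no table
    elif text_ratio > 0.5:
        verdict = "suspicious"    # table kept, but the bootstrap code was replaced by text
    else:
        verdict = "intact"
    return {"verdict": verdict, "has_signature": has_signature, "partitions": partitions,
            "text_ratio": round(text_ratio, 2), "strings": printable_runs(sector0)}


# Constructed samples (not real disk images): a healthy MBR with one NTFS partition, and a
# sector holding nothing but a made-up ransom text, as left by an MBR-overwriting trojan.
INTACT_MBR = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * 438
              + struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000) + b"\x00" * 48
              + BOOT_SIGNATURE)
RANSOM_TEXT = b"YOUR DISK IS LOCKED. PAY 200 USD IN MONERO TO THE ADDRESS IN THE NOTE."  # constructed
OVERWRITTEN_MBR = RANSOM_TEXT + b"\x00" * (SECTOR_SIZE - len(RANSOM_TEXT))

if __name__ == "__main__":
    for name, sector in (("intact", INTACT_MBR), ("overwritten", OVERWRITTEN_MBR)):
        print(name, assess_mbr(sector))
```

A sector read from an image with `open(path, "rb").read(512)` can be passed straight to assess_mbr; an "overwritten" verdict with readable strings is the signature of this trojan rather than of file encryption.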


SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: KillMBR.RSM (Trojan)

SymmiWare Ransomware will only decrypt after Nov 25th

The SonicWall Capture Labs Threat Research Team has recently spotted a ransomware trojan calling itself SymmiWare. There has been other malware named "Symmi" in the past; however, this ransomware does not appear to be related. SymmiWare is unusual in that the operators are only offering decryption after November 25th 2018. The email address supplied in the ransom note is not currently active but is expected to be after that date.

Infection Cycle:

The trojan uses the following icon:

Upon running the executable the trojan reports the infection to a remote server:

The trojan encrypts files on the system and appends ".SYMMYWARE" to the file extension of each encrypted file.  It also drops SYMMYWARE.TXT into every directory containing encrypted files.

SYMMYWARE.TXT contains the following text:


We tried to contact the operators via simmyware@protonmail.ch but as stated in the above message the address is not yet active:


SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Symmi.RSM (Trojan)