Nooa ransomware seeks out your crypto wallets and passwords

August 12, 2021

The SonicWall Capture Labs threat research team has recently been tracking malware that does more than encrypt files and demand a ransom. In the ransomware space there has been an increase in malware that also steals data from infected machines. Some ransomware actors use this data to extort even more money from their victims. These ransomware actors, however, are interested in stealing crypto wallets, browser cookies and passwords.


Infection Cycle:


Upon infection, the file encryption process starts immediately. Files hosted on any attached external or network drives are also encrypted. Encrypted files are given a “.nooa” filename extension.


The following DNS requests are made by the malware:

  • api.2ip.ua
  • securebiz.org
  • astdg.top
  • prophefliloc.tumblr.com


The following files are downloaded onto the system:


  • C:\SystemID\PersonalID
  • %SYSTEMDRIVE%\_readme.txt
  • %SYSTEMDRIVE%\$WinREAgent\_readme.txt
  • %SYSTEMDRIVE%\$WinREAgent\Scratch\_readme.txt
  • %USERPROFILE%\_readme.txt
  • %APPDATA%\Roaming\Microsoft\Windows\Recent\_readme.lnk
  • %APPDATA%\Local\Microsoft\Windows\INetCache\IE\4EQF0LUO\msvcp140[1].dll
  • %APPDATA%\Local\Microsoft\Windows\INetCache\IE\LHLB6AIE\nss3[1].dll
  • %APPDATA%\Local\Microsoft\Windows\INetCache\IE\N5CLIG2L\freebl3[1].dll
  • %APPDATA%\Local\Microsoft\Windows\INetCache\IE\N5CLIG2L\softokn3[1].dll
  • %APPDATA%\Local\Microsoft\Windows\INetCache\IE\VQ7BRAAE\mozglue[1].dll
  • %APPDATA%\Local\Microsoft\Windows\INetCache\IE\VQ7BRAAE\vcruntime140[1].dll
  • %APPDATA%\Local\{rand}\build2.exe [Detected as: GAV: Conficker.gen (Worm)]


PersonalID contains an ID that is unique to each infection:

PLtnD1U6oAmgxgJ2nJik1mY9SwUQg07CiN0zSet1


_readme.txt contains the following message:


The malware downloads and runs build2.exe:


build2.exe reports the infection to a C&C server and receives data from it:


Decompression of the data above reveals the following message containing files targeted for exfiltration:

DESKTOP;%DESKTOP%\;*wallet*.*:*2fa*.*:*backup*.txt:*backup*.png:*backup*.jpg:*code*.txt:*code*.png:*code*.jpg:*password*.*:*auth*.txt:*auth*.png:*auth*.jpg:*crypto*.*:*key*.txt:*key*.png:*key*.jpg:*ledger*.*:*metamask*.*:*blockchain*.*:*bittrex*.*:*binance*.*:*coinbase*.*:*trezor*.*:*exodus*.*:*UTC--201*.*;300;true;movies:music:mp3;lnk;


build2.exe then searches the system for the filetypes and directories listed above. This includes 2fa data, crypto wallets and browser cookies. If such data is found, it is compressed and uploaded to the C&C server in zip format. The malware also captures and sends system information and a screenshot of the desktop:
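To make the exfiltration rule above easier to triage, the following added example (not code from SonicWall or from the malware) parses the semicolon-delimited record into its fields and tests filenames against its colon-separated globs, so an analyst can see which files on a host would have been targeted. The page does not state what the trailing `300`, `true`, `movies:music:mp3` and `lnk` fields mean; the key names used for them are assumptions.

```python
import fnmatch

# The grabber rule recovered from the C&C response (copied from the page).
RULE = ("DESKTOP;%DESKTOP%\\;*wallet*.*:*2fa*.*:*backup*.txt:*backup*.png:"
        "*backup*.jpg:*code*.txt:*code*.png:*code*.jpg:*password*.*:*auth*.txt:"
        "*auth*.png:*auth*.jpg:*crypto*.*:*key*.txt:*key*.png:*key*.jpg:*ledger*.*:"
        "*metamask*.*:*blockchain*.*:*bittrex*.*:*binance*.*:*coinbase*.*:"
        "*trezor*.*:*exodus*.*:*UTC--201*.*;300;true;movies:music:mp3;lnk;")


def parse_rule(rule):
    """Split one semicolon-delimited grabber rule into its fields.

    Layout seen on the page: name ; root path ; colon-separated filename
    globs ; a number ; a boolean ; colon-separated names ; an extension.
    The page does not explain the last four fields, so the keys chosen for
    them below are assumptions (a size limit and two exclusion lists are the
    most plausible reading, but that is not confirmed by the page).
    """
    parts = rule.rstrip(";").split(";")
    if len(parts) != 7:
        raise ValueError(f"unexpected field count: {len(parts)}")
    name, root, globs, number, flag, words, ext = parts
    return {
        "name": name,
        "root": root,
        "globs": [g for g in globs.split(":") if g],
        "limit": int(number),            # assumed meaning: size limit
        "flag": flag.lower() == "true",  # assumed meaning: boolean option
        "skip_words": words.split(":"),  # assumed meaning: excluded names
        "skip_ext": ext,                 # assumed meaning: excluded extension
    }


def matching_globs(filename, rule):
    """Return the globs in the rule that match a filename.

    Matching is case-insensitive, as Windows filename matching is, so
    'My-Wallet.dat' is caught by '*wallet*.*' just like 'my-wallet.dat'.
    """
    low = filename.lower()
    return [g for g in rule["globs"] if fnmatch.fnmatchcase(low, g.lower())]


if __name__ == "__main__":
    rule = parse_rule(RULE)
    # Constructed sample filenames, not from the page.
    for name in ("My-Wallet-Backup.dat", "passwords.xlsx", "holiday.jpg"):
        print(name, "->", matching_globs(name, rule))
```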


information.txt contains system information from the infected machine:


We reached out to the email addresses provided in the ransom message and received the following response:


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Waledac.gen.2 (Worm)
  • GAV: Conficker.gen (Worm)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.