Nooa ransomware seeks out your crypto wallets and passwords

The SonicWall Capture Labs threat research team has recently been tracking malware that does more than encrypt files and demand a ransom.  In the ransomware space there has been an increase in malware that also steals data from infected machines.  Some ransomware actors use this data to extort even more money from their victims.  These ransomware actors, however, are interested in stealing crypto wallets, browser cookies and passwords.

Infection Cycle:

Upon infection, the file encryption process starts immediately.  Files hosted on any attached external or network drives are also encypted.  Encrypted files are given a “.nooa” filename extension.

The following DNS requests are made by the malware:

• api.2ip.ua
• securebiz.org
• astdg.top
• prophefliloc.tumblr.com

The following files are downloaded onto the system:

• C:\SystemID\PersonalID
• %SYSTEMDRIVE%\_readme.txt
• %SYSTEMDRIVE%\$WinREAgent\_readme.txt
• %SYSTEMDRIVE%\$WinREAgent\Scratch\_readme.txt
• %USERPROFILE%\_readme.txt
• %APPDATA%\Roaming\Microsoft\Windows\Recent\_readme.lnk
• %APPDATA%\Local\Microsoft\Windows\INetCache\IE\4EQF0LUO\msvcp140[1].dll
• %APPDATA%\Local\Microsoft\Windows\INetCache\IE\LHLB6AIE\nss3[1].dll
• %APPDATA%\Local\Microsoft\Windows\INetCache\IE\N5CLIG2L\freebl3[1].dll
• %APPDATA%\Local\Microsoft\Windows\INetCache\IE\N5CLIG2L\softokn3[1].dll
• %APPDATA%\Local\Microsoft\Windows\INetCache\IE\VQ7BRAAE\mozglue[1].dll
• %APPDATA%\Local\Microsoft\Windows\INetCache\IE\VQ7BRAAE\vcruntime140[1].dll
• %APPDATA%\Local\{rand}\build2.exe [Detected as: GAV: Conficker.gen (Worm)]

PersonalID contains an ID that is unique to each infection:

PLtnD1U6oAmgxgJ2nJik1mY9SwUQg07CiN0zSet1

_readme.txt contains the following message:

The malware downloads and runs build2.exe:

build2.exe reports the infection to a C&C server and receives data from it:

Decompression of the data above reveals the following message containing files targeted for exfiltration:

DESKTOP;%DESKTOP%\;*wallet*.*:*2fa*.*:*backup*.txt:*backup*.png:*backup*.jpg:*code*.txt:*code*.png:*code*.jpg:*password*.*:*auth*.txt:*auth*.png:*auth*.jpg:*crypto*.*:*key*.txt:*key*.png:*key*.jpg:*ledger*.*:*metamask*.*:*blockchain*.*:*bittrex*.*:*binance*.*:*coinbase*.*:*trezor*.*:*exodus*.*:*UTC--201*.*;300;true;movies:music:mp3;lnk;

build2.exe then searches the system for the filetypes and directories listed above.  This includes 2fa data, crypto wallets and browser cookies.  If such data is found, it is compressed and uploaded to the C&C server in zip format.  The malware also captures and sends system information and a screenshot of the desktop:

information.txt contains system information from the infected machine:

We reached out to the email addresses provided in the ransom message and received the following response:

SonicWall Capture Labs provides protection against this threat via the following signatures:

• GAV: Waledac.gen.2 (Worm)
• GAV: Conficker.gen (Worm)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.