RZML ransomware exfiltrates files, cookies and clipboard data

September 8, 2023

The SonicWall Capture Labs threats research team has been tracking a recent family of ransomware called RZML.  This ransomware appeared in the wild over the last 7 days and appears to be a variant of the STOP/Djvu family.  The sample we analyzed is a dropper that downloads multiple modules.  In addition to encrypting files, which is standard practice for ransomware, it also steals files, clipboard and browser cookie data from the infected system.  File decryption costs $490 USD in bitcoin after a “50% discount”.  However, as we have seen with most ransomware today, exfiltrated files can be used later to apply additional pressure to pay up.

 

Infection Cycle:

 

Upon execution, the malware reports the infection to a C&C server which replies with a public key used for file encryption:

 

It also requests data on what file types to target for exfiltration:

 

It proceeds to download the ransomware module and names it build2.exe:

 

It downloads a clipboard grabber component and names it build3.exe:

 

It also downloads htdocs.zip which contains some utility dlls including an sqlite database module:

 

Files on the system are encrypted and given a .rzml extension.

 

The following files are added to the filesystem:

  • %USERPROFILE%\AppData\Roaming\Microsoft\Network\mstsca.exe [Detected as: GAV: ClipBanker.RSM (Trojan)]
  • %USERPROFILE%\AppData\Local\2bbb528e-26aa-4e54-82c0-428df9bab7e7\build2.exe [Detected as: GAV: StopCrypt.RSM (Trojan)]
  • %USERPROFILE%\AppData\Local\2bbb528e-26aa-4e54-82c0-428df9bab7e7\build3.exe (copy of mstsca.exe) [Detected as: GAV: ClipBanker.RSM (Trojan)]
  • C:\SystemID\PersonalID.txt
  • %USERPROFILE%\AppData\Local\bowsakkdestx.txt
  • C:\ProgramData\55054064606124780548020057 (sqlite database)
  • _readme.txt (written to all directories with encrypted files)

 

The following registry entries are made:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper
  • HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatability Assistant\Store {malware file}

 

PersonalID.txt contains the following data:

M5o7GW95xOUM45FRYk7SEflLRpNXVqiExQDcPCGh

 

bowsakkdestx.txt contains the public key that was downloaded earlier:

 

_readme.txt contains the following message:

 

When build3.exe is run, it uses the CreateMutex API function with “M5/610HP/STAGE2” as the parameter to check if it has been run previously:

 

If this mutex is not present, it proceeds to grab clipboard data:

 

 

The malware also steals browser cookies.  It stores this data in a sqlite database.  The following screenshot shows the database structure:

 

We visited chase.com and bankofamerica.com and can see that the cookies are stored in the database:

 

Targeted files, clipboard data and cookies stored in the sqlite database are uploaded to a remote server:

 

We reached out to the operator email addresses (support@freshmail.top, datarestorehelp@airmail.cc) stated in the ransom note and received the following reply:

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: ClipBanker.RSM (Trojan)
  • GAV: StopCrypt.RSM (Trojan)

 

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.