Saturday, 18 August 2018

GandCrab Ransomware Analysis State

Overview

GandCrab Ransomware first appeared in the wild early this year and has evolved rapidly in the months since. Since it first appeared in January 2018, the ransomware has been under continuous development: there have been 5 versions in 7 months. It is believed that the malware netted its operators over $600,000 in ransom payments.

Infection Vector and Ransom

Most commodity malware spreads by enticing a user to click on a link or by sending spam emails to unsuspecting users. GandCrab is no different.
GandCrab phishing emails either contain links to malicious JavaScript or carry a dropper file as an attachment. The malicious attachments (embedded in MS Office documents) contain scripts that download exploits from exploit kits or the payload itself. Similarly, compromised websites host malicious SWF advertisements and JS scripts that run on the endpoint and can also host exploits.


The ransomware is also hosted on compromised websites that look like download sites for cracked applications. Attackers use exploit kits to leverage vulnerabilities in Internet Explorer and Adobe Flash Player, drop the payload and execute it. Exploit kits such as Grandsoft, RIG and Magnitude are used to distribute GandCrab.

Evolution of the Ransomware

Gandcrab V1

The initial version of GandCrab ransomware was found to be distributed through a malvertising campaign called Seamless that directs victims to a RIG exploit kit. It is also the first ransomware to accept the DASH crypto-currency as ransom payment, demanding 1.54 DASH (approx. $1200). Apart from this, it uses NameCoin’s (decentralized domain name system) “.bit” top-level domain for its C&C system. The ransomware encrypts files and appends the “.GDCB” extension. Once a system is infected, the ransomware first tries to establish a connection with its C2 server, and the server sends a public key to start the encryption process.

Image: Spam email used to distribute GandCrab

GandCrab V2

Noticeable changes from the previous version include an updated file extension (.CRAB) and updated Command & Control hostnames: politiaromana[.]bit, malwarehunterteam[.]bit and gdcb[.]bit. The ransom note was updated with instructions on contacting the ransomware developers to obtain decryption keys.

Image: Encrypted Files with .CRAB extension
Source: https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files

GandCrab V3

GandCrab version 3 was found to be distributed via the Magnitude exploit kit. This version sets a low-resolution desktop background that contains the ransom note text. When installed, it encrypts files with the .CRAB extension, sets the background and automatically reboots the computer. The ransomware communicates with the domain “carder.bit”.

Image: GandCrab Distributed via Magnitude Exploit Kit 

GandCrab V4.0

GandCrab version 4 was released with a few updates over the previous version. Prominent updates include changes to the encryption mechanism, the extension changed to ‘.KRAB’, an updated ransom note, and payment demanded on a new TOR site. The ransomware was distributed via fake software crack sites that lure users into downloading software for free. When the user downloads and executes the software, GandCrab is installed. It then scans the computer and its network shares, encrypts all the shares on the network, appends the .KRAB extension to the files and drops a ransom note.

GandCrab V4.1

The latest version of GandCrab spreads via the NSA’s EternalBlue SMB exploit. It attempts to infect unpatched Windows XP machines and Windows Server 2003 systems along with current operating systems. The behaviour of the ransomware remains largely constant across versions; however, C2 communication is back in version 4.1. Encryption runs on a separate thread from the C&C communication, so files are encrypted even if the connection to the C&C server fails.

Technical Analysis 

A GandCrab version 3 executable was obtained from a server hosted in Canada (hxxp://185.199.225.114:12547). This IP hosts the same executable under different names. The analysis below covers GandCrab version 3.

Image: Domain contains GandCrab executable

Domain/ Server Analysis


Hostname:            185.199.225.114
IP:Port:             185.199.225.114:12547
Registrar:           RIPE NCC
Registrar e-mail:    contact@heymman.com
Created:             2017-02-23T12:48:32Z
Reputation score:    Low

Based on the analysis and research, it was found that the domain is being used for hosting malicious files only. Here is an example of one of the files that was hosted on the server.

File Name: 1.exe

File Details:
File source:    hxxp://185.199.225.114:12547/1.exe (removed)
File size:      260617 bytes
File type:      PE32 executable (.exe)
MD5:            ff6745411cc69bee286e17f4fba69b35
SHA 256:        747c3e82813bf85e4fdff7e7c1fc277d7ad82526b20224e5c5959e9eebc54225
Detection:      58 / 69

GandCrab Behavioural Analysis




While performing dynamic analysis of the GandCrab sample, the following malicious activities were detected:

Queries the computer name (1 event)

            GandCrab obtains the system name using the GetComputerNameW Windows API.


Checks if the process is being debugged by a debugger (1 event)

            GandCrab uses the IsDebuggerPresent Windows API to check whether a debugger is attached.


Uses Windows APIs to generate a cryptographic key (3 events)

            GandCrab uses the CryptGenKey Windows API to generate an RSA key (RSA1 key blob) and keeps the key buffer in system memory.


Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)

            GandCrab uses the GetAdaptersAddresses Windows API to enumerate network interfaces and adapter details.


Checks the CPU name in the registry, possibly for anti-virtualization (1 event)

            GandCrab reads HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString from the Windows registry to obtain processor details and identify a virtualized environment.


Installs itself for autorun at Windows startup (1 event)

            GandCrab sets the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cwekmntohtt to "C:\Users\user\AppData\Roaming\Microsoft\furqev.exe" so that it is launched at start-up.
            The ransomware copied itself into the “%AppData%\Roaming\Microsoft\” folder and created this start-up registry entry.
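The host artefacts listed above (the RunOnce value pointing into %AppData%\Roaming\Microsoft\, the <8hex-chars>.lock marker, the ransom note names and the encrypted-file extensions) can be checked mechanically. The following Python is an added example written for this page, not code from the original analysis or from any vendor tool; the snapshot it scans is constructed (the lock file name and the benign Run entry are invented), while the RunOnce path, value name and dropped executable path are the ones given in the analysis.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Host artefacts described in the behavioural analysis.
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
# An autorun value whose data launches an executable dropped in %AppData%\Roaming\Microsoft\
APPDATA_EXE = re.compile(
    r'^"?[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\[^\\]+\.exe"?$', re.IGNORECASE)
# <8 hex chars>.lock marker dropped in %appdata%
LOCK_FILE = re.compile(r"^[0-9a-f]{8}\.lock$", re.IGNORECASE)
RANSOM_NOTES = {"GDCB-DECRYPT.TXT", "CRAB-DECRYPT.TXT", "KRAB-DECRYPT.TXT"}
ENCRYPTED_EXT = re.compile(r"\.(GDCB|CRAB|KRAB)$", re.IGNORECASE)

RegValue = Tuple[str, str, str]  # (key path, value name, value data)


def basename(path: str) -> str:
    """Last path component, accepting either slash style."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]


def check_autorun(values: Iterable[RegValue]) -> List[str]:
    """RunOnce values that launch an exe from the %AppData%\\Roaming\\Microsoft\\ drop location."""
    hits = []
    for key, name, data in values:
        if key.lower() == RUNONCE_KEY.lower() and APPDATA_EXE.match(data.strip()):
            hits.append(f"{key}\\{name} = {data}")
    return hits


def check_files(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket file paths into lock markers, ransom notes and encrypted files."""
    found: Dict[str, List[str]] = {"lock_files": [], "ransom_notes": [], "encrypted": []}
    for path in paths:
        name = basename(path)
        if LOCK_FILE.match(name):
            found["lock_files"].append(path)
        elif name.upper() in RANSOM_NOTES:
            found["ransom_notes"].append(path)
        elif ENCRYPTED_EXT.search(name):
            found["encrypted"].append(path)
    return found


def triage(values: Iterable[RegValue], paths: Iterable[str]) -> Dict[str, object]:
    """Combine the checks; two or more independent indicator classes count as a confident hit."""
    autorun = check_autorun(values)
    files = check_files(paths)
    extensions = Counter(
        ENCRYPTED_EXT.search(basename(p)).group(1).upper() for p in files["encrypted"])
    classes = sum(
        1 for hits in (autorun, files["lock_files"], files["ransom_notes"], files["encrypted"]) if hits)
    if classes >= 2:
        verdict = "likely GandCrab"
    elif classes == 1:
        verdict = "weak signal"
    else:
        verdict = "no GandCrab indicators"
    return {"autorun": autorun, "files": files, "extensions": dict(extensions),
            "indicator_classes": classes, "verdict": verdict}


# Constructed host snapshot: the RunOnce entry is the one from the analysis,
# the lock file name and the second Run entry are invented for the example.
SAMPLE_REGISTRY: List[RegValue] = [
    (RUNONCE_KEY, "cwekmntohtt", r"C:\Users\user\AppData\Roaming\Microsoft\furqev.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ExampleUpdater",
     r"C:\Program Files\Example\updater.exe"),
]
SAMPLE_FILES = [
    r"C:\Users\user\AppData\Roaming\3f2a9c1e.lock",
    r"C:\Users\user\Documents\budget.xlsx.CRAB",
    r"C:\Users\user\Documents\CRAB-DECRYPT.txt",
    r"C:\Users\user\Pictures\holiday.jpg",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_REGISTRY, SAMPLE_FILES), indent=2))
```

On a live host the two inputs would come from a registry export of the Run/RunOnce keys and a file listing of the user profile; the triage deliberately requires more than one indicator class before calling a hit, because a stray .lock file or a single renamed file is not by itself evidence of this family.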

Image: System details exfiltration

The following image shows that GandCrab leverages many Windows APIs to obtain the system name, processor details, hard disk details, user information, network details and configuration details. These details are used when building the ransomware’s encryption function.

Wallpaper changed by GandCrab ransomware


GandCrab has gone through many versions; however, version 3 has the capability to change the system wallpaper.

Image: GandCrab change system wallpaper


The ransomware encrypts files and then forces the system to reboot. In our tests on Windows 10 and Windows 8.1 systems, the machine started up normally afterwards, but the wallpaper had been changed by the malware.

System Information

GandCrab gathers system details such as the IP address, running processes, presence of anti-virus, presence of a virtualized environment and use of debugging tools via Windows APIs, and sends all the collected information to the C2 server.

Image: Checks Presence of antivirus

Ransom-note

Once the ransomware has finished encrypting the computer, GandCrab drops a ransom note in every directory on the computer. The ransom note is named GDCB-DECRYPT.txt and contains a list of TOR gateways that can be used to access the payment site.

Image: Ransom-note of GandCrab V3

TOR gateway of GandCrab: “http://gandcrab2pie73et.onion/”.

Network Activity



When GandCrab ransomware is executed, the infected machine connects to the following IPs/domains, and the activities below were detected.

·     ipv4bot.whatismyipaddress.com

            Used to fetch the system’s public IP and location details.

·     66.171.248.178:80 (carder.bit)

            "carder.bit" is the server that the ransomware communicates with.

It was found that the attacker used the following request, with the user-agent shown, to obtain the victim’s machine information:

GET / HTTP/1.1
Host: carder.bit
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Cache-Control: no-cache

Server response: 200 OK
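The two network behaviours above (an external IP lookup followed by a request to a Namecoin “.bit” host, with the user-agent shown) form a detectable sequence in proxy or IDS captures. The following Python is an added example written for this page, not the original analysis tooling; it parses raw HTTP request heads and scores them per source address. The log entries it scans are constructed: the source IPs and the www.example.com request are invented, while the two hostnames and the user-agent string are those given above.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Network indicators from the analysis: external-IP lookup host, the ".bit"
# (Namecoin) C&C host and the user-agent seen on the C&C request.
IP_LOOKUP_HOSTS = {"ipv4bot.whatismyipaddress.com"}
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"


def parse_request_head(raw: str) -> Dict[str, str]:
    """Split a raw HTTP request head into its request line and headers (header names lower-cased, prefixed 'h:')."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, target, version = lines[0].split(" ", 2)
    req = {"method": method, "target": target, "version": version}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        req["h:" + name.strip().lower()] = value.strip()
    return req


def request_reasons(req: Dict[str, str]) -> List[str]:
    """Names of the indicators a single request matches."""
    host = req.get("h:host", "").split(":")[0].lower()
    reasons = []
    if host in IP_LOOKUP_HOSTS:
        reasons.append("external-ip-lookup")
    if host.endswith(".bit"):
        reasons.append("namecoin-bit-host")
    # The UA is the stock IE11 string, so it only corroborates a .bit contact; alone it is noise.
    if req.get("h:user-agent") == C2_USER_AGENT and "namecoin-bit-host" in reasons:
        reasons.append("c2-user-agent")
    return reasons


def scan(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Score requests per source IP (entries in capture order).

    An IP lookup followed later by a .bit host from the same source is flagged
    as the beacon pattern described for this sample."""
    per_source: Dict[str, List[str]] = defaultdict(list)
    for src, raw in entries:
        reasons = request_reasons(parse_request_head(raw))
        if "namecoin-bit-host" in reasons and "external-ip-lookup" in per_source[src]:
            reasons.append("ip-lookup-then-bit-host")
        per_source[src].extend(reasons)
    return {src: r for src, r in per_source.items() if r}


# Constructed capture: (source IP, raw request head). Hostnames and the
# user-agent are from the analysis; the addresses and the third request are invented.
SAMPLE_LOG: List[Tuple[str, str]] = [
    ("10.0.0.5", "GET / HTTP/1.1\r\nHost: ipv4bot.whatismyipaddress.com\r\n"
                 "User-Agent: " + C2_USER_AGENT + "\r\n\r\n"),
    ("10.0.0.5", "GET / HTTP/1.1\r\nHost: carder.bit\r\n"
                 "User-Agent: " + C2_USER_AGENT + "\r\nCache-Control: no-cache\r\n\r\n"),
    ("10.0.0.9", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                 "User-Agent: Mozilla/5.0 (Windows NT 10.0) Chrome/68.0\r\n\r\n"),
]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG).items():
        print(src, "->", ", ".join(reasons))
```

The strong signal here is the Host header ending in .bit: that TLD is not part of the public DNS root, so an ordinary corporate client has no legitimate reason to request it. The user-agent is Internet Explorer 11’s normal string on Windows 7 and is treated only as corroboration.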

Impact

The malware collects data from the system and starts encrypting files in the victim’s environment. After encryption, the C&C server is notified and the malware removes itself from the system.
New features and constant updates to the source code make GandCrab one of the most prevalent malware families used to conduct widespread attacks.

Remediation

 The following remediations are suggested:
  • Have a strong data storage, backup and restoration policy
  • Deploy an endpoint detection and response solution, which can thwart attacks that evade anti-virus solutions
  • Ensure that all IT and security software is up to date
  • Ensure that IT resources are exposed only to the personnel who require them, e.g. ports 3389 and 445
  • Create awareness programs for employees on the best practices to follow when working with email and browsing the internet.
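The fourth point (limiting exposure of ports 3389 and 445) is the kind of control that can be audited against a firewall or security-group rule set. The following Python is an added example, not part of the original write-up or of any firewall product; it assumes a hypothetical, simplified rule format (name, action, port, source CIDR) and flags any allow rule for RDP or SMB whose source range is not fully contained in a trusted administrative network. The rules and the trusted network below are constructed.

```python
import ipaddress
from typing import Any, Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Services the remediation list singles out.
SENSITIVE_PORTS = {445: "SMB", 3389: "RDP"}


def find_exposed_rules(rules: List[Dict[str, Any]], trusted_sources: List[str]) -> List[str]:
    """Allow rules for SMB/RDP whose source range is not inside one of the trusted networks.

    Each rule is a dict with keys name, action ('allow'/'deny'), port (int) and
    source (CIDR string); this format is assumed for the example."""
    trusted: List[Network] = [ipaddress.ip_network(t) for t in trusted_sources]
    findings = []
    for rule in rules:
        port = rule["port"]
        if rule["action"] != "allow" or port not in SENSITIVE_PORTS:
            continue
        source = ipaddress.ip_network(str(rule["source"]))
        # subnet_of() only compares networks of the same IP version.
        contained = any(source.version == t.version and source.subnet_of(t) for t in trusted)
        if not contained:
            findings.append(
                f'{rule["name"]}: {SENSITIVE_PORTS[port]} (tcp/{port}) allowed from {source}')
    return findings


# Constructed rule set and trusted jump-host network.
SAMPLE_RULES: List[Dict[str, Any]] = [
    {"name": "rdp-anywhere", "action": "allow", "port": 3389, "source": "0.0.0.0/0"},
    {"name": "smb-lan",      "action": "allow", "port": 445,  "source": "10.0.0.0/8"},
    {"name": "rdp-jump",     "action": "allow", "port": 3389, "source": "10.10.0.0/24"},
    {"name": "https-public", "action": "allow", "port": 443,  "source": "0.0.0.0/0"},
    {"name": "smb-block",    "action": "deny",  "port": 445,  "source": "0.0.0.0/0"},
]
TRUSTED_ADMIN_NETWORKS = ["10.10.0.0/24"]

if __name__ == "__main__":
    for finding in find_exposed_rules(SAMPLE_RULES, TRUSTED_ADMIN_NETWORKS):
        print("EXPOSED:", finding)
```

Note that a whole-LAN allow for SMB (the smb-lan rule) is reported too: the remediation asks for exposure to required personnel only, and an EternalBlue-style SMB spread, as described for version 4.1, moves laterally across exactly such broad internal allows.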

GandCrab Ransomware Version Metrics 


Attribute | GandCrab V1 | GandCrab V2 | GandCrab V3 | GandCrab V3.1 | GandCrab V4 | GandCrab V4.1
Release | Jan 31st | March 5th | April 3rd | May 9th | July 1st | July 5th
Affected victims | 50000 | N/A | N/A | N/A | N/A | N/A
Ransom note file | GDCB-DECRYPT.txt | CRAB-DECRYPT.txt | CRAB-DECRYPT.txt | CRAB-DECRYPT.txt | KRAB-DECRYPT.txt | KRAB-DECRYPT.txt
Extension | .GDCB | .CRAB | .CRAB | .CRAB | .KRAB | .KRAB
Drop file | %appdata%/<8hex-chars>.lock | %appdata%/<8hex-chars>.lock | %appdata%/<8hex-chars>.lock | %appdata%/<8hex-chars>.lock | %appdata%/<8hex-chars>.lock | %appdata%/<8hex-chars>.lock
Data encryption | RSA-2048 | RSA-2048 | RSA-2048 | RSA-2048 | Salsa20 | Salsa20
Other attributes | (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) | (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) | wallpaper change, (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) | (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) | contains a private and a public key, (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) | (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0)
C&C connection | Available | Available | Available | Available | - | Available
Decryption tool | available (Europol) | - | - | - | - | -
Ransom method | crypto-currency DASH (400 USD) | crypto-currency DASH (800 USD) | crypto-currency DASH (1200 USD) | crypto-currency DASH (1200 USD) | crypto-currency DASH (1,200 USD) | crypto-currency DASH (4000 USD)

The remaining attributes are listed in version order as recorded:

Exploit: web exploit, PDF exploit; Spam Mail Campaign; Spam Mail Campaign; inject payload svchost; SMB Exploit
Packer info: hammering; ReflectiveLoader; ReflectiveLoader; ReflectiveLoader
String obfuscation: Available; Available; Available; Available
Info gathering: #KeyboardLayoutCheck #mutex #AntiVirusChecks #AntiVM #IPAddress #UserName #ComputerName #Network #DOMAIN #OperatingSystem #Processor #Architecture #Network #LocalDrives #C&C; #mutex #AutoRun #AntiAnalysis #AntiVirus #AntiVM #C&C #URLGeneration #deleteItSelf #IPAddress #UserName #ComputerName #Network #DOMAIN #OperatingSystem #Processor #Architecture #Network #LocalDrives #C&C; #mutex #AutoRun #AntiVirus #AntiVM #C&C #URLGeneration #deleteItSelf #IPAddress #UserName #ComputerName #Network #DOMAIN #OperatingSystem #Processor #Architecture #Network #LocalDrives #C&C #URLGeneration #mutex #AntiVM #C&C; #deleteItSelf #UserName #ComputerName #OperatingSystem #Processor #Architecture; #C&C #mutex #AntiVM #C&C #deleteItSelf #IPAddress #UserName #ComputerName #Network #DOMAIN #OperatingSystem #Processor #Architecture #Network #LocalDrives #C&C #URLGeneration
Process load: encryption.dll, ReflectiveLoader(); inject payload svchost; inject payload svchost; inject payload svchost